[lxc-devel] [lxd/master] seccomp: test flag parsing and log ignored flags

brauner on Github lxc-bot at linuxcontainers.org
Thu Nov 14 00:08:38 UTC 2019 

A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 364 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20191113/2cd638b0/attachment.bin>
-------------- next part --------------
From f66b593ac87a4764b3df38a3b04111d7a23f48c6 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 14 Nov 2019 01:06:32 +0100
Subject: [PATCH] seccomp: test flag parsing and log ignored flags

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 lxd/seccomp/seccomp.go      | 14 +++++++++++++-
 lxd/seccomp/seccomp_test.go | 21 +++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 lxd/seccomp/seccomp_test.go

diff --git a/lxd/seccomp/seccomp.go b/lxd/seccomp/seccomp.go
index 7c0e0f4b33..0df76ba719 100644
--- a/lxd/seccomp/seccomp.go
+++ b/lxd/seccomp/seccomp.go
@@ -1178,6 +1178,13 @@ type MountArgs struct {
 	shift  bool
 }
 
+const knownFlags C.ulong = C.MS_BIND | C.MS_LAZYTIME | C.MS_MANDLOCK |
+	C.MS_NOATIME | C.MS_NODEV | C.MS_NODIRATIME |
+	C.MS_NOEXEC | C.MS_NOSUID | C.MS_REMOUNT |
+	C.MS_RDONLY | C.MS_STRICTATIME |
+	C.MS_SYNCHRONOUS | C.MS_BIND
+const knownFlagsRecursive C.ulong = knownFlags | C.MS_REC
+
 var mountFlagsToOptMap = map[C.ulong]string{
 	C.MS_BIND:            "bind",
 	C.ulong(0):           "defaults",
@@ -1320,7 +1327,12 @@ func (s *Server) HandleMountSyscall(c Instance, siov *Iovec) int {
 	}
 
 	if fuseBinary != "" {
-		addOpts := mountFlagsToOpts(C.ulong(args.flags))
+		// Record ignored flags for debugging purposes
+		flags := C.ulong(args.flags)
+		ignoredFlags := flags &^ (knownFlagsRecursive | C.MS_MGC_MSK)
+		ctx["fuse_ignored_flags"] = fmt.Sprintf("%x", ignoredFlags)
+
+		addOpts := mountFlagsToOpts(flags)
 
 		fuseSource := fmt.Sprintf("%s#%s", fuseBinary, args.source)
 		fuseOpts := ""
diff --git a/lxd/seccomp/seccomp_test.go b/lxd/seccomp/seccomp_test.go
new file mode 100644
index 0000000000..6d46dd797b
--- /dev/null
+++ b/lxd/seccomp/seccomp_test.go
@@ -0,0 +1,21 @@
+// +build linux
+// +build cgo
+
+package seccomp
+
+import (
+	"fmt"
+	"testing"
+)
+
+func TestMountFlagsToOpts(t *testing.T) {
+	opts := mountFlagsToOpts(knownFlags)
+	if opts != "ro,nosuid,nodev,noexec,sync,remount,mand,noatime,nodiratime,bind,strictatime,lazytime" {
+		t.Fatal(fmt.Errorf("Mount options parsing failed with invalid option string: %s", opts))
+	}
+
+	opts = mountFlagsToOpts(knownFlagsRecursive)
+	if opts != "ro,nosuid,nodev,noexec,sync,remount,mand,noatime,nodiratime,rbind,strictatime,lazytime" {
+		t.Fatal(fmt.Errorf("Mount options parsing failed with invalid option string: %s", opts))
+	}
+}

More information about the lxc-devel mailing list