[lxc-devel] [lxc/master] start: move reading seccomp profile after pre-start hook

brauner on Github lxc-bot at linuxcontainers.org
Fri Mar 20 14:27:59 UTC 2020


From 2e1361a686f31f1363296fa7bcf71753d103dbca Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Fri, 20 Mar 2020 15:25:41 +0100
Subject: [PATCH] start: move reading seccomp profile after pre-start hook

This allows users to generate custom profiles at startup.

Closes #1848.
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/start.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/lxc/start.c b/src/lxc/start.c
index c82fb89887..62152a6f60 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -737,11 +737,6 @@ int lxc_init(const char *name, struct lxc_handler *handler)
 	lsm_init();
 	TRACE("Initialized LSM");
 
-	ret = lxc_read_seccomp_config(conf);
-	if (ret < 0)
-		return log_error(-1, "Failed loading seccomp policy");
-	TRACE("Read seccomp policy");
-
 	/* Begin by setting the state to STARTING. */
 	ret = lxc_set_state(name, handler, STARTING);
 	if (ret < 0)
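Review bot: dropping the early `lxc_read_seccomp_config()` call here means a malformed or missing seccomp policy is no longer rejected before `lxc_set_state(name, handler, STARTING)` runs, so the failure now surfaces after the container has been announced as STARTING and after later init steps; please confirm that the error return further down is handled by the same cleanup path (state reset, resources released) as the other post-STARTING failures in `lxc_init()`, since previously a bad policy never reached that point.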
@@ -840,6 +835,11 @@ int lxc_init(const char *name, struct lxc_handler *handler)
 	}
 	TRACE("Initialized cgroup driver");
 
+	ret = lxc_read_seccomp_config(conf);
+	if (ret < 0)
+		return log_error(-1, "Failed loading seccomp policy");
+	TRACE("Read seccomp policy");
+
 	ret = lsm_process_prepare(conf, handler->lxcpath);
 	if (ret < 0) {
 		ERROR("Failed to initialize LSM");
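Review bot: the ordering requirement that motivates this hunk (the policy must be read only after the pre-start hook so hooks can generate it, per #1848) is not visible at the new call site, which sits right after "Initialized cgroup driver"; a short comment above `ret = lxc_read_seccomp_config(conf);` stating that it must stay after the pre-start hook would stop a future reorder from silently reintroducing the issue. It would also help debugging hook-generated profiles if the failure message named the policy file being loaded rather than the generic "Failed loading seccomp policy".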

