attach: try to use the container's seccomp policy

We can't get the actual policy (in the case where the policy file has changed) from the container, but at least we can use the seccomp policy file listed in the container config file. (If anyone wants to further improve this, it may be better to get the seccomp policy over the cmd api; not sure that's what we want, and this seems simpler to hook into the existing code, so I went this way for now) Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

attach: try to use the container's seccomp policy
2c4ea790 · Serge Hallyn · Stéphane Graber · 58e0f57d · 2c4ea790 · 2c4ea790
Commit 2c4ea790 authored Feb 17, 2014 by Serge Hallyn Committed by Stéphane Graber Feb 17, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 40 additions and 0 deletions

attach.c src/lxc/attach.c +37 -0

attach.h src/lxc/attach.h +3 -0

No files found.
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -51,6 +51,9 @@
 #include "commands.h"
 #include "cgroup.h"
 #include "lxclock.h"
+#include "conf.h"
+#include "lxcseccomp.h"
+#include <lxc/lxccontainer.h>
 #include "lsm/lsm.h"

 #if HAVE_SYS_PERSONALITY_H
@@ -135,6 +138,8 @@ static void lxc_proc_put_context_info(struct lxc_proc_context_info *ctx)
 {
 	if (ctx->lsm_label)
 		free(ctx->lsm_label);
+	if (ctx->container)
+		lxc_container_put(ctx->container);
 	free(ctx);
 }

@@ -593,6 +598,28 @@ static int attach_child_main(void* data);
 /* define default options if no options are supplied by the user */
 static lxc_attach_options_t attach_static_default_options = LXC_ATTACH_OPTIONS_DEFAULT;

+static bool fetch_seccomp(const char *name, const char *lxcpath,
+		struct lxc_proc_context_info *i, lxc_attach_options_t *options)
+{
+	struct lxc_container *c;
+	
+	if (!(options->namespaces & CLONE_NEWNS) || !(options->attach_flags & LXC_ATTACH_LSM))
+		return true;
+
+	c = lxc_container_new(name, lxcpath);
+	if (!c)
+		return false;
+	i->container = c;
+	if (!c->lxc_conf)
+		return false;
+	if (lxc_read_seccomp_config(c->lxc_conf) < 0) {
+		ERROR("Error reaading seccomp policy");
+		return false;
+	}
+
+	return true;
+}
+
 int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_function, void* exec_payload, lxc_attach_options_t* options, pid_t* attached_process)
 {
 	int ret, status;
@@ -617,6 +644,9 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun
 		return -1;
 	}

+	if (!fetch_seccomp(name, lxcpath, init_ctx, options))
+		WARN("Failed to get seccomp policy");
+
 	cwd = getcwd(NULL, 0);

 	/* determine which namespaces the container was created with
@@ -993,6 +1023,13 @@ static int attach_child_main(void* data)
 			rexit(-1);
 		}
 	}
+
+	if (init_ctx->container && init_ctx->container->lxc_conf &&
+			lxc_seccomp_load(init_ctx->container->lxc_conf) != 0) {
+		ERROR("Loading seccomp policy");
+		rexit(-1);
+	}
+
 	lxc_proc_put_context_info(init_ctx);

 	/* The following is done after the communication socket is

--- a/src/lxc/attach.h
+++ b/src/lxc/attach.h
@@ -27,8 +27,11 @@
 #include <sys/types.h>
 #include <lxc/attach_options.h>

+struct lxc_conf;
+
 struct lxc_proc_context_info {
 	char *lsm_label;
+	struct lxc_container *container;
 	unsigned long personality;
 	unsigned long long capability_mask;
 };