support new libseccomp api

configure.ac

@@ -115,6 +115,9 @@ AM_COND_IF([ENABLE_SECCOMP],
      AC_CHECK_LIB([seccomp], [seccomp_init],[],[AC_MSG_ERROR([You must install the seccomp development package in order to compile lxc])])
      AC_SUBST([SECCOMP_LIBS], [-lseccomp])])
 
+# HAVE_SCMP_FILTER_CTX=1 will tell us we have libseccomp api >= 1.0.0
+AC_CHECK_TYPES([scmp_filter_ctx], [], [], [#include <seccomp.h>])
+
 AM_CONDITIONAL([ENABLE_DOCBOOK], [test "x$db2xman" != "x"])
 
 AC_ARG_ENABLE([examples],

src/lxc/conf.c

@@ -66,6 +66,8 @@
 #include <apparmor.h>
 #endif
 
+#include "lxcseccomp.h"
+
 lxc_log_define(lxc_conf, lxc);
 
 #define MAXHWLEN    18
@@ -2760,8 +2762,7 @@ void lxc_conf_free(struct lxc_conf *conf)
 	if (conf->aa_profile)
 		free(conf->aa_profile);
 #endif
-	if (conf->seccomp)
-		free(conf->seccomp);
+	lxc_seccomp_free(conf);
 	lxc_clear_config_caps(conf);
 	lxc_clear_cgroups(conf, "lxc.cgroup");
 	lxc_clear_hooks(conf, "lxc.hook");

src/lxc/conf.h

@@ -32,6 +32,10 @@
 
 #include <lxc/start.h> /* for lxc_handler */
 
+#if HAVE_SCMP_FILTER_CTX
+typedef void * scmp_filter_ctx;
+#endif
+
 enum {
 	LXC_NET_EMPTY,
 	LXC_NET_VETH,
@@ -246,6 +250,9 @@ struct lxc_conf {
 	int lsm_umount_proc;
 #endif
 	char *seccomp;  // filename with the seccomp rules
+#if HAVE_SCMP_FILTER_CTX
+	scmp_filter_ctx *seccomp_ctx;
+#endif
 	int maincmd_fd;
 	int autodev;  // if 1, mount and fill a /dev at start
 };

src/lxc/lxcseccomp.h

@@ -28,6 +28,7 @@
 #ifdef HAVE_SECCOMP
 int lxc_seccomp_load(struct lxc_conf *conf);
 int lxc_read_seccomp_config(struct lxc_conf *conf);
+void lxc_seccomp_free(struct lxc_conf *conf);
 #else
 static inline int lxc_seccomp_load(struct lxc_conf *conf) {
 	return 0;
@@ -36,6 +37,13 @@ static inline int lxc_seccomp_load(struct lxc_conf *conf) {
 static inline int lxc_read_seccomp_config(struct lxc_conf *conf) {
 	return 0;
 }
+
+static inline void lxc_seccomp_free(struct lxc_conf *conf) {
+	if (conf->seccomp) {
+		free(conf->seccomp);
+		conf->seccomp = NULL;
+	}
+}
 #endif
 
 #endif

src/lxc/seccomp.c

@@ -27,6 +27,7 @@
 #include <seccomp.h>
 #include <errno.h>
 #include <seccomp.h>
+#include "config.h"
 #include "lxcseccomp.h"
 
 #include "log.h"
@@ -69,7 +70,11 @@ static int parse_config(FILE *f, struct lxc_conf *conf)
 		ret = sscanf(line, "%d", &nr);
 		if (ret != 1)
 			return -1;
-		ret = seccomp_rule_add(SCMP_ACT_ALLOW, nr, 0);
+		ret = seccomp_rule_add(
+#if HAVE_SCMP_FILTER_CTX
+			conf->seccomp_ctx,
+#endif
+			SCMP_ACT_ALLOW, nr, 0);
 		if (ret < 0) {
 			ERROR("failed loading allow rule for %d\n", nr);
 			return ret;
@@ -83,16 +88,28 @@ int lxc_read_seccomp_config(struct lxc_conf *conf)
 	FILE *f;
 	int ret;
 
-	if (seccomp_init(SCMP_ACT_ERRNO(31)) < 0)  { /* for debug, pass in SCMP_ACT_TRAP */
+	if (!conf->seccomp)
+		return 0;
+
+#if HAVE_SCMP_FILTER_CTX
+	/* XXX for debug, pass in SCMP_ACT_TRAP */
+	conf->seccomp_ctx = seccomp_init(SCMP_ACT_ERRNO(31));
+	ret = !conf->seccomp_ctx;
+#else
+	ret = seccomp_init(SCMP_ACT_ERRNO(31)) < 0;
+#endif
+	if (ret) {
 		ERROR("failed initializing seccomp");
 		return -1;
 	}
-	if (!conf->seccomp)
-		return 0;
 
 	/* turn of no-new-privs.  We don't want it in lxc, and it breaks
 	 * with apparmor */
-	if (seccomp_attr_set(SCMP_FLTATR_CTL_NNP, 0)) {
+	if (seccomp_attr_set(
+#if HAVE_SCMP_FILTER_CTX
+			conf->seccomp_ctx,
+#endif
+			SCMP_FLTATR_CTL_NNP, 0)) {
 		ERROR("failed to turn off n-new-privs\n");
 		return -1;
 	}
@@ -112,10 +129,27 @@ int lxc_seccomp_load(struct lxc_conf *conf)
 	int ret;
 	if (!conf->seccomp)
 		return 0;
-	ret = seccomp_load();
+	ret = seccomp_load(
+#if HAVE_SCMP_FILTER_CTX
+			conf->seccomp_ctx
+#endif
+	);
 	if (ret < 0) {
 		ERROR("Error loading the seccomp policy");
 		return -1;
 	}
 	return 0;
 }
+
+void lxc_seccomp_free(struct lxc_conf *conf) {
+	if (conf->seccomp) {
+		free(conf->seccomp);
+		conf->seccomp = NULL;
+	}
+#if HAVE_SCMP_FILTER_CTX
+	if (conf->seccomp_ctx) {
+		seccomp_release(conf->seccomp_ctx);
+		conf->seccomp_ctx = NULL;
+	}
+#endif
+}