seccomp: handle arch inversion

This commit deals with different kernel and userspace layouts and nesting. Here are three examples: 1. 64bit kernel and 64bit userspace running 32bit containers 2. 64bit kernel and 32bit userspace running 64bit containers 3. 64bit kernel and 64bit userspace running 32bit containers running 64bit containers Two things to look out for: 1. The compat arch that is detected might already have been present in the main context. So check that it actually hasn't been and only then add it. 2. The contexts don't need merging if the architectures are the same and also can't be. With these changes I can run all crazy/weird combinations with proper seccomp isolation. Closes #654. Link: https://bugs.chromium.org/p/chromium/issues/detail?id=832366 Reported-by: Chirantan Ekbote <chirantan@chromium.org> Reported-by: Sonny Rao <sonnyrao@chromium.org> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
parent 19e75fa0
...@@ -370,6 +370,8 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_ ...@@ -370,6 +370,8 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_
WARN("Failed to turn on seccomp nop-skip, continuing"); WARN("Failed to turn on seccomp nop-skip, continuing");
} }
#endif #endif
if (seccomp_arch_exist(ctx, arch) == -EEXIST) {
ret = seccomp_arch_add(ctx, arch); ret = seccomp_arch_add(ctx, arch);
if (ret != 0) { if (ret != 0) {
ERROR("Seccomp error %d (%s) adding arch: %d", ret, ERROR("Seccomp error %d (%s) adding arch: %d", ret,
...@@ -377,11 +379,13 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_ ...@@ -377,11 +379,13 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_
seccomp_release(ctx); seccomp_release(ctx);
return NULL; return NULL;
} }
if (seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE) != 0) { if (seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE) != 0) {
ERROR("Seccomp error removing native arch"); ERROR("Seccomp error removing native arch");
seccomp_release(ctx); seccomp_release(ctx);
return NULL; return NULL;
} }
}
return ctx; return ctx;
} }
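Review bot: The new guard at the top of the hunk treats every return value other than -EEXIST as "arch already present", so when seccomp_arch_exist() fails for another reason (it can return other negative errno values, e.g. -EINVAL for an invalid arch token) the function silently falls through to `return ctx;` with the native arch still in the filter and nothing logged. Because libseccomp's convention here is inverted — 0 means the arch exists, -EEXIST means it does not — the condition deserves both a comment and an explicit error branch, e.g. `ret = seccomp_arch_exist(ctx, arch); if (ret == -EEXIST) { /* add arch, drop native */ } else if (ret != 0) { ERROR("Seccomp error %d checking arch: %d", ret, (int)n_arch); seccomp_release(ctx); return NULL; }`. A one-line comment such as `/* seccomp_arch_exist() returns -EEXIST when the arch is NOT yet in the filter */` would keep the next reader from flipping the test. get_new_ctx begins before this hunk.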
...@@ -772,12 +776,24 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf) ...@@ -772,12 +776,24 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
} }
if (compat_ctx[0]) { if (compat_ctx[0]) {
INFO("Merging in the compat Seccomp ctx into the main one"); INFO("Merging compat seccomp contexts into main context");
if (seccomp_merge(conf->seccomp_ctx, compat_ctx[0]) != 0 || if (compat_arch[0] != native_arch && compat_arch[0] != seccomp_arch_native()) {
(compat_ctx[1] != NULL && seccomp_merge(conf->seccomp_ctx, compat_ctx[1]) != 0)) { ret = seccomp_merge(conf->seccomp_ctx, compat_ctx[0]);
ERROR("Error merging compat Seccomp contexts"); if (ret < 0) {
ERROR("Failed to merge first compat seccomp context into main context");
goto bad;
}
TRACE("Merged first compat seccomp context into main context");
}
if (compat_arch[1] && compat_arch[1] != native_arch && compat_arch[1] != seccomp_arch_native()) {
ret = seccomp_merge(conf->seccomp_ctx, compat_ctx[1]);
if (ret < 0) {
ERROR("Failed to merge first compat seccomp context into main context");
goto bad; goto bad;
} }
TRACE("Merged second compat seccomp context into main context");
}
} }
return 0; return 0;
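Review bot: The error message in the second-context branch (the `ERROR("Failed to merge first compat seccomp context into main context");` inside the `compat_arch[1]` block) is a copy of the first one and should read `"Failed to merge second compat seccomp context into main context"`, otherwise a failure log points at the wrong context. That branch also dropped the `compat_ctx[1] != NULL` check the removed condition had; if compat_arch[1] can be set without compat_ctx[1] having been created, seccomp_merge() is handed a NULL source. Since seccomp_merge() releases its source filter only on success, the contexts the new conditions now skip (arch equal to the native one) presumably stay allocated unless they are released after this hunk — worth confirming. parse_config_v2's body continues outside the hunk.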