attach: move loading seccomp as late as possible

We want to minimize the change that the profile blocks syscalls we need during attach setup and has the notifier enabled. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

attach: move loading seccomp as late as possible
e18aba7d · Christian Brauner · 92466fe3 · e18aba7d
Unverified Commit e18aba7d authored Feb 02, 2021 by Christian Brauner
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 12 deletions

attach.c src/lxc/attach.c +12 -12

No files found.
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1130,18 +1130,6 @@ __noreturn static void do_attach(struct attach_payload *ap)
 		TRACE("Set PR_SET_NO_NEW_PRIVS");
 	}

-	if (conf->seccomp.seccomp) {
-		ret = lxc_seccomp_load(conf);
-		if (ret < 0)
-			goto on_error;
-
-		TRACE("Loaded seccomp profile");
-
-		ret = lxc_seccomp_send_notifier_fd(&conf->seccomp, ap->ipc_socket);
-		if (ret < 0)
-			goto on_error;
-	}
-
 	/* The following is done after the communication socket is shut down.
 	 * That way, all errors that might (though unlikely) occur up until this
 	 * point will have their messages printed to the original stderr (if
@@ -1210,6 +1198,18 @@ __noreturn static void do_attach(struct attach_payload *ap)
 	if (ret)
 		INFO("Failed to adjust stdio permissions");

+	if (conf->seccomp.seccomp) {
+		ret = lxc_seccomp_load(conf);
+		if (ret < 0)
+			goto on_error;
+
+		TRACE("Loaded seccomp profile");
+
+		ret = lxc_seccomp_send_notifier_fd(&conf->seccomp, ap->ipc_socket);
+		if (ret < 0)
+			goto on_error;
+	}
+
 	if (!lxc_switch_uid_gid(ctx->target_ns_uid, ctx->target_ns_gid))
 		goto on_error;