On Mon, Feb 17, 2014 at 12:47:35PM -0600, Serge Hallyn wrote: > We can't get the actual policy (in the case where the policy file > has changed) from the container, but at least we can use the > seccomp policy file listed in the container config file. > > (If anyone wants to further improve this, it may be better to get > the seccomp policy over the cmd api; not sure that's what we want, > and this seems simpler to hook into the existing code, so I went > this way for now) > > Signed-off-by: Serge Hallyn <[email protected]>
Acked-by: Stéphane Graber <[email protected]> > --- > src/lxc/attach.c | 37 +++++++++++++++++++++++++++++++++++++ > src/lxc/attach.h | 3 +++ > 2 files changed, 40 insertions(+) > > diff --git a/src/lxc/attach.c b/src/lxc/attach.c > index a59dae3..31a5ae7 100644 > --- a/src/lxc/attach.c > +++ b/src/lxc/attach.c > @@ -51,6 +51,9 @@ > #include "commands.h" > #include "cgroup.h" > #include "lxclock.h" > +#include "conf.h" > +#include "lxcseccomp.h" > +#include <lxc/lxccontainer.h> > #include "lsm/lsm.h" > > #if HAVE_SYS_PERSONALITY_H > @@ -135,6 +138,8 @@ static void lxc_proc_put_context_info(struct > lxc_proc_context_info *ctx) > { > if (ctx->lsm_label) > free(ctx->lsm_label); > + if (ctx->container) > + lxc_container_put(ctx->container); > free(ctx); > } > > @@ -593,6 +598,28 @@ static int attach_child_main(void* data); > /* define default options if no options are supplied by the user */ > static lxc_attach_options_t attach_static_default_options = > LXC_ATTACH_OPTIONS_DEFAULT; > > +static bool fetch_seccomp(const char *name, const char *lxcpath, > + struct lxc_proc_context_info *i, lxc_attach_options_t *options) > +{ > + struct lxc_container *c; > + > + if (!(options->namespaces & CLONE_NEWNS) || !(options->attach_flags & > LXC_ATTACH_LSM)) > + return true; > + > + c = lxc_container_new(name, lxcpath); > + if (!c) > + return false; > + i->container = c; > + if (!c->lxc_conf) > + return false; > + if (lxc_read_seccomp_config(c->lxc_conf) < 0) { > + ERROR("Error reaading seccomp policy"); > + return false; > + } > + > + return true; > +} > + > int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t > exec_function, void* exec_payload, lxc_attach_options_t* options, pid_t* > attached_process) > { > int ret, status; 
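Review bot: The log message on the read-failure path of `fetch_seccomp` has a typo: `ERROR("Error reaading seccomp policy");` should read `ERROR("Error reading seccomp policy");`. Two properties of this helper are also easy to misread from its call site and deserve a comment above the function: the policy is taken from the container's on-disk config at attach time (via `lxc_container_new(name, lxcpath)`), so it can differ from the filter the running init actually carries if the config or the seccomp file changed after start, as the commit message itself acknowledges; and seccomp for the attached process is gated on `LXC_ATTACH_LSM` together with `CLONE_NEWNS`, so a caller that clears the LSM flag gets no seccomp filter, not merely no LSM label. Something like `/* Read the seccomp policy named in the container's current on-disk config so attach_child_main can apply it; only done when the caller asked for LSM confinement and a mount namespace. This is the config's policy, not necessarily the one the running init has. */` would make both visible to the next reader. The `lxc_attach` definition that follows the helper continues outside the hunk.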
> @@ -617,6 +644,9 @@ int lxc_attach(const char* name, const char* lxcpath, > lxc_attach_exec_t exec_fun > return -1; > } > > + if (!fetch_seccomp(name, lxcpath, init_ctx, options)) > + WARN("Failed to get seccomp policy"); > + > cwd = getcwd(NULL, 0); > > /* determine which namespaces the container was created with > @@ -993,6 +1023,13 @@ static int attach_child_main(void* data) > rexit(-1); > } > } > + > + if (init_ctx->container && init_ctx->container->lxc_conf && > + lxc_seccomp_load(init_ctx->container->lxc_conf) != 0) { > + ERROR("Loading seccomp policy"); > + rexit(-1); > + } > + > lxc_proc_put_context_info(init_ctx); > > /* The following is done after the communication socket is > diff --git a/src/lxc/attach.h b/src/lxc/attach.h > index 3d10777..8c833b1 100644 > --- a/src/lxc/attach.h > +++ b/src/lxc/attach.h > @@ -27,8 +27,11 @@ > #include <sys/types.h> > #include <lxc/attach_options.h> > > +struct lxc_conf; > + > struct lxc_proc_context_info { > char *lsm_label; > + struct lxc_container *container; > unsigned long personality; > unsigned long long capability_mask; > }; > -- > 1.9.rc1 > > _______________________________________________ > lxc-devel mailing list > [email protected] > http://lists.linuxcontainers.org/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
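Review bot: A failed `fetch_seccomp` is only logged with `WARN("Failed to get seccomp policy")` and the attach proceeds, so when the caller asked for confinement (`LXC_ATTACH_LSM` with a mount namespace) but the container config cannot be opened or its seccomp file cannot be read, the attached process runs inside the container with no seccomp filter while the container's own init is filtered — the error path fails open. Since `fetch_seccomp` already returns `true` for the flag combinations where no policy is expected, a `false` here is an unexpected failure (assuming `lxc_read_seccomp_config` returns 0 when no policy is configured, which the hunk does not show), and I would treat it like the surrounding setup failures: `if (!fetch_seccomp(name, lxcpath, init_ctx, options)) { ERROR("Failed to get seccomp policy"); return -1; }` with whatever cleanup of `init_ctx` the neighbouring failure path performs. If best-effort is deliberate, say so in a comment and make the warning state that the attached process will run without a seccomp filter. The body of `lxc_attach` starts and ends outside this hunk.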
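Review bot: The failure message `ERROR("Loading seccomp policy");` reads as a progress message rather than an error; `ERROR("Failed to load seccomp policy");` matches the wording used for the fetch failure in `lxc_attach` and is unambiguous in a log. Separately, the filter is installed here and `init_ctx` is released immediately after, while the trailing context notes that more setup is done after the communication socket, so depending on the policy's default action a container policy that denies a syscall used by that remaining setup or by the final exec would terminate the attach helper instead of the attached command; either a comment explaining why loading at this point is safe, or moving the `lxc_seccomp_load` call to just before the exec, would settle that — I cannot tell from the hunk what follows. `attach_child_main` begins and ends outside this hunk.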
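Review bot: The forward declaration added to attach.h is `struct lxc_conf;`, but the new member is `struct lxc_container *container;` and `struct lxc_conf` is not referenced anywhere in this header change, so the declaration does not match what it was presumably added for. The member still compiles as-is, because a pointer to a not-yet-declared struct tag is legal in C and the tag is then declared implicitly at file scope, but the explicit declaration should name the type actually used: change the line to `struct lxc_container;` (or declare both if `struct lxc_conf` is needed by something outside this hunk).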
