On Mon, Feb 17, 2014 at 02:05:10PM -0600, Serge Hallyn wrote:
> If that is set and reading the policy fails, we continue
> without trying to load seccomp.  (If reading the policy
> succeeds, then we do not ignore a failure to load the policy;
> we could consider doing that as well, however the goal here
> is to have a generic container configuration work whether
> the host has seccompv2 support or not)
> 
> Signed-off-by: Serge Hallyn <[email protected]>

Acked-by: Stéphane Graber <[email protected]>

> ---
>  src/lxc/attach.c  | 10 ++++++++--
>  src/lxc/conf.h    |  1 +
>  src/lxc/confile.c | 15 +++++++++++++++
>  src/lxc/start.c   |  9 +++++++--
>  4 files changed, 31 insertions(+), 4 deletions(-)
> 
> diff --git a/src/lxc/attach.c b/src/lxc/attach.c
> index 31a5ae7..600332a 100644
> --- a/src/lxc/attach.c
> +++ b/src/lxc/attach.c
> @@ -613,8 +613,14 @@ static bool fetch_seccomp(const char *name, const char 
> *lxcpath,
>       if (!c->lxc_conf)
>               return false;
>       if (lxc_read_seccomp_config(c->lxc_conf) < 0) {
> -             ERROR("Error reaading seccomp policy");
> -             return false;
> +             if (c->lxc_conf->seccomp_optional) {
> +                     WARN("Ignoring error loading seccomp policy.");
> +                     lxc_container_put(c);
> +                     i->container = NULL;
> +             } else {
> +                     ERROR("Error reaading seccomp policy");
> +                     return false;
> +             }
>       }
>  
>       return true;
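Review bot: The new optional branch in fetch_seccomp() discards the whole container (`lxc_container_put(c); i->container = NULL;`) while the equivalent branch in the start.c hunk only frees the seccomp state with `lxc_seccomp_free(conf)`; the two paths should agree on what a failed-but-optional policy read leaves behind, and it is worth confirming that nothing after this point in the attach path still expects i->container to be set. The re-added ERROR line carries over the old typo: `ERROR("Error reading seccomp policy");`. Since the read failed and no filter will be applied, the WARN should say so rather than describing a load error, e.g. `WARN("Ignoring error reading seccomp policy; attaching without a seccomp filter.");`. fetch_seccomp() starts before this hunk.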
> diff --git a/src/lxc/conf.h b/src/lxc/conf.h
> index 4591470..3622287 100644
> --- a/src/lxc/conf.h
> +++ b/src/lxc/conf.h
> @@ -303,6 +303,7 @@ struct lxc_conf {
>       char *lsm_se_context;
>       int tmp_umount_proc;
>       char *seccomp;  // filename with the seccomp rules
> +     bool seccomp_optional;  // proceed if seccomp_load fails
>  #if HAVE_SCMP_FILTER_CTX
>       scmp_filter_ctx *seccomp_ctx;
>  #endif
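Review bot: The comment on the new field describes the wrong condition: the call guarded by it in the attach.c and start.c hunks is `lxc_read_seccomp_config()`, and the commit message says a load failure after a successful read remains fatal, so `// proceed if seccomp_load fails` should read `// proceed if reading the seccomp policy fails (a load failure is still fatal)`. The field is declared `bool`, so conf.h needs <stdbool.h> in scope; presumably it already is, but worth confirming. Provided the conf struct is zero-initialised where it is allocated (not visible here), the default is false, which keeps the existing fail-closed behaviour for configurations that do not set the key.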
> diff --git a/src/lxc/confile.c b/src/lxc/confile.c
> index afc9e32..bc99e45 100644
> --- a/src/lxc/confile.c
> +++ b/src/lxc/confile.c
> @@ -89,6 +89,7 @@ static int config_cap_drop(const char *, const char *, 
> struct lxc_conf *);
>  static int config_cap_keep(const char *, const char *, struct lxc_conf *);
>  static int config_console(const char *, const char *, struct lxc_conf *);
>  static int config_seccomp(const char *, const char *, struct lxc_conf *);
> +static int config_seccomp_opt(const char *, const char *, struct lxc_conf *);
>  static int config_includefile(const char *, const char *, struct lxc_conf *);
>  static int config_network_nic(const char *, const char *, struct lxc_conf *);
>  static int config_autodev(const char *, const char *, struct lxc_conf *);
> @@ -143,6 +144,7 @@ static struct lxc_config_t config[] = {
>       { "lxc.cap.drop",             config_cap_drop             },
>       { "lxc.cap.keep",             config_cap_keep             },
>       { "lxc.console",              config_console              },
> +     { "lxc.seccomp.optional",     config_seccomp_opt          },
>       { "lxc.seccomp",              config_seccomp              },
>       { "lxc.include",              config_includefile          },
>       { "lxc.autodev",              config_autodev              },
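Review bot: The new entry is placed ahead of `lxc.seccomp` with no comment saying why. If the table lookup matches keys by prefix (not visible in this hunk), `lxc.seccomp` would otherwise swallow `lxc.seccomp.optional`, and a later re-sort of the table would silently break the option; add `/* must precede "lxc.seccomp": keys are matched by prefix */` above the line, or drop the reliance on ordering if the lookup is exact-match.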
> @@ -928,6 +930,19 @@ static int config_seccomp(const char *key, const char 
> *value,
>       return config_path_item(&lxc_conf->seccomp, value);
>  }
>  
> +static int config_seccomp_opt(const char *key, const char *value,
> +                              struct lxc_conf *lxc_conf)
> +{
> +     int opt, ret;
> +
> +     ret = sscanf(value, "%d", &opt);
> +     if (ret != 1)
> +             return -1;
> +     lxc_conf->seccomp_optional = opt == 1;
> +
> +     return 0;
> +}
> +
>  static int config_hook(const char *key, const char *value,
>                                struct lxc_conf *lxc_conf)
>  {
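Review bot: config_seccomp_opt() accepts trailing garbage and out-of-range numbers: `sscanf(value, "%d", &opt)` parses "1junk" as 1 and anything other than exactly 1 (e.g. "2", or an overflowed value) silently maps to "not optional" instead of being rejected. For a boolean that decides whether a sandboxing failure is fatal, the parser should accept only "0" or "1" and reject everything else, which the rewrite below does with strtol() and an end-pointer check (strtol needs <stdlib.h>, if confile.c does not already include it). `key` is unused, which may be the file's convention for these handlers; if so a `(void)key;` keeps -Wunused-parameter quiet.

```c
static int config_seccomp_opt(const char *key, const char *value,
                              struct lxc_conf *lxc_conf)
{
	char *end = NULL;
	long opt;

	/* Accept exactly "0" or "1"; anything else is a configuration error. */
	opt = strtol(value, &end, 10);
	if (end == value || *end != '\0' || (opt != 0 && opt != 1))
		return -1;
	lxc_conf->seccomp_optional = opt == 1;

	return 0;
}
```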
> diff --git a/src/lxc/start.c b/src/lxc/start.c
> index 5b3b6eb..8c3c40f 100644
> --- a/src/lxc/start.c
> +++ b/src/lxc/start.c
> @@ -381,8 +381,13 @@ struct lxc_handler *lxc_init(const char *name, struct 
> lxc_conf *conf, const char
>               goto out_free_name;
>  
>       if (lxc_read_seccomp_config(conf) != 0) {
> -             ERROR("failed loading seccomp policy");
> -             goto out_close_maincmd_fd;
> +             if (conf->seccomp_optional) {
> +                     WARN("Ignoring error loading seccomp policy.");
> +                     lxc_seccomp_free(conf);
> +             } else {
> +                     ERROR("Exiting on failure to load seccomp policy");
> +                     goto out_close_maincmd_fd;
> +             }
>       }
>  
>       /* Begin by setting the state to STARTING */
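Review bot: When `conf->seccomp_optional` is set the container proceeds to start with no seccomp filter at all, but the WARN does not say so; `WARN("Ignoring error loading seccomp policy; starting without a seccomp filter.");` makes the degraded state visible in the log. After `lxc_seccomp_free(conf)` the later seccomp load step (outside this hunk) must treat the freed/absent context as "nothing to load" rather than as a failure, otherwise the optional branch only defers the same error; worth confirming. As in the attach.c hunk, a read failure is reported here as a load failure. lxc_init() starts and ends outside this hunk.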
> -- 
> 1.9.rc1
> 

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com

