The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1453

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
Newer libseccomp has a flag called SCMP_FLTATR_ATL_TSKIP which
allows syscall '-1' (nop) to be executed.  Without that flag,
debuggers cannot skip system calls inside containers.  For reference,
see the seccomp(2) manpage, which says:

	The tracer can skip the system call by changing the system call number to -1.

and see the seccomp issue #80.

From 92c2978d9c0968bc3e1c959a8a0f86df20fd8421 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <se...@hallyn.com>
Date: Mon, 6 Mar 2017 13:36:19 -0600
Subject: [PATCH] seccomp: set SCMP_FLTATR_ATL_TSKIP if available

Newer libseccomp has a flag called SCMP_FLTATR_ATL_TSKIP which
allows syscall '-1' (nop) to be executed.  Without that flag,
debuggers cannot skip system calls inside containers.  For reference,
see the seccomp(2) manpage, which says:

        The tracer can skip the system call by changing the system call number to -1.

and see the seccomp issue #80.
---
 src/lxc/seccomp.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 0ce758b..b6a316f 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -221,6 +221,11 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, 
uint32_t default_policy_
                seccomp_release(ctx);
                return NULL;
        }
+#ifdef SCMP_FLTATR_ATL_TSKIP
+       if (seccomp_attr_set(ctx, SCMP_FLTATR_ATL_TSKIP, 1)) {
+               WARN("Failed to turn on seccomp nop-skip, continuing");
+       }
+#endif
        ret = seccomp_arch_add(ctx, arch);
        if (ret != 0) {
                ERROR("Seccomp error %d (%s) adding arch: %d", ret,
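Review bot: the `#ifdef SCMP_FLTATR_ATL_TSKIP` guard only does anything if that name is a preprocessor macro; `seccomp_attr_set()` takes an `enum scmp_filter_attr`, and libseccomp defines its `SCMP_FLTATR_*` attributes as enum constants, so the `#ifdef` is always false and this block compiles to nothing even against a libseccomp that supports the feature. A configure-time declaration check (an `AC_CHECK_DECLS`-style `HAVE_DECL_...` macro, in the spirit of the `HAVE_SCMP_FILTER_CTX` guard used later in this file) would be reliable; it is also worth confirming the attribute's spelling against the libseccomp header, since upstream names it `SCMP_FLTATR_API_TSKIP`. Separately, the `WARN` discards the return value, while the neighbouring `ERROR("Seccomp error %d (%s) adding arch: %d", ret, ...` logs it: assigning `ret = seccomp_attr_set(...)` and logging `ret` would make a failure diagnosable.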
@@ -396,6 +401,11 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
                        ERROR("Failed to turn off n-new-privs.");
                        return -1;
                }
+#ifdef SCMP_FLTATR_ATL_TSKIP
+               if (seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_ATL_TSKIP, 
1)) {
+                       WARN("Failed to turn on seccomp nop-skip, continuing");
+               }
+#endif
        }
 
        while (fgets(line, 1024, f)) {
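Review bot: a failure here is only a `WARN`, but the same attribute is also set on the per-architecture context created in `get_new_ctx()` (first hunk); if one call succeeds and the other fails, `conf->seccomp_ctx` and the new context end up with different attribute values, and libseccomp refuses to merge filters whose attributes differ, so the problem would surface later as an unrelated-looking merge error. Either treat a failure the same way in both places (the `SCMP_FLTATR_CTL_NNP` path just above fails hard with `return -1`) or record whether the attribute was enabled and apply the same choice to every context.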
@@ -717,7 +727,7 @@ int lxc_read_seccomp_config(struct lxc_conf *conf)
                return -1;
        }
 
-/* turn of no-new-privs.  We don't want it in lxc, and it breaks
+/* turn off no-new-privs.  We don't want it in lxc, and it breaks
  * with apparmor */
 #if HAVE_SCMP_FILTER_CTX
        check_seccomp_attr_set = seccomp_attr_set(conf->seccomp_ctx, 
SCMP_FLTATR_CTL_NNP, 0);
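Review bot: this hunk is a comment typo fix (`turn of` to `turn off`) unrelated to the TSKIP change the commit message describes; fine to carry along, but mention it in the message or split it into its own commit so the log stays accurate.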
@@ -728,6 +738,11 @@ int lxc_read_seccomp_config(struct lxc_conf *conf)
                ERROR("Failed to turn off n-new-privs.");
                return -1;
        }
+#ifdef SCMP_FLTATR_ATL_TSKIP
+       if (seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_ATL_TSKIP, 1)) {
+               WARN("Failed to turn on seccomp nop-skip, continuing");
+       }
+#endif
 
        f = fopen(conf->seccomp, "r");
        if (!f) {
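Review bot: this is the third verbatim copy of the five-line `#ifdef` / `seccomp_attr_set` / `WARN` / `#endif` block (the others are in `get_new_ctx()` and `parse_config_v2()`); a small static helper, say `seccomp_enable_tskip(scmp_filter_ctx ctx)` (name hypothetical), would keep the guard, the log text and the return-value handling in one place and avoid the copies drifting apart. While touching this error path, the adjacent `ERROR("Failed to turn off n-new-privs.")` (also present in the second hunk) has the same kind of typo the third hunk fixes in the comment; it should read `no-new-privs`.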
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel