The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/6454
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
From f66b593ac87a4764b3df38a3b04111d7a23f48c6 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brau...@ubuntu.com>
Date: Thu, 14 Nov 2019 01:06:32 +0100
Subject: [PATCH] seccomp: test flag parsing and log ignored flags
Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
---
 lxd/seccomp/seccomp.go | 14 +++++++++++++-
 lxd/seccomp/seccomp_test.go | 21 +++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 lxd/seccomp/seccomp_test.go
diff --git a/lxd/seccomp/seccomp.go b/lxd/seccomp/seccomp.go
index 7c0e0f4b33..0df76ba719 100644
--- a/lxd/seccomp/seccomp.go
+++ b/lxd/seccomp/seccomp.go
@@ -1178,6 +1178,13 @@ type MountArgs struct {
 shift bool
 }
+const knownFlags C.ulong = C.MS_BIND | C.MS_LAZYTIME | C.MS_MANDLOCK |
+ C.MS_NOATIME | C.MS_NODEV | C.MS_NODIRATIME |
+ C.MS_NOEXEC | C.MS_NOSUID | C.MS_REMOUNT |
+ C.MS_RDONLY | C.MS_STRICTATIME |
+ C.MS_SYNCHRONOUS | C.MS_BIND
+const knownFlagsRecursive C.ulong = knownFlags | C.MS_REC
+
 var mountFlagsToOptMap = map[C.ulong]string{
 C.MS_BIND: "bind",
 C.ulong(0): "defaults",
@@ -1320,7 +1327,12 @@ func (s *Server) HandleMountSyscall(c Instance, siov *Iovec) int {
 }
 if fuseBinary != "" {
- addOpts := mountFlagsToOpts(C.ulong(args.flags))
+ // Record ignored flags for debugging purposes
+ flags := C.ulong(args.flags)
+ ignoredFlags := flags &^ (knownFlagsRecursive | C.MS_MGC_MSK)
+ ctx["fuse_ignored_flags"] = fmt.Sprintf("%x", ignoredFlags)
+
+ addOpts := mountFlagsToOpts(flags)
 fuseSource := fmt.Sprintf("%s#%s", fuseBinary, args.source)
 fuseOpts := ""
diff --git a/lxd/seccomp/seccomp_test.go b/lxd/seccomp/seccomp_test.go
new file mode 100644
index 0000000000..6d46dd797b
--- /dev/null
+++ b/lxd/seccomp/seccomp_test.go
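Review bot: `C.MS_BIND` is OR-ed into `knownFlags` twice, as the first and the last term; the second one is redundant and reads as if another flag was meant to be there, so drop it or replace it with the intended flag. The constant also repeats by hand the key set of `mountFlagsToOptMap`, of which only two entries are visible in this hunk, and the two can drift: a flag added to the map but not to the constant would be reported as ignored although it was translated. A comment on the constant such as `// knownFlags is the set of mount flags mountFlagsToOpts translates; keep in sync with mountFlagsToOptMap.` would make that dependency explicit.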
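Review bot: Masking with `C.MS_MGC_MSK` in `ignoredFlags := flags &^ (knownFlagsRecursive | C.MS_MGC_MSK)` clears the whole upper 16 bits, so a flag that lives there and is not in `knownFlags` (the propagation flags or `MS_RELATIME`, for example) can never show up in `fuse_ignored_flags`. The kernel discards those bits only when they carry the legacy magic value, so the same test belongs here: `masked := flags`, `if masked&C.MS_MGC_MSK == C.MS_MGC_VAL { masked &^= C.MS_MGC_MSK }`, `ignoredFlags := masked &^ knownFlagsRecursive`. Because the flags come from an intercepted container syscall, it would also help to set the field only when `ignoredFlags != 0` and to format it with `%#x`, so that a dropped flag stands out in the log instead of every FUSE mount carrying a `0`. HandleMountSyscall starts and ends outside the hunk, so where `ctx` is finally logged is not visible here.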
@@ -0,0 +1,21 @@
+// +build linux
+// +build cgo
+
+package seccomp
+
+import (
+ "fmt"
+ "testing"
+)
+
+func TestMountFlagsToOpts(t *testing.T) {
+ opts := mountFlagsToOpts(knownFlags)
+ if opts != "ro,nosuid,nodev,noexec,sync,remount,mand,noatime,nodiratime,bind,strictatime,lazytime" {
+ t.Fatal(fmt.Errorf("Mount options parsing failed with invalid option string: %s", opts))
+ }
+
+ opts = mountFlagsToOpts(knownFlagsRecursive)
+ if opts != "ro,nosuid,nodev,noexec,sync,remount,mand,noatime,nodiratime,rbind,strictatime,lazytime" {
+ t.Fatal(fmt.Errorf("Mount options parsing failed with invalid option string: %s", opts))
+ }
+}
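Review bot: Both assertions pass `mountFlagsToOpts` only flags that are in `knownFlags`, so the case the commit is about, a flag outside the known set, has no test; neither does the zero value that the map associates with "defaults". The ignored-flag computation sits inline in HandleMountSyscall and cannot be called from this file; moving it into a small helper would let a test pin that an unknown bit is reported and a known one is not. On style, `t.Fatal(fmt.Errorf(...))` can be `t.Fatalf("Mount options parsing failed with invalid option string: %s", opts)`, which also removes the need for the `fmt` import.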