The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/6823
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === So it also does the same stuff that the kernel does. Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
From 22d5807dc21ea3ef7c288b056881cda7c5b29dee Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brau...@ubuntu.com>
Date: Sat, 1 Feb 2020 16:09:28 +0100
Subject: [PATCH] seccomp: make device number checking more robust

So it also does the same stuff that the kernel does.

Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
---
 lxd/seccomp/seccomp.go | 42 +++++++++++++++++++-----------------------
 1 file changed, 19 insertions(+), 23 deletions(-)

diff --git a/lxd/seccomp/seccomp.go b/lxd/seccomp/seccomp.go
index b9695b792a..be44754a99 100644
--- a/lxd/seccomp/seccomp.go
+++ b/lxd/seccomp/seccomp.go
@@ -88,29 +88,25 @@ static int seccomp_notify_get_sizes(struct seccomp_notif_sizes *sizes)
 static int device_allowed(dev_t dev, mode_t mode)
 {
- if ((dev == makedev(0, 0)) && (mode & S_IFCHR)) // whiteout
- return 0;
-
- if ((dev == makedev(5, 1)) && (mode & S_IFCHR)) // /dev/console
- return 0;
-
- if ((dev == makedev(1, 7)) && (mode & S_IFCHR)) // /dev/full
- return 0;
-
- if ((dev == makedev(1, 3)) && (mode & S_IFCHR)) // /dev/null
- return 0;
-
- if ((dev == makedev(1, 8)) && (mode & S_IFCHR)) // /dev/random
- return 0;
-
- if ((dev == makedev(5, 0)) && (mode & S_IFCHR)) // /dev/tty
- return 0;
-
- if ((dev == makedev(1, 9)) && (mode & S_IFCHR)) // /dev/urandom
- return 0;
-
- if ((dev == makedev(1, 5)) && (mode & S_IFCHR)) // /dev/zero
- return 0;
+ switch (mode & S_IFMT) {
+ case S_IFCHR:
+ if ((dev == makedev(0, 0))) // whiteout
+ return 0;
+ else if ((dev == makedev(5, 1))) // /dev/console
+ return 0;
+ else if ((dev == makedev(1, 7))) // /dev/full
+ return 0;
+ else if ((dev == makedev(1, 3))) // /dev/null
+ return 0;
+ else if ((dev == makedev(1, 8))) // /dev/random
+ return 0;
+ else if ((dev == makedev(5, 0))) // /dev/tty
+ return 0;
+ else if ((dev == makedev(1, 9))) // /dev/urandom
+ return 0;
+ else if ((dev == makedev(1, 5))) // /dev/zero
+ return 0;
+ }
 return -EPERM;
 }
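Review bot: The switch on `mode & S_IFMT` is the real fix in this hunk — on Linux S_IFBLK (0060000) has the S_IFCHR (0020000) bit set, so the removed `mode & S_IFCHR` test also accepted block-device nodes carrying these major:minor pairs (block major 1 is the RAM disk) — yet nothing in the code says so and the commit message only says it matches the kernel; I would put a comment above the switch along the lines of `/* Compare the whole S_IFMT field, not the S_IFCHR bit: S_IFBLK has that bit set, so testing the bit alone also admitted block devices. */`. The eight `if ((dev == makedev(...)))` branches keep a redundant pair of parentheses left over from dropping the `&& (mode & S_IFCHR)` conjunct, and `case S_IFCHR:` has no `break` or `default:`, relying on falling out of the switch to reach `return -EPERM`. A (major, minor) table with an early return for non-character modes removes both and keeps the whitelist in one place; since makedev() is an inline function rather than a constant expression in newer glibc, the table stores the pair and the loop calls makedev(). Whether the `dev` value reaching this function is already converted from the mknod syscall's 32-bit dev encoding into the format makedev() produces is not visible in this hunk and should be confirmed, because the comparison is by exact value.
```c
static int device_allowed(dev_t dev, mode_t mode)
{
	/* Allowed character devices as (major, minor). makedev() is not a
	 * constant expression in newer glibc, so the pair is stored instead. */
	static const unsigned int allowed_chr[][2] = {
		{ 0, 0 }, /* whiteout */
		{ 5, 1 }, /* /dev/console */
		{ 1, 7 }, /* /dev/full */
		{ 1, 3 }, /* /dev/null */
		{ 1, 8 }, /* /dev/random */
		{ 5, 0 }, /* /dev/tty */
		{ 1, 9 }, /* /dev/urandom */
		{ 1, 5 }, /* /dev/zero */
	};

	/* Compare the whole S_IFMT field, not the S_IFCHR bit: S_IFBLK has
	 * that bit set, so testing the bit alone also admitted block devices.
	 * Only character devices are ever allowed. */
	if ((mode & S_IFMT) != S_IFCHR)
		return -EPERM;

	for (size_t i = 0; i < sizeof(allowed_chr) / sizeof(allowed_chr[0]); i++)
		if (dev == makedev(allowed_chr[i][0], allowed_chr[i][1]))
			return 0;

	return -EPERM;
}
```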