v2 is now merged. Bruce
On Sat, Sep 4, 2021 at 11:54 AM sana kazi <[email protected]> wrote:
>
> Enabled seccomp support for lxc.
> Also added a patch to enable seccomp.profile only when compiled with
> libseccomp. Currently, seccomp.profile is silently ignored. This
> could lead to the false impression that the seccomp filter is
> applied while it actually isn't.
>
> Signed-off-by: Sana Kazi <[email protected]>
> ---
> ...omp_profile_when_compiled_libseccomp.patch | 46 +++++++++++++++++++
> recipes-containers/lxc/lxc_4.0.9.bb | 2 +
> 2 files changed, 48 insertions(+)
> create mode 100644
> recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch
>
> diff --git
> a/recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch
>
> b/recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch
> new file mode 100644
> index 0000000..f0a5813
> --- /dev/null
> +++
> b/recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch
> @@ -0,0 +1,46 @@
> +From 3d46e1d1f8e904fddd4fab3e8d0c6cf57d2ddd4e Mon Sep 17 00:00:00 2001
> +From: Maximilian Blenk <[email protected]>
> +Date: Mon, 23 Aug 2021 22:04:40 +0200
> +Subject: [PATCH] config: enable seccomp profile only when compiled with
> + libseccomp
> +
> +Make lxc fail if seccomp.profile is specified but lxc is compiled
> +without seccomp support. Currently, seccomp.profile is silently ignored
> +if is specified in such a scenario. This could lead to the false
> +impression that the seccomp filter is applied while it actually isn't.
> +
> +Signed-off-by: Maximilian Blenk <[email protected]>
> +---
> + src/lxc/confile.c | 8 ++++++++
> + 1 file changed, 8 insertions(+)
> +
> +Upstream-Status: Submitted
> [https://github.com/lxc/lxc/pull/3947/commits/3d46e1d1f8e904fddd4fab3e8d0c6cf57d2ddd4e]
> +
> +diff --git a/src/lxc/confile.c b/src/lxc/confile.c
> +index d8b96c6921..1cc8da15f1 100644
> +--- a/src/lxc/confile.c
> ++++ b/src/lxc/confile.c
> +@@ -1211,7 +1211,11 @@ static int set_config_seccomp_notify_proxy(const char
> *key, const char *value,
> + static int set_config_seccomp_profile(const char *key, const char *value,
> + struct lxc_conf *lxc_conf, void *data)
> + {
> ++#ifdef HAVE_SECCOMP
> + return set_config_path_item(&lxc_conf->seccomp.seccomp, value);
> ++#else
> ++ return ret_set_errno(-1, ENOSYS);
> ++#endif
> + }
> +
> + static int set_config_execute_cmd(const char *key, const char *value,
> +@@ -4383,7 +4387,11 @@ static int get_config_seccomp_notify_proxy(const char
> *key, char *retv, int inle
> + static int get_config_seccomp_profile(const char *key, char *retv, int
> inlen,
> + struct lxc_conf *c, void *data)
> + {
> ++#ifdef HAVE_SECCOMP
> + return lxc_get_conf_str(retv, inlen, c->seccomp.seccomp);
> ++#else
> ++ return ret_errno(ENOSYS);
> ++#endif
> + }
> +
> + static int get_config_autodev(const char *key, char *retv, int inlen,
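Review bot: The new `#else` branches in set_config_seccomp_profile and get_config_seccomp_profile carry no comment, so a later reader sees a bare ENOSYS return with no hint that rejecting the key is deliberate; a comment above each `#else`, such as `/* Built without libseccomp: refuse seccomp.profile rather than accept a filter that would never be enforced. */`, would keep the rationale from the commit message next to the code. The two branches also use different helpers (`ret_set_errno(-1, ENOSYS)` in the setter, `ret_errno(ENOSYS)` in the getter); if both resolve to the same negative-errno convention that is fine, otherwise setter and getter should agree. Only seccomp.profile is guarded here, and the neighbouring seccomp.* handlers (set_config_seccomp_notify_proxy appears as hunk context) are unchanged by this patch; if any of them likewise accepts its key in a build without HAVE_SECCOMP, the same fail-closed treatment would apply. The trailing context lines open set_config_execute_cmd and get_config_autodev, whose bodies lie outside the hunk.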
> diff --git a/recipes-containers/lxc/lxc_4.0.9.bb
> b/recipes-containers/lxc/lxc_4.0.9.bb
> index 0ef81a5..6720733 100644
> --- a/recipes-containers/lxc/lxc_4.0.9.bb
> +++ b/recipes-containers/lxc/lxc_4.0.9.bb
> @@ -49,6 +49,7 @@ SRC_URI =
> "http://linuxcontainers.org/downloads/${BPN}/${BPN}-${PV}.tar.gz \
> file://tests-add-no-validate-when-using-download-template.patch \
> file://dnsmasq.conf \
> file://lxc-net \
> + file://enable_seccomp_profile_when_compiled_libseccomp.patch \
> "
>
> SRC_URI[md5sum] = "365fcca985038910e19a1e0fff15ed07"
> @@ -72,6 +73,7 @@ EXTRA_OECONF += "--enable-log-src-basename --disable-werror"
> PACKAGECONFIG ??= "templates \
> ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)} \
> ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)} \
> + ${@bb.utils.contains('DISTRO_FEATURES', 'seccomp', 'seccomp', '', d)} \
> "
> PACKAGECONFIG[doc] = "--enable-doc --enable-api-docs,--disable-doc
> --disable-api-docs,,"
> PACKAGECONFIG[rpath] = "--enable-rpath,--disable-rpath,,"
> --
> 2.17.1
>
>
>
>
-- - Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end - "Use the force Harry" - Gandalf, Star Trek II
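Review bot: The PACKAGECONFIG hunk adds `seccomp` to the default feature list but no matching `PACKAGECONFIG[seccomp]` definition is visible, and the context shows only the doc and rpath entries; unless the recipe already defines it outside this hunk, the new entry has no effect on configure, libseccomp is neither enabled nor pulled in as a build dependency, and the ENOSYS guard introduced by the bundled patch would then reject every seccomp.profile setting. Worth confirming that a line of the form `PACKAGECONFIG[seccomp] = "--enable-seccomp,--disable-seccomp,libseccomp"` exists, and stating in the commit message that seccomp support is now gated on `seccomp` being in DISTRO_FEATURES, since the current text reads as if it were enabled unconditionally. The SRC_URI hunk needs no change.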
