From: sana kazi <[email protected]>

Enabled seccomp support for lxc. Also added a patch to enable seccomp.profile only when compiled with libseccomp. Currently, seccomp.profile is silently ignored. This could lead to the false impression that the seccomp filter is applied while it actually isn't.
Signed-off-by: Sana Kazi <[email protected]> Signed-off-by: Bruce Ashfield <[email protected]> (cherry picked from commit 88a8ccb980038b2b91056f7df7fe96bbcc2744d8) Signed-off-by: virendra thakur <[email protected]> --- ...omp_profile_when_compiled_libseccomp.patch | 46 +++++++++++++++++++ recipes-containers/lxc/lxc_4.0.9.bb | 2 + 2 files changed, 48 insertions(+) create mode 100644 recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch diff --git a/recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch b/recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch new file mode 100644 index 0000000..f0a5813 --- /dev/null +++ b/recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch 
@@ -0,0 +1,46 @@ +From 3d46e1d1f8e904fddd4fab3e8d0c6cf57d2ddd4e Mon Sep 17 00:00:00 2001 +From: Maximilian Blenk <[email protected]> +Date: Mon, 23 Aug 2021 22:04:40 +0200 +Subject: [PATCH] config: enable seccomp profile only when compiled with + libseccomp + +Make lxc fail if seccomp.profile is specified but lxc is compiled +without seccomp support. Currently, seccomp.profile is silently ignored +if is specified in such a scenario. This could lead to the false +impression that the seccomp filter is applied while it actually isn't. + +Signed-off-by: Maximilian Blenk <[email protected]> +--- + src/lxc/confile.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +Upstream-Status: Submitted [ https://github.com/lxc/lxc/pull/3947/commits/3d46e1d1f8e904fddd4fab3e8d0c6cf57d2ddd4e ] + +diff --git a/src/lxc/confile.c b/src/lxc/confile.c +index d8b96c6921..1cc8da15f1 100644 +--- a/src/lxc/confile.c ++++ b/src/lxc/confile.c +@@ -1211,7 +1211,11 @@ static int set_config_seccomp_notify_proxy(const char *key, const char *value, + static int set_config_seccomp_profile(const char *key, const char *value, + struct lxc_conf *lxc_conf, void *data) + { ++#ifdef HAVE_SECCOMP + return set_config_path_item(&lxc_conf->seccomp.seccomp, value); ++#else ++ return ret_set_errno(-1, ENOSYS); ++#endif + } + + static int set_config_execute_cmd(const char *key, const char *value, +@@ -4383,7 +4387,11 @@ static int get_config_seccomp_notify_proxy(const char *key, char *retv, int inle + static int get_config_seccomp_profile(const char *key, char *retv, int inlen, + struct lxc_conf *c, void *data) + { ++#ifdef HAVE_SECCOMP + return lxc_get_conf_str(retv, inlen, c->seccomp.seccomp); ++#else ++ return ret_errno(ENOSYS); ++#endif + } + + static int get_config_autodev(const char *key, char *retv, int inlen, diff --git a/recipes-containers/lxc/lxc_4.0.9.bb b/recipes-containers/lxc/ lxc_4.0.9.bb index 7907291..8b165e2 100644 --- a/recipes-containers/lxc/lxc_4.0.9.bb 
+++ b/recipes-containers/lxc/lxc_4.0.9.bb @@ -49,6 +49,7 @@ SRC_URI = " http://linuxcontainers.org/downloads/${BPN}/${BPN}-${PV}.tar.gz \ file://tests-add-no-validate-when-using-download-template.patch \ file://dnsmasq.conf \ file://lxc-net \ + file://enable_seccomp_profile_when_compiled_libseccomp.patch \ " SRC_URI[md5sum] = "365fcca985038910e19a1e0fff15ed07" @@ -72,6 +73,7 @@ EXTRA_OECONF += "--enable-log-src-basename --disable-werror" PACKAGECONFIG ??= "templates \ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)} \ ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)} \ + ${@bb.utils.contains('DISTRO_FEATURES', 'seccomp', 'seccomp', '', d)} \ " PACKAGECONFIG[doc] = "--enable-doc --enable-api-docs,--disable-doc --disable-api-docs,," PACKAGECONFIG[rpath] = "--enable-rpath,--disable-rpath,," -- 2.17.1
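Review bot: In the nested confile.c hunks, the non-HAVE_SECCOMP branch of set_config_seccomp_profile only propagates ENOSYS through ret_set_errno, so an operator who sets lxc.seccomp.profile on a build without libseccomp sees a generic config-parse failure with no indication that seccomp support is simply absent. Since the whole point of the change is to stop the silent-ignore case, consider pairing the errno with an explicit error log in that branch (the file already uses the lxc logging helpers elsewhere) stating that the profile key is rejected because lxc was built without seccomp; the same applies to the get_config_seccomp_profile branch returning ret_errno(ENOSYS).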
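Review bot: The PACKAGECONFIG hunk adds a 'seccomp' entry keyed on DISTRO_FEATURES, but this diff does not show a matching `PACKAGECONFIG[seccomp] = "--enable-seccomp,--disable-seccomp,libseccomp"` definition; if lxc_4.0.9.bb does not already carry one, the new entry is inert, configure never sees --enable-seccomp, HAVE_SECCOMP stays undefined, and the added patch would make every lxc.seccomp.profile setting fail instead of enabling it. Please confirm that line exists in the recipe (or add it in this hunk) so the build actually pulls in libseccomp when the distro feature is set.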
