attach: try to use the container's seccomp policy
authorSerge Hallyn <serge.hallyn@ubuntu.com>
Mon, 17 Feb 2014 18:47:35 +0000 (12:47 -0600)
committerStéphane Graber <stgraber@ubuntu.com>
Mon, 17 Feb 2014 18:52:21 +0000 (13:52 -0500)
We can't get the actual policy (in the case where the policy file
has changed) from the container, but at least we can use the
seccomp policy file listed in the container config file.

(If anyone wants to further improve this, it may be better to get
the seccomp policy over the cmd api;  not sure that's what we want,
and this seems simpler to hook into the existing code, so I went
this way for now)

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
src/lxc/attach.c
src/lxc/attach.h

index a59dae33088ff0acf7e0a9793d252cebdf0044a7..31a5ae7b11fde379e1b0e47125e8607ddf0195a8 100644 (file)
@@ -51,6 +51,9 @@
 #include "commands.h"
 #include "cgroup.h"
 #include "lxclock.h"
+#include "conf.h"
+#include "lxcseccomp.h"
+#include <lxc/lxccontainer.h>
 #include "lsm/lsm.h"
 
 #if HAVE_SYS_PERSONALITY_H
@@ -135,6 +138,8 @@ static void lxc_proc_put_context_info(struct lxc_proc_context_info *ctx)
 {
        if (ctx->lsm_label)
                free(ctx->lsm_label);
+       if (ctx->container)
+               lxc_container_put(ctx->container);
        free(ctx);
 }
 
@@ -593,6 +598,28 @@ static int attach_child_main(void* data);
 /* define default options if no options are supplied by the user */
 static lxc_attach_options_t attach_static_default_options = LXC_ATTACH_OPTIONS_DEFAULT;
 
+static bool fetch_seccomp(const char *name, const char *lxcpath,
+               struct lxc_proc_context_info *i, lxc_attach_options_t *options)
+{
+       struct lxc_container *c;
+       
+       if (!(options->namespaces & CLONE_NEWNS) || !(options->attach_flags & LXC_ATTACH_LSM))
+               return true;
+
+       c = lxc_container_new(name, lxcpath);
+       if (!c)
+               return false;
+       i->container = c;
+       if (!c->lxc_conf)
+               return false;
+       if (lxc_read_seccomp_config(c->lxc_conf) < 0) {
+               ERROR("Error reaading seccomp policy");
+               return false;
+       }
+
+       return true;
+}
+
 int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_function, void* exec_payload, lxc_attach_options_t* options, pid_t* attached_process)
 {
        int ret, status;
@@ -617,6 +644,9 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun
                return -1;
        }
 
+       if (!fetch_seccomp(name, lxcpath, init_ctx, options))
+               WARN("Failed to get seccomp policy");
+
        cwd = getcwd(NULL, 0);
 
        /* determine which namespaces the container was created with
@@ -993,6 +1023,13 @@ static int attach_child_main(void* data)
                        rexit(-1);
                }
        }
+
+       if (init_ctx->container && init_ctx->container->lxc_conf &&
+                       lxc_seccomp_load(init_ctx->container->lxc_conf) != 0) {
+               ERROR("Loading seccomp policy");
+               rexit(-1);
+       }
+
        lxc_proc_put_context_info(init_ctx);
 
        /* The following is done after the communication socket is
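Review bot: A false return from fetch_seccomp is only logged with WARN in the lxc_attach hunk, so when the caller asked for the policy (both CLONE_NEWNS and LXC_ATTACH_LSM set) and the config or policy file cannot be read, the attach still proceeds and the process runs without the filter the change intends to apply. The child side is fail-closed (a lxc_seccomp_load failure ends in rexit(-1)), so the parent should be consistent: `if (!fetch_seccomp(name, lxcpath, init_ctx, options)) { ERROR("Failed to get seccomp policy"); return -1; }`, releasing init_ctx as the surrounding error paths presumably do; if best-effort is intentional, a comment saying so would keep the next reader from treating it as a bug. The message on the lxc_read_seccomp_config failure path misspells "reading". Whether the new container member is zero-initialised when the context is allocated is not visible here and matters for the lxc_container_put call in lxc_proc_put_context_info. lxc_attach's body continues outside the hunk.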
index 3d10777e75d45ea2b2bf3c5b856c3325541319fe..8c833b16fdd4cffa5e625d3a53218ca402dd0e35 100644 (file)
 #include <sys/types.h>
 #include <lxc/attach_options.h>
 
+struct lxc_conf;
+
 struct lxc_proc_context_info {
        char *lsm_label;
+       struct lxc_container *container;
        unsigned long personality;
        unsigned long long capability_mask;
 };
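Review bot: The forward declaration added is `struct lxc_conf;`, but the only new use in this header is the member `struct lxc_container *container;`, so the declared tag is unused in the shown lines while the one actually referenced is not declared. It still compiles in C because the tag is introduced by the member declaration itself, but declaring `struct lxc_container;` (replacing or alongside `struct lxc_conf;`) would make the header's dependencies read correctly. Whether lxc_conf is referenced elsewhere in attach.h is not visible in this section.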