AC_CHECK_LIB([seccomp], [seccomp_init],[],[AC_MSG_ERROR([You must install the seccomp development package in order to compile lxc])])
AC_SUBST([SECCOMP_LIBS], [-lseccomp])])
+# HAVE_SCMP_FILTER_CTX=1 will tell us we have libseccomp api >= 1.0.0
+AC_CHECK_TYPES([scmp_filter_ctx], [], [], [#include <seccomp.h>])
+
AM_CONDITIONAL([ENABLE_DOCBOOK], [test "x$db2xman" != "x"])
AC_ARG_ENABLE([examples],
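Review bot: The AC_CHECK_TYPES probe at L4 sits outside the conditional block that closes at L2, so `#include <seccomp.h>` is test-compiled even when seccomp support is disabled or the header is absent. That is harmless — a failed probe leaves HAVE_SCMP_FILTER_CTX undefined and the `#if HAVE_SCMP_FILTER_CTX` guards in the C code fall through to the pre-1.0 API path — but it leaves a spurious failure in config.log; moving the check inside the block next to AC_CHECK_LIB keeps the two seccomp probes together. The comment at L3 could also name the fallback: `# HAVE_SCMP_FILTER_CTX=1 means libseccomp api >= 1.0.0 (per-context API); unset means the pre-1.0 global-filter API`.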
#include <apparmor.h>
#endif
+#include "lxcseccomp.h"
+
lxc_log_define(lxc_conf, lxc);
#define MAXHWLEN 18
if (conf->aa_profile)
free(conf->aa_profile);
#endif
- if (conf->seccomp)
- free(conf->seccomp);
+ lxc_seccomp_free(conf);
lxc_clear_config_caps(conf);
lxc_clear_cgroups(conf, "lxc.cgroup");
lxc_clear_hooks(conf, "lxc.hook");
#include <lxc/start.h> /* for lxc_handler */
+#if HAVE_SCMP_FILTER_CTX
+typedef void * scmp_filter_ctx;
+#endif
+
enum {
LXC_NET_EMPTY,
LXC_NET_VETH,
int lsm_umount_proc;
#endif
char *seccomp; // filename with the seccomp rules
+#if HAVE_SCMP_FILTER_CTX
+ scmp_filter_ctx *seccomp_ctx;
+#endif
int maincmd_fd;
int autodev; // if 1, mount and fill a /dev at start
};
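Review bot: The new member at L35 is declared `scmp_filter_ctx *seccomp_ctx;`, but the typedef added at L25 already makes scmp_filter_ctx a `void *`, so the field is really a `void **`. It compiles because `void *` converts implicitly in both directions (the assignment and calls in lxcseccomp.c go through unchanged), but the declaration misstates the type and would break the moment the typedef became a struct pointer; it should read `scmp_filter_ctx seccomp_ctx;`. Separately, the layout of struct lxc_conf now depends on HAVE_SCMP_FILTER_CTX, so every translation unit that includes conf.h must see config.h first or two units will disagree on the struct's size and field offsets; whether conf.h includes config.h itself is outside the hunk, so either an `#include "config.h"` in conf.h or a comment on the `#if` at L34 such as `/* requires config.h to be included first; changes struct layout */` would make that requirement explicit.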
#ifdef HAVE_SECCOMP
int lxc_seccomp_load(struct lxc_conf *conf);
int lxc_read_seccomp_config(struct lxc_conf *conf);
+void lxc_seccomp_free(struct lxc_conf *conf);
#else
static inline int lxc_seccomp_load(struct lxc_conf *conf) {
return 0;
static inline int lxc_read_seccomp_config(struct lxc_conf *conf) {
return 0;
}
+
+static inline void lxc_seccomp_free(struct lxc_conf *conf) {
+ if (conf->seccomp) {
+ free(conf->seccomp);
+ conf->seccomp = NULL;
+ }
+}
#endif
#endif
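Review bot: The stub added at L51-L56 calls free(), so this header now needs <stdlib.h> in scope for the !HAVE_SECCOMP build; whether it is already included is outside the hunk. The stub also duplicates the first half of the real lxc_seccomp_free in lxcseccomp.c, so the two bodies have to be kept in step by hand; a one-line comment on the stub, `/* mirrors lxc_seccomp_free() in lxcseccomp.c minus the context release */`, would flag that. The declaration at L43 would benefit from a contract comment, e.g. `/* Frees conf->seccomp and releases the filter context; safe to call on a conf that never loaded seccomp. */`.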
#include <seccomp.h>
#include <errno.h>
#include <seccomp.h>
+#include "config.h"
#include "lxcseccomp.h"
#include "log.h"
ret = sscanf(line, "%d", &nr);
if (ret != 1)
return -1;
- ret = seccomp_rule_add(SCMP_ACT_ALLOW, nr, 0);
+ ret = seccomp_rule_add(
+#if HAVE_SCMP_FILTER_CTX
+ conf->seccomp_ctx,
+#endif
+ SCMP_ACT_ALLOW, nr, 0);
if (ret < 0) {
ERROR("failed loading allow rule for %d\n", nr);
return ret;
FILE *f;
int ret;
- if (seccomp_init(SCMP_ACT_ERRNO(31)) < 0) { /* for debug, pass in SCMP_ACT_TRAP */
+ if (!conf->seccomp)
+ return 0;
+
+#if HAVE_SCMP_FILTER_CTX
+ /* XXX for debug, pass in SCMP_ACT_TRAP */
+ conf->seccomp_ctx = seccomp_init(SCMP_ACT_ERRNO(31));
+ ret = !conf->seccomp_ctx;
+#else
+ ret = seccomp_init(SCMP_ACT_ERRNO(31)) < 0;
+#endif
+ if (ret) {
ERROR("failed initializing seccomp");
return -1;
}
- if (!conf->seccomp)
- return 0;
/* turn of no-new-privs. We don't want it in lxc, and it breaks
* with apparmor */
- if (seccomp_attr_set(SCMP_FLTATR_CTL_NNP, 0)) {
+ if (seccomp_attr_set(
+#if HAVE_SCMP_FILTER_CTX
+ conf->seccomp_ctx,
+#endif
+ SCMP_FLTATR_CTL_NNP, 0)) {
ERROR("failed to turn off n-new-privs\n");
return -1;
}
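Review bot: The context created at L85 is not released when seccomp_attr_set fails at L99-L105; the function returns -1 with the context still in conf->seccomp_ctx, and presumably the same holds for later rule-parsing failures, so cleanup depends on the caller eventually reaching lxc_conf_free -> lxc_seccomp_free. If lxc_read_seccomp_config can run more than once on the same conf, the assignment at L85 also overwrites a live context without releasing it. Releasing on the failure path, e.g. `seccomp_release(conf->seccomp_ctx); conf->seccomp_ctx = NULL;` inside the `#if` before the `return -1`, or a comment stating that lxc_seccomp_free is the designated cleanup, would make ownership explicit. The function's body continues past the end of the hunk.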
int ret;
if (!conf->seccomp)
return 0;
- ret = seccomp_load();
+ ret = seccomp_load(
+#if HAVE_SCMP_FILTER_CTX
+ conf->seccomp_ctx
+#endif
+ );
if (ret < 0) {
ERROR("Error loading the seccomp policy");
return -1;
}
return 0;
}
+
+void lxc_seccomp_free(struct lxc_conf *conf) {
+ if (conf->seccomp) {
+ free(conf->seccomp);
+ conf->seccomp = NULL;
+ }
+#if HAVE_SCMP_FILTER_CTX
+ if (conf->seccomp_ctx) {
+ seccomp_release(conf->seccomp_ctx);
+ conf->seccomp_ctx = NULL;
+ }
+#endif
+}
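Review bot: In the `#else` build nothing tears down the filter that seccomp_init created at L88, so on the pre-1.0 API the global filter state outlives lxc_seccomp_free; if that API provides a no-argument `seccomp_release(void)`, the `#if` at L128 could gain an `#else` arm calling it. The `if (conf->seccomp_ctx)` guard at L129 is right, since a conf whose seccomp file was never read keeps a NULL context. A short header comment, `/* Release the seccomp config path and, on the per-context API, the compiled filter; idempotent. */`, would document the contract.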