support new libseccomp api
authorSerge Hallyn <serge.hallyn@ubuntu.com>
Tue, 11 Dec 2012 17:40:02 +0000 (11:40 -0600)
committerSerge Hallyn <serge.hallyn@ubuntu.com>
Tue, 11 Dec 2012 18:33:40 +0000 (12:33 -0600)
Detect the new API in configure.ac by checking whether seccomp.h defines the
scmp_filter_ctx type.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
configure.ac
src/lxc/conf.c
src/lxc/conf.h
src/lxc/lxcseccomp.h
src/lxc/seccomp.c

index ef321ce47f9f9865c297d4cc078bee151745af1a..bdfcacf394c38597210f4e1f8d5cb78757c62549 100644 (file)
@@ -115,6 +115,9 @@ AM_COND_IF([ENABLE_SECCOMP],
      AC_CHECK_LIB([seccomp], [seccomp_init],[],[AC_MSG_ERROR([You must install the seccomp development package in order to compile lxc])])
      AC_SUBST([SECCOMP_LIBS], [-lseccomp])])
 
+# HAVE_SCMP_FILTER_CTX=1 will tell us we have libseccomp api >= 1.0.0
+AC_CHECK_TYPES([scmp_filter_ctx], [], [], [#include <seccomp.h>])
+
 AM_CONDITIONAL([ENABLE_DOCBOOK], [test "x$db2xman" != "x"])
 
 AC_ARG_ENABLE([examples],
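Review bot: The AC_CHECK_TYPES probe at line 23 sits outside the AM_COND_IF([ENABLE_SECCOMP]) block that closes at line 20, so configure compiles a test against <seccomp.h> even when seccomp support is disabled and the header may be absent. The probe then fails quietly and HAVE_SCMP_FILTER_CTX stays undefined, which the `#if` tests in the sources handle correctly, but moving the check inside the ENABLE_SECCOMP branch keeps a misleading "checking for scmp_filter_ctx... no" out of non-seccomp builds. The comment at line 22 could also state what the negative result means, e.g. `# absent => libseccomp 0.1.x API, whose calls take no filter-context argument`.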
index 5173aaf609c24b4cffb3398a1a3a190ece2a6d11..7e44c3ce3e54b14a73bf2d50972f6f58b69f81c1 100644 (file)
@@ -66,6 +66,8 @@
 #include <apparmor.h>
 #endif
 
+#include "lxcseccomp.h"
+
 lxc_log_define(lxc_conf, lxc);
 
 #define MAXHWLEN    18
@@ -2760,8 +2762,7 @@ void lxc_conf_free(struct lxc_conf *conf)
        if (conf->aa_profile)
                free(conf->aa_profile);
 #endif
-       if (conf->seccomp)
-               free(conf->seccomp);
+       lxc_seccomp_free(conf);
        lxc_clear_config_caps(conf);
        lxc_clear_cgroups(conf, "lxc.cgroup");
        lxc_clear_hooks(conf, "lxc.hook");
index 3f6181f32b738a4de9e1dd81dd91d5dc376dd1d8..ca4dbc211d52bc61a64fe3dce6f0e1d074301445 100644 (file)
 
 #include <lxc/start.h> /* for lxc_handler */
 
+#if HAVE_SCMP_FILTER_CTX
+typedef void * scmp_filter_ctx;
+#endif
+
 enum {
        LXC_NET_EMPTY,
        LXC_NET_VETH,
@@ -246,6 +250,9 @@ struct lxc_conf {
        int lsm_umount_proc;
 #endif
        char *seccomp;  // filename with the seccomp rules
+#if HAVE_SCMP_FILTER_CTX
+       scmp_filter_ctx *seccomp_ctx;
+#endif
        int maincmd_fd;
        int autodev;  // if 1, mount and fill a /dev at start
 };
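Review bot: The new member at line 64 is declared as `scmp_filter_ctx *seccomp_ctx;`, but scmp_filter_ctx in libseccomp 1.0 is itself an opaque pointer type (`typedef void *scmp_filter_ctx;`, which the fallback at line 53 mirrors), so the field carries one indirection level too many. The assignment from seccomp_init() and the ctx arguments in src/lxc/seccomp.c only compile because void * converts implicitly in both directions; should the library ever make the type non-void the mismatch becomes a hard error. Declare it as `scmp_filter_ctx seccomp_ctx;  // filter context, NULL until lxc_read_seccomp_config() has initialised it`. The typedef at lines 52-54 repeats the library's own definition for translation units that see both headers; identical typedef redefinitions are accepted from C11 on and by GCC as an extension, so whether this is clean depends on the project's -std setting, which I cannot see here.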
index 00262a52cbe530512f40b1da3ab1966b233c779a..4f146dd2bfd827c575b721aa6a0c9bf4c3ce7332 100644 (file)
@@ -28,6 +28,7 @@
 #ifdef HAVE_SECCOMP
 int lxc_seccomp_load(struct lxc_conf *conf);
 int lxc_read_seccomp_config(struct lxc_conf *conf);
+void lxc_seccomp_free(struct lxc_conf *conf);
 #else
 static inline int lxc_seccomp_load(struct lxc_conf *conf) {
        return 0;
@@ -36,6 +37,13 @@ static inline int lxc_seccomp_load(struct lxc_conf *conf) {
 static inline int lxc_read_seccomp_config(struct lxc_conf *conf) {
        return 0;
 }
+
+static inline void lxc_seccomp_free(struct lxc_conf *conf) {
+       if (conf->seccomp) {
+               free(conf->seccomp);
+               conf->seccomp = NULL;
+       }
+}
 #endif
 
 #endif
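Review bot: The inline `lxc_seccomp_free` added at lines 83-88 calls free() and dereferences `conf->seccomp`, so this header now needs `<stdlib.h>` and a complete `struct lxc_conf` in scope; the hunk starts at line 28 and the header's include list lies outside it, so I cannot confirm both are already pulled in. The `if (conf->seccomp)` guard is redundant because free(NULL) is a no-op; `free(conf->seccomp); conf->seccomp = NULL;` is equivalent and shorter. The same simplification applies to the HAVE_SECCOMP implementation of lxc_seccomp_free in src/lxc/seccomp.c.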
index f2c5d00e51583059b35fca9f754b4627dcda87d9..2f0b447085b9f0b7c2d6afecec12ec13db73c6b2 100644 (file)
@@ -27,6 +27,7 @@
 #include <seccomp.h>
 #include <errno.h>
 #include <seccomp.h>
+#include "config.h"
 #include "lxcseccomp.h"
 
 #include "log.h"
@@ -69,7 +70,11 @@ static int parse_config(FILE *f, struct lxc_conf *conf)
                ret = sscanf(line, "%d", &nr);
                if (ret != 1)
                        return -1;
-               ret = seccomp_rule_add(SCMP_ACT_ALLOW, nr, 0);
+               ret = seccomp_rule_add(
+#if HAVE_SCMP_FILTER_CTX
+                       conf->seccomp_ctx,
+#endif
+                       SCMP_ACT_ALLOW, nr, 0);
                if (ret < 0) {
                        ERROR("failed loading allow rule for %d\n", nr);
                        return ret;
@@ -83,16 +88,28 @@ int lxc_read_seccomp_config(struct lxc_conf *conf)
        FILE *f;
        int ret;
 
-       if (seccomp_init(SCMP_ACT_ERRNO(31)) < 0)  { /* for debug, pass in SCMP_ACT_TRAP */
+       if (!conf->seccomp)
+               return 0;
+
+#if HAVE_SCMP_FILTER_CTX
+       /* XXX for debug, pass in SCMP_ACT_TRAP */
+       conf->seccomp_ctx = seccomp_init(SCMP_ACT_ERRNO(31));
+       ret = !conf->seccomp_ctx;
+#else
+       ret = seccomp_init(SCMP_ACT_ERRNO(31)) < 0;
+#endif
+       if (ret) {
                ERROR("failed initializing seccomp");
                return -1;
        }
-       if (!conf->seccomp)
-               return 0;
 
        /* turn of no-new-privs.  We don't want it in lxc, and it breaks
         * with apparmor */
-       if (seccomp_attr_set(SCMP_FLTATR_CTL_NNP, 0)) {
+       if (seccomp_attr_set(
+#if HAVE_SCMP_FILTER_CTX
+                       conf->seccomp_ctx,
+#endif
+                       SCMP_FLTATR_CTL_NNP, 0)) {
                ERROR("failed to turn off n-new-privs\n");
                return -1;
        }
@@ -112,10 +129,27 @@ int lxc_seccomp_load(struct lxc_conf *conf)
        int ret;
        if (!conf->seccomp)
                return 0;
-       ret = seccomp_load();
+       ret = seccomp_load(
+#if HAVE_SCMP_FILTER_CTX
+                       conf->seccomp_ctx
+#endif
+       );
        if (ret < 0) {
                ERROR("Error loading the seccomp policy");
                return -1;
        }
        return 0;
 }
+
+void lxc_seccomp_free(struct lxc_conf *conf) {
+       if (conf->seccomp) {
+               free(conf->seccomp);
+               conf->seccomp = NULL;
+       }
+#if HAVE_SCMP_FILTER_CTX
+       if (conf->seccomp_ctx) {
+               seccomp_release(conf->seccomp_ctx);
+               conf->seccomp_ctx = NULL;
+       }
+#endif
+}
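Review bot: lxc_seccomp_load at lines 149-156 still gates only on `conf->seccomp`, so when a policy file is configured but lxc_read_seccomp_config() failed at or before seccomp_init(), or was never called, the new-API path passes a NULL `conf->seccomp_ctx` to seccomp_load() and relies on the library to reject it. libseccomp presumably returns an error for a NULL context, but an explicit check gives a clear log line and keeps the behaviour fail-closed independent of library version. Separately, the `#include "config.h"` added at line 97 conventionally precedes the system headers whose feature macros it may influence rather than following them, and the duplicated `#include <seccomp.h>` at lines 94 and 96 is pre-existing but could be dropped in passing.
```c
int lxc_seccomp_load(struct lxc_conf *conf)
{
	int ret;
	if (!conf->seccomp)
		return 0;
#if HAVE_SCMP_FILTER_CTX
	/* A configured policy without a filter context means the earlier
	 * read/init step failed; refuse to start rather than load nothing. */
	if (!conf->seccomp_ctx) {
		ERROR("seccomp policy configured but no filter context was initialised");
		return -1;
	}
#endif
	/* … unchanged: seccomp_load() call and its error handling … */
```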