Fix seccomp profile on attach of undefined container
authorStéphane Graber <stgraber@ubuntu.com>
Thu, 10 Dec 2015 23:58:58 +0000 (18:58 -0500)
committerStéphane Graber <stgraber@ubuntu.com>
Thu, 17 Nov 2016 22:22:26 +0000 (17:22 -0500)
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
src/lxc/attach.c

index 436ae7a56a9e1c031737e599620733d09b3cc3ce..13989e863d79ccf4f60826f5d7eb73e4600431e9 100644 (file)
@@ -661,6 +661,7 @@ static bool fetch_seccomp(const char *name, const char *lxcpath,
                struct lxc_proc_context_info *i, lxc_attach_options_t *options)
 {
        struct lxc_container *c;
+       char *path;
 
        if (!(options->namespaces & CLONE_NEWNS) || !(options->attach_flags & LXC_ATTACH_LSM))
                return true;
@@ -669,8 +670,26 @@ static bool fetch_seccomp(const char *name, const char *lxcpath,
        if (!c)
                return false;
        i->container = c;
-       if (!c->lxc_conf)
+
+       /* Initialize an empty lxc_conf */
+       if (!c->set_config_item(c, "lxc.seccomp", "")) {
                return false;
+       }
+
+       /* Fetch the current profile path over the cmd interface */
+       path = c->get_running_config_item(c, "lxc.seccomp");
+       if (!path) {
+               return true;
+       }
+
+       /* Copy the value into the new lxc_conf */
+       if (!c->set_config_item(c, "lxc.seccomp", path)) {
+               free(path);
+               return false;
+       }
+       free(path);
+
+       /* Attempt to parse the resulting config */
        if (lxc_read_seccomp_config(c->lxc_conf) < 0) {
                ERROR("Error reading seccomp policy");
                return false;
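Review bot: The `if (!path) return true;` branch in the second hunk treats every NULL from `get_running_config_item` as "no profile configured", so the attach continues without loading any seccomp policy. Whether that call can also return NULL when the query to the running container fails is not visible here; if it can, the attached process would silently run unfiltered, and returning `false` for that case would fail closed. At minimum the branch should state its intent, e.g. `/* NULL: no lxc.seccomp reported by the running container, nothing to load */`, and log that seccomp is being skipped. The first `set_config_item(c, "lxc.seccomp", "")` call appears to be used only for its side effect of creating `c->lxc_conf`, which its comment could say outright. fetch_seccomp's body continues past the end of this hunk.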