attach: move loading seccomp as late as possible
authorChristian Brauner <christian.brauner@ubuntu.com>
Tue, 2 Feb 2021 09:43:12 +0000 (10:43 +0100)
committerChristian Brauner <christian.brauner@ubuntu.com>
Tue, 2 Feb 2021 09:51:06 +0000 (10:51 +0100)
We want to minimize the chance that the profile blocks syscalls we need during
attach setup and has the notifier enabled.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
src/lxc/attach.c

index 543f8b7792fbc529d6f05ac68911c0176c5c596e..5f8114b2f55b0e3ebc0d845e31a90b570343bf86 100644 (file)
@@ -1130,18 +1130,6 @@ __noreturn static void do_attach(struct attach_payload *ap)
                TRACE("Set PR_SET_NO_NEW_PRIVS");
        }
 
-       if (conf->seccomp.seccomp) {
-               ret = lxc_seccomp_load(conf);
-               if (ret < 0)
-                       goto on_error;
-
-               TRACE("Loaded seccomp profile");
-
-               ret = lxc_seccomp_send_notifier_fd(&conf->seccomp, ap->ipc_socket);
-               if (ret < 0)
-                       goto on_error;
-       }
-
        /* The following is done after the communication socket is shut down.
         * That way, all errors that might (though unlikely) occur up until this
         * point will have their messages printed to the original stderr (if
@@ -1210,6 +1198,18 @@ __noreturn static void do_attach(struct attach_payload *ap)
        if (ret)
                INFO("Failed to adjust stdio permissions");
 
+       if (conf->seccomp.seccomp) {
+               ret = lxc_seccomp_load(conf);
+               if (ret < 0)
+                       goto on_error;
+
+               TRACE("Loaded seccomp profile");
+
+               ret = lxc_seccomp_send_notifier_fd(&conf->seccomp, ap->ipc_socket);
+               if (ret < 0)
+                       goto on_error;
+       }
+
        if (!lxc_switch_uid_gid(ctx->target_ns_uid, ctx->target_ns_gid))
                goto on_error;