tools: fix lxc-attach regression with -s USER 1202/head
authorChristian Brauner <christian.brauner@canonical.com>
Wed, 21 Sep 2016 11:02:08 +0000 (13:02 +0200)
committerChristian Brauner <christian.brauner@canonical.com>
Wed, 21 Sep 2016 15:26:19 +0000 (17:26 +0200)
Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
src/lxc/attach.c
src/lxc/seccomp.c

index c7414105044d981904a2a2f3812c7335d304faba..99b07fa429a1a6191726821c1c2d49902c2fe600 100644 (file)
@@ -665,16 +665,16 @@ static int attach_child_main(void* data);
 /* define default options if no options are supplied by the user */
 static lxc_attach_options_t attach_static_default_options = LXC_ATTACH_OPTIONS_DEFAULT;
 
-static bool fetch_seccomp(struct lxc_proc_context_info *i,
+static bool fetch_seccomp(struct lxc_container *c,
                          lxc_attach_options_t *options)
 {
-       struct lxc_container *c;
        char *path;
 
-       if (!(options->namespaces & CLONE_NEWNS) || !(options->attach_flags & LXC_ATTACH_LSM))
+       if (!(options->namespaces & CLONE_NEWNS) || !(options->attach_flags & LXC_ATTACH_LSM)) {
+               free(c->lxc_conf->seccomp);
+               c->lxc_conf->seccomp = NULL;
                return true;
-
-       c = i->container;
+       }
 
        /* Remove current setting. */
        if (!c->set_config_item(c, "lxc.seccomp", "")) {
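Review bot: The new early-return branch in fetch_seccomp dereferences `c->lxc_conf` without a NULL check, while attach_child_main in this same commit still tests `init_ctx->container->lxc_conf` before touching it, which suggests the pointer can be NULL. Guarding the branch, e.g. `if (c->lxc_conf) { free(c->lxc_conf->seccomp); c->lxc_conf->seccomp = NULL; }`, would keep the two sites consistent. A short comment there would also help, such as `/* No CLONE_NEWNS or no LXC_ATTACH_LSM: drop any configured profile so the child does not try to load it. */`, assuming that is the intent. The function body continues past the end of this hunk.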
@@ -684,6 +684,7 @@ static bool fetch_seccomp(struct lxc_proc_context_info *i,
        /* Fetch the current profile path over the cmd interface */
        path = c->get_running_config_item(c, "lxc.seccomp");
        if (!path) {
+               INFO("Failed to get running config item for lxc.seccomp.");
                return true;
        }
 
@@ -704,14 +705,11 @@ static bool fetch_seccomp(struct lxc_proc_context_info *i,
        return true;
 }
 
-static bool no_new_privs(struct lxc_proc_context_info *ctx,
+static bool no_new_privs(struct lxc_container *c,
                         lxc_attach_options_t *options)
 {
-       struct lxc_container *c;
        char *val;
 
-       c = ctx->container;
-
        /* Remove current setting. */
        if (!c->set_config_item(c, "lxc.no_new_privs", "")) {
                return false;
@@ -784,10 +782,10 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun
        if (!init_ctx->container)
                return -1;
 
-       if (!fetch_seccomp(init_ctx, options))
+       if (!fetch_seccomp(init_ctx->container, options))
                WARN("Failed to get seccomp policy");
 
-       if (!no_new_privs(init_ctx, options))
+       if (!no_new_privs(init_ctx->container, options))
                WARN("Could not determine whether PR_SET_NO_NEW_PRIVS is set.");
 
        cwd = getcwd(NULL, 0);
@@ -1211,9 +1209,9 @@ static int attach_child_main(void* data)
                        rexit(-1);
                }
        }
-
        if (init_ctx->container && init_ctx->container->lxc_conf &&
-                       lxc_seccomp_load(init_ctx->container->lxc_conf) != 0) {
+           init_ctx->container->lxc_conf->seccomp &&
+           (lxc_seccomp_load(init_ctx->container->lxc_conf) != 0)) {
                ERROR("Loading seccomp policy");
                rexit(-1);
        }
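Review bot: With the added `init_ctx->container->lxc_conf->seccomp &&` test, the child attaches without any seccomp filter whenever that pointer is NULL, and nothing is logged on that path. NULL is produced by the new early return in fetch_seccomp, and presumably also when `get_running_config_item` returns NULL there, where the added `INFO` is the only trace and the function still returns true. Since this condition decides whether the attached process is confined, a comment stating that a NULL profile means the attach is unfiltered by design, plus a line such as `INFO("No seccomp profile set, attaching without seccomp filter.");`, would make the outcome auditable. It may also be worth distinguishing in fetch_seccomp between a container that has no profile and a failed query, so that a command-interface failure does not silently fall back to an unconfined attach. attach_child_main starts and ends outside this hunk.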
index 5069730d67b0a1bb4ca63d7bc33a473c13e4e763..ccffa9f8781c6dad0c7ea5655457cf815576e35a 100644 (file)
@@ -748,7 +748,7 @@ int lxc_seccomp_load(struct lxc_conf *conf)
 #endif
            );
        if (ret < 0) {
-               ERROR("Error loading the seccomp policy.");
+               ERROR("Error loading the seccomp policy: %s.", strerror(-ret));
                return -1;
        }
        return 0;
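Review bot: `strerror(-ret)` on the added line is only meaningful if the call that sets `ret` returns a negated errno value; that call begins above this hunk, so the convention cannot be confirmed from here. If it can return a plain -1, the log would print the text for errno 1 and mislead whoever is debugging a failed policy load. A one-line comment above the check, e.g. `/* ret is a negative errno from the loader */`, would document the assumption, and `<string.h>` needs to be included in seccomp.c if it is not already.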