From 0b427da0e7dad5d3637b20e8aaaf448d4bff41a3 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Sun, 2 Jul 2017 12:56:01 +0200 Subject: [PATCH] confile: lxc.seccomp --> lxc.seccomp.profile Signed-off-by: Christian Brauner --- config/templates/common.conf.in | 2 +- config/templates/openwrt.common.conf.in | 2 +- config/templates/sabayon.common.conf.in | 2 +- doc/lxc.container.conf.sgml.in | 2 +- src/lxc/attach.c | 13 +++++++++---- src/lxc/confile.c | 21 +++++++++++++-------- src/tests/parse_config_file.c | 11 ++++++++++- 7 files changed, 36 insertions(+), 17 deletions(-) diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in index e13d98a7f..c4b3bdcce 100644 --- a/config/templates/common.conf.in +++ b/config/templates/common.conf.in @@ -48,7 +48,7 @@ lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,opt # Blacklist some syscalls which are not safe in privileged # containers -lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp +lxc.seccomp.profile = @LXCTEMPLATECONFIG@/common.seccomp # Lastly, include all the configs from @LXCTEMPLATECONFIG@/common.conf.d/ lxc.include = @LXCTEMPLATECONFIG@/common.conf.d/ diff --git a/config/templates/openwrt.common.conf.in b/config/templates/openwrt.common.conf.in index 607bb5a3b..73db6f60b 100644 --- a/config/templates/openwrt.common.conf.in +++ b/config/templates/openwrt.common.conf.in @@ -47,4 +47,4 @@ lxc.cgroup.devices.allow = c 4:1 rwm # Blacklist some syscalls which are not safe in privileged # containers -lxc.seccomp = /usr/share/lxc/config/common.seccomp +lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp diff --git a/config/templates/sabayon.common.conf.in b/config/templates/sabayon.common.conf.in index e14636635..ccb4c1236 100644 --- a/config/templates/sabayon.common.conf.in +++ b/config/templates/sabayon.common.conf.in 
@@ -73,7 +73,7 @@ lxc.mount.entry = none dev/shm tmpfs rw,nosuid,nodev,create=dir # Blacklist some syscalls which are not safe in privileged # containers -lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp +lxc.seccomp.profile = @LXCTEMPLATECONFIG@/common.seccomp # Customize lxc options through common directory lxc.include = @LXCTEMPLATECONFIG@/common.conf.d/ diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in index f283649e6..390f6c05c 100644 --- a/doc/lxc.container.conf.sgml.in +++ b/doc/lxc.container.conf.sgml.in @@ -1328,7 +1328,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - + diff --git a/src/lxc/attach.c b/src/lxc/attach.c index 7cfca4342..096a281cc 100644 --- a/src/lxc/attach.c +++ b/src/lxc/attach.c @@ -691,19 +691,24 @@ static bool fetch_seccomp(struct lxc_container *c, } /* Remove current setting. */ - if (!c->set_config_item(c, "lxc.seccomp", "")) { + if (!c->set_config_item(c, "lxc.seccomp", "") && + !c->set_config_item(c, "lxc.seccomp.profile", "")) { return false; } /* Fetch the current profile path over the cmd interface. */ - path = c->get_running_config_item(c, "lxc.seccomp"); + path = c->get_running_config_item(c, "lxc.seccomp.profile"); if (!path) { - INFO("Failed to get running config item for lxc.seccomp."); + INFO("Failed to get running config item for lxc.seccomp.profile"); + path = c->get_running_config_item(c, "lxc.seccomp"); + } + if (!path) { + INFO("Failed to get running config item for lxc.seccomp"); return true; } /* Copy the value into the new lxc_conf. */ - if (!c->set_config_item(c, "lxc.seccomp", path)) { + if (!c->set_config_item(c, "lxc.seccomp.profile", path)) { free(path); return false; } diff --git a/src/lxc/confile.c b/src/lxc/confile.c index 69bd4db98..5957df753 100644 --- a/src/lxc/confile.c +++ b/src/lxc/confile.c 
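Review bot: The first `INFO("Failed to get running config item for lxc.seccomp.profile")` now fires on the expected compatibility path — a container started by an older liblxc whose command handler only knows the legacy key — so an anticipated fallback is reported as a failure before the second lookup has even run; logging the fallback as such, e.g. `INFO("lxc.seccomp.profile not in running config, falling back to lxc.seccomp");`, and keeping the "Failed" wording for the second miss only, makes the log readable. The clearing guard `!c->set_config_item(c, "lxc.seccomp", "") && !c->set_config_item(c, "lxc.seccomp.profile", "")` tries the legacy key first while the fetch a few lines below prefers the new key; since both names appear to drive the same clear handler in this tree, the second call is only reached after the first has already failed, so either order the pair like the fetch or add a one-line comment saying the legacy call is kept for the planned removal of `lxc.seccomp`. fetch_seccomp's body begins before and continues past this hunk.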
@@ -115,7 +115,7 @@ lxc_config_define(cap_drop); lxc_config_define(cap_keep); lxc_config_define(console_logfile); lxc_config_define(console_path); -lxc_config_define(seccomp); +lxc_config_define(seccomp_profile); lxc_config_define(includefiles); lxc_config_define(autodev); lxc_config_define(signal_halt); @@ -248,10 +248,15 @@ static struct lxc_config_t config[] = { { "lxc.cap.keep", set_config_cap_keep, get_config_cap_keep, clr_config_cap_keep, }, { "lxc.console.logfile", set_config_console_logfile, get_config_console_logfile, clr_config_console_logfile, }, { "lxc.console.path", set_config_console_path, get_config_console_path, clr_config_console_path, }, - { "lxc.seccomp", set_config_seccomp, get_config_seccomp, clr_config_seccomp, }, + { "lxc.seccomp.profile", set_config_seccomp_profile, get_config_seccomp_profile, clr_config_seccomp_profile, }, { "lxc.include", set_config_includefiles, get_config_includefiles, clr_config_includefiles, }, { "lxc.autodev", set_config_autodev, get_config_autodev, clr_config_autodev, }, + /* REMOVE IN LXC 3.0 + legacy seccomp key + */ + { "lxc.seccomp", set_config_seccomp_profile, get_config_seccomp_profile, clr_config_seccomp_profile, }, + /* REMOVE IN LXC 3.0 legacy console key */ @@ -1062,8 +1067,8 @@ static int add_hook(struct lxc_conf *lxc_conf, int which, char *hook) return 0; } -static int set_config_seccomp(const char *key, const char *value, - struct lxc_conf *lxc_conf, void *data) +static int set_config_seccomp_profile(const char *key, const char *value, + struct lxc_conf *lxc_conf, void *data) { return set_config_path_item(&lxc_conf->seccomp, value); } 
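Review bot: The placement of the new legacy `{ "lxc.seccomp", set_config_seccomp_profile, ... }` entry after `lxc.seccomp.profile` in `config[]` looks load-bearing but is not documented: if key lookup over this table still matches by prefix (a `strncmp` bounded by the table entry's own length, as `lxc_getconfig` did in this code base), an `lxc.seccomp` entry placed before `lxc.seccomp.profile` would capture the new key too, silently routing it through the legacy entry after a later reorder. Extend the comment to state the constraint, e.g. `/* REMOVE IN LXC 3.0: legacy seccomp key. Keep after "lxc.seccomp.profile": keys are matched by prefix. */`. The adjacent legacy console entry visible in the context has the same property and could carry the same note. The `config[]` initializer begins before and ends after this hunk.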
@@ -3185,8 +3190,8 @@ static int get_config_console_logfile(const char *key, char *retv, int inlen, return lxc_get_conf_str(retv, inlen, c->console.log_path); } -static int get_config_seccomp(const char *key, char *retv, int inlen, - struct lxc_conf *c, void *data) +static int get_config_seccomp_profile(const char *key, char *retv, int inlen, + struct lxc_conf *c, void *data) { return lxc_get_conf_str(retv, inlen, c->seccomp); } @@ -3544,8 +3549,8 @@ static inline int clr_config_console_logfile(const char *key, return 0; } -static inline int clr_config_seccomp(const char *key, struct lxc_conf *c, - void *data) +static inline int clr_config_seccomp_profile(const char *key, + struct lxc_conf *c, void *data) { free(c->seccomp); c->seccomp = NULL; diff --git a/src/tests/parse_config_file.c b/src/tests/parse_config_file.c index 5550d96c9..ce3218755 100644 --- a/src/tests/parse_config_file.c +++ b/src/tests/parse_config_file.c @@ -678,13 +678,22 @@ int main(int argc, char *argv[]) goto non_test_error; } - /* lxc.seccomp */ + /* REMOVE IN LXC 3.0 + legacy seccomp key + */ if (set_get_compare_clear_save_load( c, "lxc.seccomp", "/some/seccomp/file", tmpf, true) < 0) { lxc_error("%s\n", "lxc.seccomp"); goto non_test_error; } + /* lxc.seccomp.profile */ + if (set_get_compare_clear_save_load( + c, "lxc.seccomp.profile", "/some/seccomp/file", tmpf, true) < 0) { + lxc_error("%s\n", "lxc.seccomp.profile"); + goto non_test_error; + } + /* lxc.autodev */ if (set_get_compare_clear_save_load(c, "lxc.autodev", "1", tmpf, true) < 0) { -- 2.47.2
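Review bot: The new `lxc.seccomp.profile` block exercises that key in isolation, but nothing verifies the alias relationship the rest of the patch relies on — that a value set through the legacy `lxc.seccomp` key is read back under `lxc.seccomp.profile` (and that clearing one clears the other), which is what the attach fallback path depends on. A short cross-key check between the two blocks — set via `lxc.seccomp`, get via `lxc.seccomp.profile`, compare to `"/some/seccomp/file"`, then clear — would pin that behaviour and will also document what breaks when the legacy entry is removed in 3.0. `main` begins before and continues past this hunk.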