From bd7b4e282bf9eda97578f3a853a994301cef918e Mon Sep 17 00:00:00 2001
From: =?utf8?q?St=C3=A9phane=20Graber?=
Date: Thu, 10 Dec 2015 18:58:58 -0500
Subject: [PATCH] Fix seccomp profile on attach of undefined container
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber
Acked-by: Serge Hallyn
---
 src/lxc/attach.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 436ae7a56..13989e863 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -661,6 +661,7 @@ static bool fetch_seccomp(const char *name, const char *lxcpath,
 struct lxc_proc_context_info *i, lxc_attach_options_t *options)
 {
 struct lxc_container *c;
+ char *path;
 
 if (!(options->namespaces & CLONE_NEWNS) || !(options->attach_flags & LXC_ATTACH_LSM))
 return true;
@@ -669,8 +670,26 @@ static bool fetch_seccomp(const char *name, const char *lxcpath,
 if (!c)
 return false;
 i->container = c;
- if (!c->lxc_conf)
+
+ /* Initialize an empty lxc_conf */
+ if (!c->set_config_item(c, "lxc.seccomp", "")) {
 return false;
+ }
+
+ /* Fetch the current profile path over the cmd interface */
+ path = c->get_running_config_item(c, "lxc.seccomp");
+ if (!path) {
+ return true;
+ }
+
+ /* Copy the value into the new lxc_conf */
+ if (!c->set_config_item(c, "lxc.seccomp", path)) {
+ free(path);
+ return false;
+ }
+ free(path);
+
+ /* Attempt to parse the resulting config */
 if (lxc_read_seccomp_config(c->lxc_conf) < 0) {
 ERROR("Error reading seccomp policy");
 return false;
-- 
2.47.3
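Review bot: In the second hunk, `if (!path) { return true; }` treats every NULL from `get_running_config_item` as "no seccomp profile configured", so the attach continues with no filter loaded and nothing logged. The visible lines do not show whether NULL can also mean the command-interface request itself failed; if it can, a container that runs under a profile would hand out an unfiltered attached process. I would at least record the case before returning, e.g. `WARN("No seccomp profile reported by running container, attaching without one");`, and return false instead if the callee can report a transport error separately from an unset key. fetch_seccomp starts before and continues after this hunk, so how callers treat the `true` result is not visible here.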