From 65afdf08b5d7657534e9a143c370aafdf0ae8227 Mon Sep 17 00:00:00 2001
From: 0x0916
Date: Mon, 15 May 2017 18:03:41 +0800
Subject: [PATCH 1/3] seccomp: s/n-new-privs/no-new-privs/g
Signed-off-by: 0x0916
---
 src/lxc/seccomp.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index b6a316f90..9ddae28e9 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -217,7 +217,7 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_
 return NULL;
 }
 if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0)) {
- ERROR("Failed to turn off n-new-privs.");
+ ERROR("Failed to turn off no-new-privs.");
 seccomp_release(ctx);
 return NULL;
 }
@@ -398,7 +398,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
 return -1;
 }
 if (seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0)) {
- ERROR("Failed to turn off n-new-privs.");
+ ERROR("Failed to turn off no-new-privs.");
 return -1;
 }
 #ifdef SCMP_FLTATR_ATL_TSKIP
@@ -735,7 +735,7 @@ int lxc_read_seccomp_config(struct lxc_conf *conf)
 check_seccomp_attr_set = seccomp_attr_set(SCMP_FLTATR_CTL_NNP, 0);
 #endif
 if (check_seccomp_attr_set) {
- ERROR("Failed to turn off n-new-privs.");
+ ERROR("Failed to turn off no-new-privs.");
 return -1;
 }
 #ifdef SCMP_FLTATR_ATL_TSKIP
From 998cd2f4179d5d962fad8b195ca10679f4afbf97 Mon Sep 17 00:00:00 2001
From: 0x0916
Date: Mon, 15 May 2017 18:04:27 +0800
Subject: [PATCH 2/3] seccomp: update comment for function `parse_config`
Signed-off-by: 0x0916
---
 src/lxc/seccomp.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 9ddae28e9..881a49885 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -631,9 +631,9 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
 * The first line of the config file has a policy language version
 * the second line has some directives
 * then comes policy subject to the directives
- * right now version must be '1'
- * the directives must include 'whitelist' (only type of policy currently
- * supported) and can include 'debug' (though debug is not yet supported).
+ * right now version must be '1' or '2'
+ * the directives must include 'whitelist'(version == 1 or 2) or 'blacklist'
+ * (version == 2) and can include 'debug' (though debug is not yet supported).
 */
 static int parse_config(FILE *f, struct lxc_conf *conf)
 {
From 4836330b1a52545771bccc9e115b6c583f6aaf30 Mon Sep 17 00:00:00 2001
From: 0x0916
Date: Mon, 15 May 2017 18:05:09 +0800
Subject: [PATCH 3/3] seccomp: print action name in log
This patch add function `get_action_name`, so we can print action name in the log file. for example:
```
lxc-start ubuntu 20170515095416.561 INFO lxc_seccomp - seccomp.c:parse_config_v2:613 - Adding compat rule for reject_force_umount action 0(kill).
lxc-start ubuntu 20170515095416.562 INFO lxc_seccomp - seccomp.c:parse_config_v2:613 - Adding compat rule for kexec_load action 327681(errno).
```
Signed-off-by: 0x0916
---
 src/lxc/seccomp.c | 33 +++++++++++++++++++++++++++------
 1 file changed, 27 insertions(+), 6 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 881a49885..9369c90bf 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -92,6 +92,23 @@ static uint32_t get_v2_default_action(char *line)
 return ret_action;
 }
 
+static const char *get_action_name(uint32_t action)
+{
+ // The upper 16 bits indicate the type of the seccomp action
+ switch(action & 0xffff0000){
+ case SCMP_ACT_KILL:
+ return "kill";
+ case SCMP_ACT_ALLOW:
+ return "allow";
+ case SCMP_ACT_TRAP:
+ return "trap";
+ case SCMP_ACT_ERRNO(0):
+ return "errno";
+ default:
+ return "invalid action";
+ }
+}
+
 static uint32_t get_and_clear_v2_action(char *line, uint32_t def_action)
 {
 char *p = strchr(line, ' ');
@@ -281,8 +298,8 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
 }
 ret = seccomp_rule_add_exact(ctx, action, nr, 0);
 if (ret < 0) {
- ERROR("Failed (%d) loading rule for %s (nr %d action %d): %s.",
- ret, line, nr, action, strerror(-ret));
+ ERROR("Failed (%d) loading rule for %s (nr %d action %d(%s)): %s.",
+ ret, line, nr, action, get_action_name(action), strerror(-ret));
 return false;
 }
 return true;
@@ -573,7 +590,8 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
 if (cur_rule_arch == native_arch ||
 cur_rule_arch == lxc_seccomp_arch_native ||
 compat_arch[0] == SCMP_ARCH_NATIVE) {
- INFO("Adding native rule for %s action %d.", line, action);
+ INFO("Adding native rule for %s action %d(%s).", line, action,
+ get_action_name(action));
 if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, action))
 goto bad_rule;
 }
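Review bot: In the new get_action_name, the default branch labels every action it does not list as "invalid action", which misleads anyone reading the log, since the value reached this function only after the rule was accepted; SCMP_ACT_TRACE, a valid libseccomp action that is not in the switch, would be reported as invalid. I would add `case SCMP_ACT_TRACE(0): return "trace";` (the 0xffff0000 mask already drops the trace/errno payload, assuming the usual libseccomp encoding of that payload in the low 16 bits) and change the fallback to `return "unknown";`. A header comment such as `/* Name a libseccomp action for logging; the errno/trace payload in the low bits is masked off and not shown. */` would state the contract. Minor style: `switch(action & 0xffff0000){` lacks the spacing the surrounding `if (...) {` code uses.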
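Review bot: The rewritten ERROR in do_resolve_add_rule still prints `action`, a uint32_t, with `%d`; that is a signed/unsigned format mismatch, and any action value with bit 31 set would print as a negative number next to its new name. Since the line is being touched anyway, `(nr %d action %u(%s))` (or `PRIu32`) is the correct specifier, and the same `%d` appears in the INFO calls updated later in this patch. do_resolve_add_rule starts outside the hunk.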
@@ -582,15 +600,18 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
 cur_rule_arch == lxc_seccomp_arch_mips64n32 ||
 cur_rule_arch == lxc_seccomp_arch_mipsel64n32 ? 1 : 0;
- INFO("Adding compat-only rule for %s action %d.", line, action);
+ INFO("Adding compat-only rule for %s action %d(%s).", line, action,
+ get_action_name(action));
 if (!do_resolve_add_rule(compat_arch[arch_index], line, compat_ctx[arch_index], action))
 goto bad_rule;
 } else {
- INFO("Adding native rule for %s action %d.", line, action);
+ INFO("Adding native rule for %s action %d(%s).", line, action,
+ get_action_name(action));
 if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, action))
 goto bad_rule;
- INFO("Adding compat rule for %s action %d.", line, action);
+ INFO("Adding compat rule for %s action %d(%s).", line, action,
+ get_action_name(action));
 if (!do_resolve_add_rule(compat_arch[0], line, compat_ctx[0], action))
 goto bad_rule;
 if (compat_arch[1] != SCMP_ARCH_NATIVE &&