proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-08-15 04:09:46 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #1563 from 0x0916/seccomp

Browse Source 
Seccomp: update comment, print action name etc
This commit is contained in:
Christian Brauner 2017-05-15 17:55:55 +02:00 committed by GitHub
commit bf2146ab37
1 changed files with 33 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
src/lxc/seccomp.c
View File

@ -92,6 +92,23 @@ static uint32_t get_v2_default_action(char *line)
return ret_action; return ret_action;
} }
static const char *get_action_name(uint32_t action)
{
// The upper 16 bits indicate the type of the seccomp action
switch(action & 0xffff0000){
case SCMP_ACT_KILL:
return "kill";
case SCMP_ACT_ALLOW:
return "allow";
case SCMP_ACT_TRAP:
return "trap";
case SCMP_ACT_ERRNO(0):
return "errno";
default:
return "invalid action";
}
}
static uint32_t get_and_clear_v2_action(char *line, uint32_t def_action) static uint32_t get_and_clear_v2_action(char *line, uint32_t def_action)
{ {
char *p = strchr(line, ' '); char *p = strchr(line, ' ');
@ -217,7 +234,7 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_
return NULL; return NULL;
} }
if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0)) { if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0)) {
ERROR("Failed to turn off n-new-privs."); ERROR("Failed to turn off no-new-privs.");
seccomp_release(ctx); seccomp_release(ctx);
return NULL; return NULL;
} }
@ -281,8 +298,8 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
} }
ret = seccomp_rule_add_exact(ctx, action, nr, 0); ret = seccomp_rule_add_exact(ctx, action, nr, 0);
if (ret < 0) { if (ret < 0) {
ERROR("Failed (%d) loading rule for %s (nr %d action %d): %s.", ERROR("Failed (%d) loading rule for %s (nr %d action %d(%s)): %s.",
ret, line, nr, action, strerror(-ret)); ret, line, nr, action, get_action_name(action), strerror(-ret));
return false; return false;
} }
return true; return true;
@ -398,7 +415,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
return -1; return -1;
} }
if (seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0)) { if (seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0)) {
ERROR("Failed to turn off n-new-privs."); ERROR("Failed to turn off no-new-privs.");
return -1; return -1;
} }
#ifdef SCMP_FLTATR_ATL_TSKIP #ifdef SCMP_FLTATR_ATL_TSKIP
@ -573,7 +590,8 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
if (cur_rule_arch == native_arch || if (cur_rule_arch == native_arch ||
cur_rule_arch == lxc_seccomp_arch_native || cur_rule_arch == lxc_seccomp_arch_native ||
compat_arch[0] == SCMP_ARCH_NATIVE) { compat_arch[0] == SCMP_ARCH_NATIVE) {
INFO("Adding native rule for %s action %d.", line, action); INFO("Adding native rule for %s action %d(%s).", line, action,
get_action_name(action));
if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, action)) if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, action))
goto bad_rule; goto bad_rule;
} }
@ -582,15 +600,18 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
cur_rule_arch == lxc_seccomp_arch_mips64n32 || cur_rule_arch == lxc_seccomp_arch_mips64n32 ||
cur_rule_arch == lxc_seccomp_arch_mipsel64n32 ? 1 : 0; cur_rule_arch == lxc_seccomp_arch_mipsel64n32 ? 1 : 0;
INFO("Adding compat-only rule for %s action %d.", line, action); INFO("Adding compat-only rule for %s action %d(%s).", line, action,
get_action_name(action));
if (!do_resolve_add_rule(compat_arch[arch_index], line, compat_ctx[arch_index], action)) if (!do_resolve_add_rule(compat_arch[arch_index], line, compat_ctx[arch_index], action))
goto bad_rule; goto bad_rule;
} }
else { else {
INFO("Adding native rule for %s action %d.", line, action); INFO("Adding native rule for %s action %d(%s).", line, action,
get_action_name(action));
if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, action)) if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, action))
goto bad_rule; goto bad_rule;
INFO("Adding compat rule for %s action %d.", line, action); INFO("Adding compat rule for %s action %d(%s).", line, action,
get_action_name(action));
if (!do_resolve_add_rule(compat_arch[0], line, compat_ctx[0], action)) if (!do_resolve_add_rule(compat_arch[0], line, compat_ctx[0], action))
goto bad_rule; goto bad_rule;
if (compat_arch[1] != SCMP_ARCH_NATIVE && if (compat_arch[1] != SCMP_ARCH_NATIVE &&
@ -631,9 +652,9 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
* The first line of the config file has a policy language version * The first line of the config file has a policy language version
* the second line has some directives * the second line has some directives
* then comes policy subject to the directives * then comes policy subject to the directives
* right now version must be '1' * right now version must be '1' or '2'
* the directives must include 'whitelist' (only type of policy currently * the directives must include 'whitelist'(version == 1 or 2) or 'blacklist'
* supported) and can include 'debug' (though debug is not yet supported). * (version == 2) and can include 'debug' (though debug is not yet supported).
*/ */
static int parse_config(FILE *f, struct lxc_conf *conf) static int parse_config(FILE *f, struct lxc_conf *conf)
{ {
@ -735,7 +756,7 @@ int lxc_read_seccomp_config(struct lxc_conf *conf)
check_seccomp_attr_set = seccomp_attr_set(SCMP_FLTATR_CTL_NNP, 0); check_seccomp_attr_set = seccomp_attr_set(SCMP_FLTATR_CTL_NNP, 0);
#endif #endif
if (check_seccomp_attr_set) { if (check_seccomp_attr_set) {
ERROR("Failed to turn off n-new-privs."); ERROR("Failed to turn off no-new-privs.");
return -1; return -1;
} }
#ifdef SCMP_FLTATR_ATL_TSKIP #ifdef SCMP_FLTATR_ATL_TSKIP