* [meta-virtualization][master][PATCH] lxc: Enable seccomp support for lxc
@ 2021-09-03  5:47 sana kazi
  2021-09-03 12:34 ` Bruce Ashfield
  0 siblings, 1 reply; 2+ messages in thread
From: sana kazi @ 2021-09-03  5:47 UTC (permalink / raw)
  To: meta-virtualization; +Cc: nishaparrakat, purushottamchoudhary29

Enabled seccomp support for lxc.
Also added a patch to enable seccomp.profile only when compiled with
libseccomp. Currently, seccomp.profile is silently ignored. This
could lead to the false impression that the seccomp filter is
applied while it actually isn't.

Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
---
 ...omp_profile_when_compiled_libseccomp.patch | 46 +++++++++++++++++++
 recipes-containers/lxc/lxc_4.0.9.bb           |  3 +-
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch

diff --git a/recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch b/recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch
new file mode 100644
index 0000000..f0a5813
--- /dev/null
+++ b/recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch
@@ -0,0 +1,46 @@
+From 3d46e1d1f8e904fddd4fab3e8d0c6cf57d2ddd4e Mon Sep 17 00:00:00 2001
+From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
+Date: Mon, 23 Aug 2021 22:04:40 +0200
+Subject: [PATCH] config: enable seccomp profile only when compiled with
+ libseccomp
+
+Make lxc fail if seccomp.profile is specified but lxc is compiled
+without seccomp support. Currently, seccomp.profile is silently ignored
+if is specified in such a scenario. This could lead to the false
+impression that the seccomp filter is applied while it actually isn't.
+
+Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
+---
+ src/lxc/confile.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+Upstream-Status: Submitted [https://github.com/lxc/lxc/pull/3947/commits/3d46e1d1f8e904fddd4fab3e8d0c6cf57d2ddd4e]
+
+diff --git a/src/lxc/confile.c b/src/lxc/confile.c
+index d8b96c6921..1cc8da15f1 100644
+--- a/src/lxc/confile.c
++++ b/src/lxc/confile.c
+@@ -1211,7 +1211,11 @@ static int set_config_seccomp_notify_proxy(const char *key, const char *value,
+ static int set_config_seccomp_profile(const char *key, const char *value,
+ 				      struct lxc_conf *lxc_conf, void *data)
+ {
++#ifdef HAVE_SECCOMP
+ 	return set_config_path_item(&lxc_conf->seccomp.seccomp, value);
++#else
++	return ret_set_errno(-1, ENOSYS);
++#endif
+ }
+ 
+ static int set_config_execute_cmd(const char *key, const char *value,
+@@ -4383,7 +4387,11 @@ static int get_config_seccomp_notify_proxy(const char *key, char *retv, int inle
+ static int get_config_seccomp_profile(const char *key, char *retv, int inlen,
+ 				      struct lxc_conf *c, void *data)
+ {
++#ifdef HAVE_SECCOMP
+ 	return lxc_get_conf_str(retv, inlen, c->seccomp.seccomp);
++#else
++	return ret_errno(ENOSYS);
++#endif
+ }
+ 
+ static int get_config_autodev(const char *key, char *retv, int inlen,
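Review bot: the embedded patch turns a previously ignored `lxc.seccomp.profile` into a hard config error on builds without libseccomp, which is the intended fix but is a user-visible behaviour change that this recipe's commit message should spell out: any container config carrying `lxc.seccomp.profile` will now fail to load on a build whose PACKAGECONFIG drops `seccomp`. The two `#else` branches also return through different helpers, `ret_set_errno(-1, ENOSYS)` in the setter and `ret_errno(ENOSYS)` in the getter; confirm each matches what its respective callers in confile.c test for. Minor: the embedded commit text reads "if is specified" (missing "it"), worth fixing since this file is also what was submitted upstream.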
diff --git a/recipes-containers/lxc/lxc_4.0.9.bb b/recipes-containers/lxc/lxc_4.0.9.bb
index 0ef81a5..1fd3ea5 100644
--- a/recipes-containers/lxc/lxc_4.0.9.bb
+++ b/recipes-containers/lxc/lxc_4.0.9.bb
@@ -49,6 +49,7 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}/${BPN}-${PV}.tar.gz \
 	file://tests-add-no-validate-when-using-download-template.patch \
 	file://dnsmasq.conf \
 	file://lxc-net \
+        file://enable_seccomp_profile_when_compiled_libseccomp.patch \
 	"
 
 SRC_URI[md5sum] = "365fcca985038910e19a1e0fff15ed07"
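Review bot: the added `file://enable_seccomp_profile_when_compiled_libseccomp.patch \` line is indented with spaces while the neighbouring SRC_URI entries (and the closing `"`) use a tab; match the existing tab indentation so the list stays uniform.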
@@ -69,7 +70,7 @@ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
 
 EXTRA_OECONF += "--enable-log-src-basename --disable-werror"
 
-PACKAGECONFIG ??= "templates \
+PACKAGECONFIG ??= "templates seccomp \
     ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)} \
     ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)} \
 "
-- 
2.17.1



* Re: [meta-virtualization][master][PATCH] lxc: Enable seccomp support for lxc
  2021-09-03  5:47 [meta-virtualization][master][PATCH] lxc: Enable seccomp support for lxc sana kazi
@ 2021-09-03 12:34 ` Bruce Ashfield
  0 siblings, 0 replies; 2+ messages in thread
From: Bruce Ashfield @ 2021-09-03 12:34 UTC (permalink / raw)
  To: sana kazi; +Cc: meta-virtualization, nishaparrakat, purushottamchoudhary29

On Fri, Sep 3, 2021 at 1:47 AM sana kazi <sanakazisk19@gmail.com> wrote:
>
> Enabled seccomp support for lxc.
> Also added a patch to enable seccomp.profile only when compiled with
> libseccomp. Currently, seccomp.profile is silently ignored. This
> could lead to the false impression that the seccomp filter is
> applied while it actually isn't.
>
> Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
> ---
>  ...omp_profile_when_compiled_libseccomp.patch | 46 +++++++++++++++++++
>  recipes-containers/lxc/lxc_4.0.9.bb           |  3 +-
>  2 files changed, 48 insertions(+), 1 deletion(-)
>  create mode 100644 recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch
>
> diff --git a/recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch b/recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch
> new file mode 100644
> index 0000000..f0a5813
> --- /dev/null
> +++ b/recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch
> @@ -0,0 +1,46 @@
> +From 3d46e1d1f8e904fddd4fab3e8d0c6cf57d2ddd4e Mon Sep 17 00:00:00 2001
> +From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
> +Date: Mon, 23 Aug 2021 22:04:40 +0200
> +Subject: [PATCH] config: enable seccomp profile only when compiled with
> + libseccomp
> +
> +Make lxc fail if seccomp.profile is specified but lxc is compiled
> +without seccomp support. Currently, seccomp.profile is silently ignored
> +if is specified in such a scenario. This could lead to the false
> +impression that the seccomp filter is applied while it actually isn't.
> +
> +Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
> +---
> + src/lxc/confile.c | 8 ++++++++
> + 1 file changed, 8 insertions(+)
> +
> +Upstream-Status: Submitted [https://github.com/lxc/lxc/pull/3947/commits/3d46e1d1f8e904fddd4fab3e8d0c6cf57d2ddd4e]
> +
> +diff --git a/src/lxc/confile.c b/src/lxc/confile.c
> +index d8b96c6921..1cc8da15f1 100644
> +--- a/src/lxc/confile.c
> ++++ b/src/lxc/confile.c
> +@@ -1211,7 +1211,11 @@ static int set_config_seccomp_notify_proxy(const char *key, const char *value,
> + static int set_config_seccomp_profile(const char *key, const char *value,
> +                                     struct lxc_conf *lxc_conf, void *data)
> + {
> ++#ifdef HAVE_SECCOMP
> +       return set_config_path_item(&lxc_conf->seccomp.seccomp, value);
> ++#else
> ++      return ret_set_errno(-1, ENOSYS);
> ++#endif
> + }
> +
> + static int set_config_execute_cmd(const char *key, const char *value,
> +@@ -4383,7 +4387,11 @@ static int get_config_seccomp_notify_proxy(const char *key, char *retv, int inle
> + static int get_config_seccomp_profile(const char *key, char *retv, int inlen,
> +                                     struct lxc_conf *c, void *data)
> + {
> ++#ifdef HAVE_SECCOMP
> +       return lxc_get_conf_str(retv, inlen, c->seccomp.seccomp);
> ++#else
> ++      return ret_errno(ENOSYS);
> ++#endif
> + }
> +
> + static int get_config_autodev(const char *key, char *retv, int inlen,
> diff --git a/recipes-containers/lxc/lxc_4.0.9.bb b/recipes-containers/lxc/lxc_4.0.9.bb
> index 0ef81a5..1fd3ea5 100644
> --- a/recipes-containers/lxc/lxc_4.0.9.bb
> +++ b/recipes-containers/lxc/lxc_4.0.9.bb
> @@ -49,6 +49,7 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}/${BPN}-${PV}.tar.gz \
>         file://tests-add-no-validate-when-using-download-template.patch \
>         file://dnsmasq.conf \
>         file://lxc-net \
> +        file://enable_seccomp_profile_when_compiled_libseccomp.patch \
>         "
>
>  SRC_URI[md5sum] = "365fcca985038910e19a1e0fff15ed07"
> @@ -69,7 +70,7 @@ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
>
>  EXTRA_OECONF += "--enable-log-src-basename --disable-werror"
>
> -PACKAGECONFIG ??= "templates \
> +PACKAGECONFIG ??= "templates seccomp \

This should be checking for seccomp in DISTRO_FEATURES, just like
systemd and selinux (and we already have other parts of meta-virt
checking for seccomp in distro_features, so this would keep lxc
consistent).

Bruce

>      ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)} \
>      ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)} \
>  "
> --
> 2.17.1
>
>
> 
>


-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

