170 lines
5.1 KiB
Diff
170 lines
5.1 KiB
Diff
From 666174f112d1f6f765f6755e6f1ed4d3f8ca9055 Mon Sep 17 00:00:00 2001
|
|
From: tanyifeng <tanyifeng1@huawei.com>
|
|
Date: Thu, 17 Jan 2019 03:09:00 +0800
|
|
Subject: [PATCH 042/139] lxc: seccomp adopt to lxc3.0
|
|
|
|
Signed-off-by: LiFeng <lifeng68@huawei.com>
|
|
---
|
|
src/lxc/seccomp.c | 127 ++++++++++++++++++++++++++++--------------------------
|
|
1 file changed, 65 insertions(+), 62 deletions(-)
|
|
|
|
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
|
|
index 1e14be1..27bdc22 100644
|
|
--- a/src/lxc/seccomp.c
|
|
+++ b/src/lxc/seccomp.c
|
|
@@ -936,86 +936,89 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
|
|
SCMP_ARCH_NATIVE, line, rule.action,
|
|
get_action_name(rule.action));
|
|
|
|
- if (ctx.architectures[0] != SCMP_ARCH_NATIVE) {
|
|
- if (!do_resolve_add_rule(ctx.architectures[0], line,
|
|
- ctx.contexts[0], &rule))
|
|
- goto bad_rule;
|
|
-
|
|
- INFO("Added compat rule for arch %d for %s action %d(%s)",
|
|
- ctx.architectures[0], line, rule.action,
|
|
- get_action_name(rule.action));
|
|
- }
|
|
+ if (cur_rule_arch == lxc_seccomp_arch_all) {
|
|
+ if (ctx.architectures[0] != SCMP_ARCH_NATIVE) {
|
|
+ if (!do_resolve_add_rule(ctx.architectures[0], line,
|
|
+ ctx.contexts[0], &rule))
|
|
+ goto bad_rule;
|
|
+
|
|
+ INFO("Added compat rule for arch %d for %s action %d(%s)",
|
|
+ ctx.architectures[0], line, rule.action,
|
|
+ get_action_name(rule.action));
|
|
+ }
|
|
|
|
- if (ctx.architectures[1] != SCMP_ARCH_NATIVE) {
|
|
- if (!do_resolve_add_rule(ctx.architectures[1], line,
|
|
- ctx.contexts[1], &rule))
|
|
- goto bad_rule;
|
|
+ if (ctx.architectures[1] != SCMP_ARCH_NATIVE) {
|
|
+ if (!do_resolve_add_rule(ctx.architectures[1], line,
|
|
+ ctx.contexts[1], &rule))
|
|
+ goto bad_rule;
|
|
|
|
- INFO("Added compat rule for arch %d for %s action %d(%s)",
|
|
- ctx.architectures[1], line, rule.action,
|
|
- get_action_name(rule.action));
|
|
- }
|
|
+ INFO("Added compat rule for arch %d for %s action %d(%s)",
|
|
+ ctx.architectures[1], line, rule.action,
|
|
+ get_action_name(rule.action));
|
|
+ }
|
|
|
|
- if (ctx.architectures[2] != SCMP_ARCH_NATIVE) {
|
|
- if (!do_resolve_add_rule(ctx.architectures[2], line,
|
|
+ if (ctx.architectures[2] != SCMP_ARCH_NATIVE) {
|
|
+ if (!do_resolve_add_rule(ctx.architectures[2], line,
|
|
ctx.contexts[2], &rule))
|
|
- goto bad_rule;
|
|
+ goto bad_rule;
|
|
|
|
- INFO("Added native rule for arch %d for %s action %d(%s)",
|
|
- ctx.architectures[2], line, rule.action,
|
|
- get_action_name(rule.action));
|
|
+ INFO("Added native rule for arch %d for %s action %d(%s)",
|
|
+ ctx.architectures[2], line, rule.action,
|
|
+ get_action_name(rule.action));
|
|
+ }
|
|
}
|
|
}
|
|
|
|
- INFO("Merging compat seccomp contexts into main context");
|
|
- if (ctx.contexts[0]) {
|
|
- if (ctx.needs_merge[0]) {
|
|
- ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[0]);
|
|
- if (ret < 0) {
|
|
- ERROR("Failed to merge first compat seccomp "
|
|
+ if (cur_rule_arch == lxc_seccomp_arch_all) {
|
|
+ INFO("Merging compat seccomp contexts into main context");
|
|
+ if (ctx.contexts[0]) {
|
|
+ if (ctx.needs_merge[0]) {
|
|
+ ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[0]);
|
|
+ if (ret < 0) {
|
|
+ ERROR("Failed to merge first compat seccomp "
|
|
"context into main context");
|
|
- goto bad;
|
|
- }
|
|
+ goto bad;
|
|
+ }
|
|
|
|
- TRACE("Merged first compat seccomp context into main context");
|
|
- } else {
|
|
- seccomp_release(ctx.contexts[0]);
|
|
- ctx.contexts[0] = NULL;
|
|
+ TRACE("Merged first compat seccomp context into main context");
|
|
+ } else {
|
|
+ seccomp_release(ctx.contexts[0]);
|
|
+ ctx.contexts[0] = NULL;
|
|
+ }
|
|
}
|
|
- }
|
|
|
|
- if (ctx.contexts[1]) {
|
|
- if (ctx.needs_merge[1]) {
|
|
- ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[1]);
|
|
- if (ret < 0) {
|
|
- ERROR("Failed to merge first compat seccomp "
|
|
- "context into main context");
|
|
- goto bad;
|
|
- }
|
|
+ if (ctx.contexts[1]) {
|
|
+ if (ctx.needs_merge[1]) {
|
|
+ ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[1]);
|
|
+ if (ret < 0) {
|
|
+ ERROR("Failed to merge first compat seccomp "
|
|
+ "context into main context");
|
|
+ goto bad;
|
|
+ }
|
|
|
|
- TRACE("Merged second compat seccomp context into main context");
|
|
- } else {
|
|
- seccomp_release(ctx.contexts[1]);
|
|
- ctx.contexts[1] = NULL;
|
|
+ TRACE("Merged second compat seccomp context into main context");
|
|
+ } else {
|
|
+ seccomp_release(ctx.contexts[1]);
|
|
+ ctx.contexts[1] = NULL;
|
|
+ }
|
|
}
|
|
- }
|
|
|
|
- if (ctx.contexts[2]) {
|
|
- if (ctx.needs_merge[2]) {
|
|
- ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[2]);
|
|
- if (ret < 0) {
|
|
- ERROR("Failed to merge third compat seccomp "
|
|
- "context into main context");
|
|
- goto bad;
|
|
- }
|
|
+ if (ctx.contexts[2]) {
|
|
+ if (ctx.needs_merge[2]) {
|
|
+ ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[2]);
|
|
+ if (ret < 0) {
|
|
+ ERROR("Failed to merge third compat seccomp "
|
|
+ "context into main context");
|
|
+ goto bad;
|
|
+ }
|
|
|
|
- TRACE("Merged third compat seccomp context into main context");
|
|
- } else {
|
|
- seccomp_release(ctx.contexts[2]);
|
|
- ctx.contexts[2] = NULL;
|
|
+ TRACE("Merged third compat seccomp context into main context");
|
|
+ } else {
|
|
+ seccomp_release(ctx.contexts[2]);
|
|
+ ctx.contexts[2] = NULL;
|
|
+ }
|
|
}
|
|
}
|
|
-
|
|
free(line);
|
|
return 0;
|
|
|
|
--
|
|
1.8.3.1
|
|
|