mir/lxc
2
0
Fork 0
mirror of git://github.com/lxc/lxc synced 2025-08-31 15:47:54 +00:00
Code Issues Releases Wiki Activity

Merge pull request #600 from Blub/wbumiller/seccomp

Browse Source 
seccomp: simplify and fix rule parsing
This commit is contained in:
Serge Hallyn
2015-07-28 21:37:14 -05:00
parent f5fd66f70a d6417887b9
commit e88ba17e63
1 changed files with 16 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
src/lxc/seccomp.c
View File

@@ -259,6 +259,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
uint32_t default_policy_action = -1, default_rule_action = -1, action;
enum lxc_hostarch_t native_arch = get_hostarch(),
cur_rule_arch = native_arch;
uint32_t compat_arch = SCMP_ARCH_NATIVE;
if (strncmp(line, "blacklist", 9) == 0)
blacklist = true;
@@ -288,6 +289,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
if (native_arch == lxc_seccomp_arch_amd64) {
cur_rule_arch = lxc_seccomp_arch_all;
compat_arch = SCMP_ARCH_X86;
compat_ctx = get_new_ctx(lxc_seccomp_arch_i386,
default_policy_action);
if (!compat_ctx)
@@ -324,14 +326,6 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
continue;
}
cur_rule_arch = lxc_seccomp_arch_i386;
if (native_arch == lxc_seccomp_arch_amd64) {
if (compat_ctx)
continue;
compat_ctx = get_new_ctx(lxc_seccomp_arch_i386,
default_policy_action);
if (!compat_ctx)
goto bad;
}
} else if (strcmp(line, "[X86_64]") == 0 ||
strcmp(line, "[x86_64]") == 0) {
if (native_arch != lxc_seccomp_arch_amd64) {
@@ -342,14 +336,6 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
} else if (strcmp(line, "[all]") == 0 ||
strcmp(line, "[ALL]") == 0) {
cur_rule_arch = lxc_seccomp_arch_all;
if (native_arch == lxc_seccomp_arch_amd64 && !compat_ctx) {
if (compat_ctx)
continue;
compat_ctx = get_new_ctx(lxc_seccomp_arch_i386,
default_policy_action);
if (!compat_ctx)
goto bad;
}
}
#ifdef SCMP_ARCH_ARM
else if (strcmp(line, "[arm]") == 0 ||
@@ -408,41 +394,24 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
goto bad_rule;
}
/*
* TODO generalize - if !is_compat_only(native_arch, cur_rule_arch)
*
* in other words, the rule is 32-bit only, on 64-bit host; don't run
* the rule against the native arch.
*/
if (!(cur_rule_arch == lxc_seccomp_arch_i386 &&
native_arch == lxc_seccomp_arch_amd64)) {
INFO("Adding non-compat rule for %s action %d", line, action);
if (cur_rule_arch == native_arch ||
cur_rule_arch == lxc_seccomp_arch_native ||
compat_arch == SCMP_ARCH_NATIVE) {
INFO("Adding native rule for %s action %d", line, action);
if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, action))
goto bad_rule;
}
/*
* TODO generalize - if need_compat(native_arch, cur_rule_arch)
*/
if (native_arch == lxc_seccomp_arch_amd64 &&
cur_rule_arch != lxc_seccomp_arch_amd64) {
int nr1, nr2;
else if (cur_rule_arch != lxc_seccomp_arch_all) {
INFO("Adding compat-only rule for %s action %d", line, action);
if (!do_resolve_add_rule(compat_arch, line, compat_ctx, action))
goto bad_rule;
}
else {
INFO("Adding native rule for %s action %d", line, action);
if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, action))
goto bad_rule;
INFO("Adding compat rule for %s action %d", line, action);
nr1 = seccomp_syscall_resolve_name_arch(SCMP_ARCH_X86, line);
nr2 = seccomp_syscall_resolve_name_arch(SCMP_ARCH_NATIVE, line);
if (nr1 == nr2) {
/* If the syscall # is the same for 32- and 64-bit, then we cannot
* apply it to the compat_ctx. So apply it to the noncompat ctx.
* We may already have done so, but that's ok
*/
INFO("Adding non-compat rule bc nr1 == nr2 (%d, %d)", nr1, nr2);
if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, action))
goto bad_rule;
continue;
}
INFO("Really adding compat rule bc nr1 == nr2 (%d, %d)", nr1, nr2);
if (!do_resolve_add_rule(SCMP_ARCH_X86, line,
compat_ctx, action))
if (!do_resolve_add_rule(compat_arch, line, compat_ctx, action))
goto bad_rule;
}
}