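/*
 * Initialise the container's seccomp filter context and parse the policy
 * file named by conf->seccomp into it.
 *
 * The filter is created with SCMP_ACT_KILL as its default action, so any
 * syscall the policy does not explicitly permit terminates the offending
 * task rather than failing softly.  The filter is only built here; it is
 * installed into the kernel by lxc_seccomp_load().
 *
 * Returns 0 when no policy is configured, when seccomp is not in use, or
 * when the policy parsed cleanly; -1 on any failure (already logged).
 * On failure conf->seccomp_ctx is not released here.
 */
int lxc_read_seccomp_config(struct lxc_conf *conf)
{
	FILE *f;
	int ret;
	int check_seccomp_attr_set;

	/* No policy file or no seccomp support: nothing to do. */
	if (!conf->seccomp)
		return 0;

	if (!use_seccomp())
		return 0;

#if HAVE_SCMP_FILTER_CTX
	/* XXX for debug, pass in SCMP_ACT_TRAP */
	conf->seccomp_ctx = seccomp_init(SCMP_ACT_KILL);
	ret = !conf->seccomp_ctx;
#else
	/* libseccomp v1 API: a single implicit, process-global filter. */
	ret = seccomp_init(SCMP_ACT_KILL) < 0;
#endif
	if (ret) {
		ERROR("Failed initializing seccomp.");
		return -1;
	}

	/* turn off no-new-privs. We don't want it in lxc, and it breaks
	 * with apparmor.  Without NNP the filter is installed on the
	 * strength of the caller's privileges alone, so this must only
	 * run in the privileged container-setup path. */
#if HAVE_SCMP_FILTER_CTX
	check_seccomp_attr_set = seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0);
#else
	check_seccomp_attr_set = seccomp_attr_set(SCMP_FLTATR_CTL_NNP, 0);
#endif
	if (check_seccomp_attr_set) {
		/* Message previously read "n-new-privs"; fixed to match the attribute. */
		ERROR("Failed to turn off no-new-privs.");
		return -1;
	}

#ifdef SCMP_FLTATR_ATL_TSKIP
	/* Best effort: this attribute is optional in libseccomp, so a
	 * failure here only degrades tracer-friendliness of the filter,
	 * not its enforcement; warn and carry on. */
	if (seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_ATL_TSKIP, 1)) {
		WARN("Failed to turn on seccomp nop-skip, continuing");
	}
#endif

	f = fopen(conf->seccomp, "r");
	if (!f) {
		SYSERROR("Failed to open seccomp policy file %s.", conf->seccomp);
		return -1;
	}

	/* parse_config() owns the interpretation of the policy text; the
	 * stream is read-only so fclose() cannot lose buffered data. */
	ret = parse_config(f, conf);
	fclose(f);
	return ret;
}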
/*
 * Install the seccomp filter prepared by lxc_read_seccomp_config() into
 * the kernel for the calling task.
 *
 * Returns 0 if there is no policy to load, if seccomp is not in use, or
 * if the filter was installed; -1 if libseccomp reported a failure.
 */
int lxc_seccomp_load(struct lxc_conf *conf)
{
	int rc;

	/* Nothing configured, or the kernel cannot enforce it. */
	if (conf->seccomp == NULL || !use_seccomp())
		return 0;

#if HAVE_SCMP_FILTER_CTX
	rc = seccomp_load(conf->seccomp_ctx);
#else
	/* libseccomp v1 API: loads the implicit process-global filter. */
	rc = seccomp_load();
#endif
	if (rc < 0) {
		ERROR("Error loading the seccomp policy");
		return -1;
	}

	return 0;
}
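/*
 * Initialise the container's seccomp filter context and parse the policy
 * file named by conf->seccomp into it.
 *
 * The filter defaults to SCMP_ACT_KILL, so every syscall the policy does
 * not explicitly allow terminates the offending task.  Installation into
 * the kernel happens separately in lxc_seccomp_load().
 *
 * Returns 0 when no policy is configured, when seccomp is not in use, or
 * when the policy parsed cleanly; -1 on any failure (already logged).
 * On failure conf->seccomp_ctx is not released here.
 */
int lxc_read_seccomp_config(struct lxc_conf *conf)
{
	FILE *f;
	int ret;

	/* No policy file or no seccomp support: nothing to do. */
	if (!conf->seccomp)
		return 0;

	if (!use_seccomp())
		return 0;

#if HAVE_SCMP_FILTER_CTX
	/* XXX for debug, pass in SCMP_ACT_TRAP */
	conf->seccomp_ctx = seccomp_init(SCMP_ACT_KILL);
	ret = !conf->seccomp_ctx;
#else
	/* libseccomp v1 API: a single implicit, process-global filter. */
	ret = seccomp_init(SCMP_ACT_KILL) < 0;
#endif
	if (ret) {
		ERROR("failed initializing seccomp");
		return -1;
	}

	/* turn off no-new-privs. We don't want it in lxc, and it breaks
	 * with apparmor.
	 *
	 * The preprocessor conditional is kept outside the argument list:
	 * directives inside a function-like macro's arguments are undefined
	 * behaviour, and this stays safe should seccomp_attr_set() ever be
	 * provided as a macro. */
#if HAVE_SCMP_FILTER_CTX
	ret = seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0);
#else
	ret = seccomp_attr_set(SCMP_FLTATR_CTL_NNP, 0);
#endif
	if (ret) {
		/* Message previously read "n-new-privs"; fixed to match the attribute. */
		ERROR("failed to turn off no-new-privs");
		return -1;
	}

	f = fopen(conf->seccomp, "r");
	if (!f) {
		SYSERROR("failed to open seccomp policy file %s", conf->seccomp);
		return -1;
	}

	/* Read-only stream, so fclose() cannot lose buffered writes. */
	ret = parse_config(f, conf);
	fclose(f);
	return ret;
}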