~serge-hallyn/ubuntu/quantal/lxc/lxc-fixapi

Viewing changes to debian/patches/0097-seccomp

Committer: Package Import Robot
Author(s): Serge Hallyn, Stéphane Graber, Serge Hallyn
Date: 2012-08-08 10:43:06 UTC
Revision ID: package-import@ubuntu.com-20120808104306-2s7xdim4rvt0e2k6

Tags: 0.8.0~rc1-4ubuntu22

[ Stéphane Graber ]
* Fix call to echo in lxc-start-ephemeral that was literally showing
'$LXC_BASE' instead of the variable's value.

[ Serge Hallyn ]
* Introduce support for seccomp.

files added:
.pc/0097-seccomp

.pc/0097-seccomp/README

.pc/0097-seccomp/configure.ac

.pc/0097-seccomp/src

.pc/0097-seccomp/src/lxc

.pc/0097-seccomp/src/lxc/Makefile.am

.pc/0097-seccomp/src/lxc/conf.h

.pc/0097-seccomp/src/lxc/confile.c

.pc/0097-seccomp/src/lxc/lxc-clone.in

.pc/0097-seccomp/src/lxc/lxcseccomp.h

.pc/0097-seccomp/src/lxc/seccomp.c

.pc/0097-seccomp/src/lxc/start.c

debian/patches/0097-seccomp

src/lxc/lxcseccomp.h

src/lxc/seccomp.c

files modified:
.pc/applied-patches

README

configure.ac

debian/changelog

debian/local/lxc-start-ephemeral

debian/patches/series

src/lxc/Makefile.am

src/lxc/conf.h

src/lxc/confile.c

src/lxc/lxc-clone.in

src/lxc/start.c

Show diffs side-by-side

added added

removed removed

debian/patches/0097-seccomp

Index: lxc-0.8.0~rc1/configure.ac

===================================================================

--- lxc-0.8.0~rc1.orig/configure.ac 2012-07-27 04:47:14.000000000 +0000

+++ lxc-0.8.0~rc1/configure.ac 2012-07-27 04:50:32.321657349 +0000

@@ -18,6 +18,11 @@

AM_CONDITIONAL([ENABLE_RPATH], [test "x$enable_rpath" = "xyes"])

+AC_ARG_ENABLE([seccomp],

+ [AC_HELP_STRING([--enable-seccomp], [enable seccomp])],

+ [], [enable_seccomp=yes])

+AM_CONDITIONAL([ENABLE_SECCOMP], [test "x$enable_seccomp" = "xyes"])

AC_ARG_ENABLE([doc],

[AC_HELP_STRING([--enable-doc], [make mans (require docbook2man installed) [default=auto]])],

[], [enable_doc=auto])

@@ -29,6 +34,11 @@

AC_MSG_ERROR([docbook2man required by man request, but not found])

+AM_COND_IF([ENABLE_SECCOMP],

+ [AC_CHECK_HEADER([seccomp.h],[],[AC_MSG_ERROR([You must install the seccomp development package in order to compile lxc])])

+ AC_CHECK_LIB([seccomp], [seccomp_init],[],[AC_MSG_ERROR([You must install the seccomp development package in order to compile lxc])])

+ AC_SUBST([SECCOMP_LIBS], [-lseccomp])])

AM_CONDITIONAL([ENABLE_DOCBOOK], [test "x$have_docbook" = "xyes"])

AC_ARG_ENABLE([examples],

Index: lxc-0.8.0~rc1/src/lxc/Makefile.am

===================================================================

--- lxc-0.8.0~rc1.orig/src/lxc/Makefile.am 2012-07-27 04:47:14.000000000 +0000

+++ lxc-0.8.0~rc1/src/lxc/Makefile.am 2012-07-27 04:55:40.789650086 +0000

@@ -50,6 +50,7 @@

genl.c genl.h \

caps.c caps.h \

+ seccomp.c seccomp.h \

mainloop.c mainloop.h \

af_unix.c af_unix.h \

@@ -60,13 +61,17 @@

-DLXCPATH=\"$(LXCPATH)\" \

-DLXCINITDIR=\"$(LXCINITDIR)\"

+if ENABLE_SECCOMP

+AM_CFLAGS += -DHAVE_SECCOMP

+endif

liblxc_so_CFLAGS = -fPIC -DPIC $(AM_CFLAGS)

liblxc_so_LDFLAGS = \

-shared \

-Wl,-soname,liblxc.so.$(firstword $(subst ., ,$(VERSION)))

-liblxc_so_LDADD = -lutil $(CAP_LIBS) -lapparmor

+liblxc_so_LDADD = -lutil $(CAP_LIBS) -lapparmor -lseccomp

bin_SCRIPTS = \

lxc-ps \

@@ -105,7 +110,7 @@

if ENABLE_RPATH

AM_LDFLAGS += -Wl,-rpath -Wl,$(libdir)

endif

-LDADD=liblxc.so @CAP_LIBS@ -lapparmor

+LDADD=liblxc.so @CAP_LIBS@ -lapparmor -lseccomp

lxc_attach_SOURCES = lxc_attach.c

lxc_cgroup_SOURCES = lxc_cgroup.c

Index: lxc-0.8.0~rc1/src/lxc/conf.h

===================================================================

--- lxc-0.8.0~rc1.orig/src/lxc/conf.h 2012-07-27 04:47:14.000000000 +0000

+++ lxc-0.8.0~rc1/src/lxc/conf.h 2012-07-27 04:50:54.185650337 +0000

@@ -223,6 +223,7 @@

char *aa_profile;

int umount_proc;

struct lxc_list hooks[NUM_LXC_HOOKS];

+ char *seccomp; // filename with the seccomp rules

};

int run_lxc_hooks(const char *name, char *hook, struct lxc_conf *conf);

Index: lxc-0.8.0~rc1/src/lxc/confile.c

===================================================================

--- lxc-0.8.0~rc1.orig/src/lxc/confile.c 2012-07-27 04:47:14.000000000 +0000

+++ lxc-0.8.0~rc1/src/lxc/confile.c 2012-07-27 04:50:32.325656692 +0000

@@ -73,6 +73,7 @@

static int config_network_ipv6_gateway(const char *, char *, struct lxc_conf *);

static int config_cap_drop(const char *, char *, struct lxc_conf *);

static int config_console(const char *, char *, struct lxc_conf *);

+static int config_seccomp(const char *, char *, struct lxc_conf *);

typedef int (*config_cb)(const char *, char *, struct lxc_conf *);

@@ -114,6 +115,7 @@

{ "lxc.network.ipv6", config_network_ipv6 },

{ "lxc.cap.drop", config_cap_drop },

{ "lxc.console", config_console },

+ { "lxc.seccomp", config_seccomp },

};

100

static const size_t config_size = sizeof(config)/sizeof(struct config);

101

@@ -605,6 +607,26 @@

102

return 0;

103

}

104

105

+static int config_seccomp(const char *key, char *value,

106

+ struct lxc_conf *lxc_conf)

107

108

+ char *path;

109

110

+ if (lxc_conf->seccomp) {

111

+ ERROR("seccomp already defined");

112

+ return -1;

113

+ }

114

+ path = strdup(value);

115

+ if (!path) {

116

+ SYSERROR("failed to strdup '%s': %m", value);

117

+ return -1;

118

+ }

119

120

+ lxc_conf->seccomp = path;

121

122

+ return 0;

123

124

125

static int config_hook(const char *key, char *value,

126

struct lxc_conf *lxc_conf)

127

{

128

Index: lxc-0.8.0~rc1/src/lxc/lxc-clone.in

129

===================================================================

130

--- lxc-0.8.0~rc1.orig/src/lxc/lxc-clone.in 2012-07-27 04:47:14.000000000 +0000

131

+++ lxc-0.8.0~rc1/src/lxc/lxc-clone.in 2012-07-27 04:50:32.329656065 +0000

132

@@ -180,7 +180,7 @@

133

sed -i '/lxc.utsname/d' $lxc_path/$lxc_new/config

134

echo "lxc.utsname = $hostname" >> $lxc_path/$lxc_new/config

135

136

-grep "lxc.mount[ \t]" $lxc_path/$lxc_new/config >/dev/null 2>&1 && { sed -i '/lxc.mount[ \t]/d' $lxc_path/$lxc_new/config; echo "lxc.mount = $lxc_path/$lxc_new/fstab" >> $lxc_path/$lxc_new/config; }

137

+grep "lxc.mount =" $lxc_path/$lxc_new/config >/dev/null 2>&1 && { sed -i '/lxc.mount =/d' $lxc_path/$lxc_new/config; echo "lxc.mount = $lxc_path/$lxc_new/fstab" >> $lxc_path/$lxc_new/config; }

138

139

if [ -e $lxc_path/$lxc_orig/fstab ];then

140

cp $lxc_path/$lxc_orig/fstab $lxc_path/$lxc_new/fstab

141

Index: lxc-0.8.0~rc1/src/lxc/seccomp.c

142

===================================================================

143

--- /dev/null 1970-01-01 00:00:00.000000000 +0000

144

+++ lxc-0.8.0~rc1/src/lxc/seccomp.c 2012-07-27 20:37:50.856592211 +0000

145

@@ -0,0 +1,121 @@

146

+/*

147

+ * lxc: linux Container library

148

+ *

149

+ * (C) Copyright Canonical, Inc. 2012

150

+ *

151

+ * Authors:

152

+ * Serge Hallyn <serge.hallyn@canonical.com>

153

+ *

154

+ * This library is free software; you can redistribute it and/or

155

+ * modify it under the terms of the GNU Lesser General Public

156

+ * License as published by the Free Software Foundation; either

157

+ * version 2.1 of the License, or (at your option) any later version.

158

+ *

159

+ * This library is distributed in the hope that it will be useful,

160

+ * but WITHOUT ANY WARRANTY; without even the implied warranty of

161

+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

162

+ * Lesser General Public License for more details.

163

+ *

164

+ * You should have received a copy of the GNU Lesser General Public

165

+ * License along with this library; if not, write to the Free Software

166

+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

167

+ */

168

169

+#define _GNU_SOURCE

170

+#include <stdio.h>

171

+#include <stdlib.h>

172

+#include <seccomp.h>

173

+#include <errno.h>

174

+#include <seccomp.h>

175

+#include "lxcseccomp.h"

176

177

+#include "log.h"

178

179

+lxc_log_define(lxc_seccomp, lxc);

180

181

+/*

182

+ * The first line of the config file has a policy language version

183

+ * the second line has some directives

184

+ * then comes policy subject to the directives

185

+ * right now version must be '1'

186

+ * the directives must include 'whitelist' (only type of policy currently

187

+ * supported) and can include 'debug' (though debug is not yet supported).

188

+ */

189

+static int parse_config(FILE *f, struct lxc_conf *conf)

190

191

+ char line[1024];

192

+ int ret, version;

193

194

+ ret = fscanf(f, "%d\n", &version);

195

+ if (ret != 1 || version != 1) {

196

+ ERROR("invalid version");

197

+ return -1;

198

+ }

199

+ if (!fgets(line, 1024, f)) {

200

+ ERROR("invalid config file");

201

+ return -1;

202

+ }

203

+ if (!strstr(line, "whitelist")) {

204

+ ERROR("only whitelist policy is supported");

205

+ return -1;

206

+ }

207

+ if (strstr(line, "debug")) {

208

+ ERROR("debug not yet implemented");

209

+ return -1;

210

+ }

211

+ /* now read in the whitelist entries one per line */

212

+ while (fgets(line, 1024, f)) {

213

+ int nr;

214

+ ret = sscanf(line, "%d", &nr);

215

+ if (ret != 1)

216

+ return -1;

217

+ ret = seccomp_rule_add(SCMP_ACT_ALLOW, nr, 0);

218

+ if (ret < 0) {

219

+ ERROR("failed loading allow rule for %d\n", nr);

220

+ return ret;

221

+ }

222

+ }

223

+ return 0;

224

225

226

+int lxc_read_seccomp_config(struct lxc_conf *conf)

227

228

+ FILE *f;

229

+ int ret;

230

231

+ if (seccomp_init(SCMP_ACT_ERRNO(31)) < 0) { /* for debug, pass in SCMP_ACT_TRAP */

232

+ ERROR("failed initializing seccomp");

233

+ return -1;

234

+ }

235

+ if (!conf->seccomp)

236

+ return 0;

237

238

+ /* turn of no-new-privs. We don't want it in lxc, and it breaks

239

+ * with apparmor */

240

+ if (seccomp_attr_set(SCMP_FLTATR_CTL_NNP, 0)) {

241

+ ERROR("failed to turn off n-new-privs\n");

242

+ return -1;

243

+ }

244

245

+ f = fopen(conf->seccomp, "r");

246

+ if (!f) {

247

+ SYSERROR("failed to open seccomp policy file %s\n", conf->seccomp);

248

+ return -1;

249

+ }

250

+ ret = parse_config(f, conf);

251

+ fclose(f);

252

+ return ret;

253

254

255

+int lxc_seccomp_load(struct lxc_conf *conf)

256

257

+ int ret;

258

+ if (!conf->seccomp)

259

+ return 0;

260

+ ret = seccomp_load();

261

+ if (ret < 0) {

262

+ ERROR("Error loading the seccomp policy");

263

+ return -1;

264

+ }

265

+ return 0;

266

267

Index: lxc-0.8.0~rc1/src/lxc/start.c

268

===================================================================

269

--- lxc-0.8.0~rc1.orig/src/lxc/start.c 2012-07-27 04:47:14.000000000 +0000

270

+++ lxc-0.8.0~rc1/src/lxc/start.c 2012-07-27 04:50:32.329656065 +0000

271

@@ -354,6 +354,11 @@

272

goto out_free;

273

}

274

275

+ if (lxc_read_seccomp_config(conf) != 0) {

276

+ ERROR("failed loading seccomp policy");

277

+ goto out_free_name;

278

+ }

279

280

/* Begin the set the state to STARTING*/

281

if (lxc_set_state(name, handler, STARTING)) {

282

ERROR("failed to set state '%s'", lxc_state2str(STARTING));

283

@@ -587,6 +592,9 @@

284

if (apparmor_load(handler) < 0)

285

goto out_warn_father;

286

287

+ if (lxc_seccomp_load(handler->conf) != 0)

288

+ goto out_warn_father;

289

290

close(handler->sigfd);

291

292

HOOK(handler->name, "start", handler->conf);

293

Index: lxc-0.8.0~rc1/src/lxc/lxcseccomp.h

294

===================================================================

295

--- /dev/null 1970-01-01 00:00:00.000000000 +0000

296

+++ lxc-0.8.0~rc1/src/lxc/lxcseccomp.h 2012-07-27 04:57:34.661646994 +0000

297

@@ -0,0 +1,41 @@

298

+/*

299

+ * lxc: linux Container library

300

+ *

301

302

+ *

303

+ * Authors:

304

+ * Serge Hallyn <serge.hallyn@canonical.com>

305

+ *

306

+ * This library is free software; you can redistribute it and/or

307

+ * modify it under the terms of the GNU Lesser General Public

308

+ * License as published by the Free Software Foundation; either

309

+ * version 2.1 of the License, or (at your option) any later version.

310

+ *

311

+ * This library is distributed in the hope that it will be useful,

312

+ * but WITHOUT ANY WARRANTY; without even the implied warranty of

313

+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

314

+ * Lesser General Public License for more details.

315

+ *

316

+ * You should have received a copy of the GNU Lesser General Public

317

+ * License along with this library; if not, write to the Free Software

318

+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

319

+ */

320

321

+#ifndef _lxc_seccomp_h

322

323

+#include "conf.h"

324

325

+#ifdef HAVE_SECCOMP

326

+int lxc_seccomp_load(struct lxc_conf *conf);

327

+int lxc_read_seccomp_config(struct lxc_conf *conf);

328

+#else

329

+static inline int lxc_seccomp_load(struct lxc_conf *conf) {

330

+ return 0;

331

332

333

+static inline int lxc_read_seccomp_config(struct lxc_conf *conf) {

334

+ return 0;

335

336

+#endif

337

338

+#endif

339

Index: lxc-0.8.0~rc1/README

340

===================================================================

341

--- lxc-0.8.0~rc1.orig/README 2011-10-25 12:02:11.000000000 +0000

342

+++ lxc-0.8.0~rc1/README 2012-07-27 20:49:05.850603933 +0000

343

@@ -52,3 +52,27 @@

344

345

AUTHOR

346

Daniel Lezcano <daniel.lezcano@free.fr>

347

348

+Seccomp with LXC

349

+----------------

350

351

+To restrict a container with seccomp, you must specify a profile which is

352

+basically a whitelist of system calls it may execute. In the container

353

+config file, add a line like

354

355

+lxc.seccomp = /var/lib/lxc/q1/seccomp.full

356

357

+I created a usable (but basically worthless) seccomp.full file using

358

359

+cat > seccomp.full << EOF

360

361

+whitelist

362

+EOF

363

+for i in `seq 0 300`; do

364

+ echo $i >> secomp.full

365

+done

366

+for i in `seq 1024 1079`; do

367

+ echo $i >> seccomp.full

368

+done

369

370

+ -- Serge Hallyn <serge.hallyn@ubuntu.com> Fri, 27 Jul 2012 15:47:02 +0600

Older »