*/
static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
{
- char *p;
int ret;
+ char *p;
+ enum lxc_hostarch_t cur_rule_arch, native_arch;
+ size_t line_bufsz = 0;
bool blacklist = false;
+ char *rule_line = NULL;
uint32_t default_policy_action = -1, default_rule_action = -1;
- enum lxc_hostarch_t native_arch = get_hostarch(),
- cur_rule_arch = native_arch;
struct seccomp_v2_rule rule;
struct scmp_ctx_info {
uint32_t architectures[3];
if (strncmp(line, "blacklist", 9) == 0)
blacklist = true;
else if (strncmp(line, "whitelist", 9) != 0) {
- ERROR("Bad seccomp policy style: %s", line);
+ ERROR("Bad seccomp policy style \"%s\"", line);
return -1;
}
- if ((p = strchr(line, ' '))) {
+ p = strchr(line, ' ');
+ if (p) {
default_policy_action = get_v2_default_action(p + 1);
if (default_policy_action == -2)
return -1;
if (blacklist) {
if (default_policy_action == -1)
default_policy_action = SCMP_ACT_ALLOW;
+
if (default_rule_action == -1)
default_rule_action = SCMP_ACT_KILL;
} else {
if (default_policy_action == -1)
default_policy_action = SCMP_ACT_KILL;
+
if (default_rule_action == -1)
default_rule_action = SCMP_ACT_ALLOW;
}
ctx.architectures[0] = SCMP_ARCH_NATIVE;
ctx.architectures[1] = SCMP_ARCH_NATIVE;
ctx.architectures[2] = SCMP_ARCH_NATIVE;
+ native_arch = get_hostarch();
+ cur_rule_arch = native_arch;
if (native_arch == lxc_seccomp_arch_amd64) {
cur_rule_arch = lxc_seccomp_arch_all;
cur_rule_arch = lxc_seccomp_arch_all;
ctx.architectures[0] = SCMP_ARCH_ARM;
- ctx.contexts[0] =
- get_new_ctx(lxc_seccomp_arch_arm, default_policy_action,
- &ctx.needs_merge[0]);
+ ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_arm,
+ default_policy_action,
+ &ctx.needs_merge[0]);
if (!ctx.contexts[0])
goto bad;
#ifdef SCMP_ARCH_AARCH64
ctx.architectures[2] = SCMP_ARCH_AARCH64;
- ctx.contexts[2] =
- get_new_ctx(lxc_seccomp_arch_arm64, default_policy_action,
- &ctx.needs_merge[2]);
+ ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_arm64,
+ default_policy_action,
+ &ctx.needs_merge[2]);
if (!ctx.contexts[2])
goto bad;
#endif
ERROR("Error re-initializing Seccomp");
return -1;
}
- if (seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0)) {
- ERROR("Failed to turn off no-new-privs");
+
+ ret = seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0);
+ if (ret < 0) {
+ ERROR("%s - Failed to turn off no-new-privs", strerror(-ret));
return -1;
}
+
#ifdef SCMP_FLTATR_ATL_TSKIP
- if (seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_ATL_TSKIP, 1)) {
- WARN("Failed to turn on seccomp nop-skip, continuing");
- }
+ ret = seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_ATL_TSKIP, 1);
+ if (ret < 0)
+ WARN("%s - Failed to turn on seccomp nop-skip, continuing", strerror(-ret));
#endif
}
- while (fgets(line, 1024, f)) {
-
+ while (getline(&rule_line, &line_bufsz, f) != -1) {
if (line[0] == '#')
continue;
- if (strlen(line) == 0)
+
+ if (line[0] == '\0')
continue;
+
remove_trailing_newlines(line);
- INFO("processing: .%s", line);
+
+ INFO("Processing \"%s\"", line);
if (line[0] == '[') {
/* Read the architecture for next set of rules. */
if (strcmp(line, "[x86]") == 0 ||
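Review bot: The new loop `while (getline(&rule_line, &line_bufsz, f) != -1)` reads each rule into `rule_line`, but every use in the body — `line[0] == '#'`, `line[0] == '\0'`, `remove_trailing_newlines(line)`, the `INFO("Processing \"%s\"", line)` and the `[arch]`/rule handling that follows — still reads `line`, the policy-style header handed in by the caller. As far as the hunk shows, the freshly read rule text is never examined, so the header is re-parsed on every iteration and the rules in the file never reach the filter; a seccomp policy that silently drops its rules enforces less than the operator configured. Either keep reading into the caller's buffer or make the body operate on the new one, e.g. `line = rule_line;` as the first statement of the loop body, which leaves the rest of the function untouched. `line` is a plain `char *` parameter so the assignment is legal, but a short comment that `line` now aliases the heap buffer owned (and freed) via `rule_line` would help the next reader. parse_config_v2 begins and ends outside this hunk.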
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_i386;
} else if (strcmp(line, "[x32]") == 0 ||
strcmp(line, "[X32]") == 0) {
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_x32;
} else if (strcmp(line, "[X86_64]") == 0 ||
strcmp(line, "[x86_64]") == 0) {
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_amd64;
} else if (strcmp(line, "[all]") == 0 ||
strcmp(line, "[ALL]") == 0) {
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_arm;
}
#endif
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_arm64;
}
#endif
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_ppc64le;
}
#endif
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_ppc64;
}
#endif
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_ppc;
}
#endif
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_mips64;
} else if (strcmp(line, "[mips64n32]") == 0 ||
strcmp(line, "[MIPS64N32]") == 0) {
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_mips64n32;
} else if (strcmp(line, "[mips]") == 0 ||
strcmp(line, "[MIPS]") == 0) {
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_mips;
} else if (strcmp(line, "[mipsel64]") == 0 ||
strcmp(line, "[MIPSEL64]") == 0) {
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_mipsel64;
} else if (strcmp(line, "[mipsel64n32]") == 0 ||
strcmp(line, "[MIPSEL64N32]") == 0) {
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_mipsel64n32;
} else if (strcmp(line, "[mipsel]") == 0 ||
strcmp(line, "[MIPSEL]") == 0) {
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_mipsel;
}
#endif
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
+
cur_rule_arch = lxc_seccomp_arch_s390x;
- }
#endif
- else
+ } else {
goto bad_arch;
+ }
continue;
}
if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line,
conf->seccomp_ctx, &rule))
goto bad_rule;
+
INFO("Added native rule for arch %d for %s action %d(%s)",
SCMP_ARCH_NATIVE, line, rule.action,
get_action_name(rule.action));
if (!do_resolve_add_rule(ctx.architectures[0], line,
ctx.contexts[0], &rule))
goto bad_rule;
+
INFO("Added compat rule for arch %d for %s action %d(%s)",
ctx.architectures[0], line, rule.action,
get_action_name(rule.action));
if (!do_resolve_add_rule(ctx.architectures[1], line,
ctx.contexts[1], &rule))
goto bad_rule;
+
INFO("Added compat rule for arch %d for %s action %d(%s)",
ctx.architectures[1], line, rule.action,
get_action_name(rule.action));
if (!do_resolve_add_rule(ctx.architectures[2], line,
ctx.contexts[2], &rule))
goto bad_rule;
+
INFO("Added native rule for arch %d for %s action %d(%s)",
ctx.architectures[2], line, rule.action,
get_action_name(rule.action));
"context into main context");
goto bad;
}
+
TRACE("Merged first compat seccomp context into main context");
} else {
seccomp_release(ctx.contexts[0]);
"context into main context");
goto bad;
}
+
TRACE("Merged second compat seccomp context into main context");
} else {
seccomp_release(ctx.contexts[1]);
"context into main context");
goto bad;
}
+
TRACE("Merged third compat seccomp context into main context");
} else {
seccomp_release(ctx.contexts[2]);
}
}
+ free(rule_line);
return 0;
bad_arch:
- ERROR("Unsupported arch: %s.", line);
+ ERROR("Unsupported architecture \"%s\"", line);
+
bad_rule:
bad:
if (ctx.contexts[0])
seccomp_release(ctx.contexts[0]);
+
if (ctx.contexts[1])
seccomp_release(ctx.contexts[1]);
+
if (ctx.contexts[2])
seccomp_release(ctx.contexts[2]);
+ free(rule_line);
+
return -1;
}
#else /* HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH */