2 files changed, 48 insertions, 0 deletions
diff --git a/recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch b/recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch
new file mode 100644
index 00000000..f0a58139
--- /dev/null
+++ b/recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch
@@ -0,0 +1,46 @@
+From 3d46e1d1f8e904fddd4fab3e8d0c6cf57d2ddd4e Mon Sep 17 00:00:00 2001
+From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
+Date: Mon, 23 Aug 2021 22:04:40 +0200
+Subject: [PATCH] config: enable seccomp profile only when compiled with
+ libseccomp
+Make lxc fail if seccomp.profile is specified but lxc is compiled
+without seccomp support. Currently, seccomp.profile is silently ignored
+if is specified in such a scenario. This could lead to the false
+impression that the seccomp filter is applied while it actually isn't.
+Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
+---
+ src/lxc/confile.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+Upstream-Status: Submitted [https://github.com/lxc/lxc/pull/3947/commits/3d46e1d1f8e904fddd4fab3e8d0c6cf57d2ddd4e]
+diff --git a/src/lxc/confile.c b/src/lxc/confile.c
+index d8b96c6921..1cc8da15f1 100644
+--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
+@@ -1211,7 +1211,11 @@ static int set_config_seccomp_notify_proxy(const char *key, const char *value,
+ static int set_config_seccomp_profile(const char *key, const char *value,
+                                      struct lxc_conf *lxc_conf, void *data)
+ {
+#ifdef HAVE_SECCOMP
+        return set_config_path_item(&lxc_conf->seccomp.seccomp, value);
+#else
+       return ret_set_errno(-1, ENOSYS);
+#endif
+ }
+ 
+ static int set_config_execute_cmd(const char *key, const char *value,
+@@ -4383,7 +4387,11 @@ static int get_config_seccomp_notify_proxy(const char *key, char *retv, int inle
+ static int get_config_seccomp_profile(const char *key, char *retv, int inlen,
+                                      struct lxc_conf *c, void *data)
+ {
+#ifdef HAVE_SECCOMP
+        return lxc_get_conf_str(retv, inlen, c->seccomp.seccomp);
+#else
+       return ret_errno(ENOSYS);
+#endif
+ }
+ 
+ static int get_config_autodev(const char *key, char *retv, int inlen,
diff --git a/recipes-containers/lxc/lxc_4.0.9.bb b/recipes-containers/lxc/lxc_4.0.9.bb
index 79072915..8b165e22 100644
--- a/recipes-containers/lxc/lxc_4.0.9.bb
+++ b/recipes-containers/lxc/lxc_4.0.9.bb
@@ -49,6 +49,7 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}/${BPN}-${PV}.tar.gz \
        file://tests-add-no-validate-when-using-download-template.patch \
        file://dnsmasq.conf \
        file://lxc-net \
+        file://enable_seccomp_profile_when_compiled_libseccomp.patch \
        "
 SRC_URI[md5sum] = "365fcca985038910e19a1e0fff15ed07"
@@ -72,6 +73,7 @@ EXTRA_OECONF += "--enable-log-src-basename --disable-werror"
 PACKAGECONFIG ??= "templates \
    ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)} \
    ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)} \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'seccomp', 'seccomp', '', d)} \
 "
 PACKAGECONFIG[doc] = "--enable-doc --enable-api-docs,--disable-doc --disable-api-docs,,"
 PACKAGECONFIG[rpath] = "--enable-rpath,--disable-rpath,,"

diff --git a/recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch b/recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch new file mode 100644 index 00000000..f0a58139 --- /dev/null +++ b/recipes-containers/lxc/files/enable_seccomp_profile_when_compiled_libseccomp.patch
@@ -0,0 +1,46 @@
		1	From 3d46e1d1f8e904fddd4fab3e8d0c6cf57d2ddd4e Mon Sep 17 00:00:00 2001
		2	From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
		3	Date: Mon, 23 Aug 2021 22:04:40 +0200
		4	Subject: [PATCH] config: enable seccomp profile only when compiled with
		5	libseccomp
		6
		7	Make lxc fail if seccomp.profile is specified but lxc is compiled
		8	without seccomp support. Currently, seccomp.profile is silently ignored
		9	if is specified in such a scenario. This could lead to the false
		10	impression that the seccomp filter is applied while it actually isn't.
		11
		12	Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
		13	---
		14	src/lxc/confile.c \| 8 ++++++++
		15	1 file changed, 8 insertions(+)
		16
		17	Upstream-Status: Submitted [https://github.com/lxc/lxc/pull/3947/commits/3d46e1d1f8e904fddd4fab3e8d0c6cf57d2ddd4e]
		18
		19	diff --git a/src/lxc/confile.c b/src/lxc/confile.c
		20	index d8b96c6921..1cc8da15f1 100644
		21	--- a/src/lxc/confile.c
		22	+++ b/src/lxc/confile.c
		23	@@ -1211,7 +1211,11 @@ static int set_config_seccomp_notify_proxy(const char key, const char value,
		24	static int set_config_seccomp_profile(const char key, const char value,
		25	struct lxc_conf lxc_conf, void data)
		26	{
		27	+#ifdef HAVE_SECCOMP
		28	return set_config_path_item(&lxc_conf->seccomp.seccomp, value);
		29	+#else
		30	+ return ret_set_errno(-1, ENOSYS);
		31	+#endif
		32	}
		33
		34	static int set_config_execute_cmd(const char key, const char value,
		35	@@ -4383,7 +4387,11 @@ static int get_config_seccomp_notify_proxy(const char key, char retv, int inle
		36	static int get_config_seccomp_profile(const char key, char retv, int inlen,
		37	struct lxc_conf c, void data)
		38	{
		39	+#ifdef HAVE_SECCOMP
		40	return lxc_get_conf_str(retv, inlen, c->seccomp.seccomp);
		41	+#else
		42	+ return ret_errno(ENOSYS);
		43	+#endif
		44	}
		45
		46	static int get_config_autodev(const char key, char retv, int inlen,


diff --git a/recipes-containers/lxc/lxc_4.0.9.bb b/recipes-containers/lxc/lxc_4.0.9.bb index 79072915..8b165e22 100644 --- a/recipes-containers/lxc/lxc_4.0.9.bb +++ b/recipes-containers/lxc/lxc_4.0.9.bb
@@ -49,6 +49,7 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}/${BPN}-${PV}.tar.gz \
49	file://tests-add-no-validate-when-using-download-template.patch \	49	file://tests-add-no-validate-when-using-download-template.patch \
50	file://dnsmasq.conf \	50	file://dnsmasq.conf \
51	file://lxc-net \	51	file://lxc-net \
		52	file://enable_seccomp_profile_when_compiled_libseccomp.patch \
52	"	53	"
53		54
54	SRC_URI[md5sum] = "365fcca985038910e19a1e0fff15ed07"	55	SRC_URI[md5sum] = "365fcca985038910e19a1e0fff15ed07"
@@ -72,6 +73,7 @@ EXTRA_OECONF += "--enable-log-src-basename --disable-werror"
72	PACKAGECONFIG ??= "templates \	73	PACKAGECONFIG ??= "templates \
73	${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)} \	74	${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)} \
74	${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)} \	75	${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)} \
		76	${@bb.utils.contains('DISTRO_FEATURES', 'seccomp', 'seccomp', '', d)} \
75	"	77	"
76	PACKAGECONFIG[doc] = "--enable-doc --enable-api-docs,--disable-doc --disable-api-docs,,"	78	PACKAGECONFIG[doc] = "--enable-doc --enable-api-docs,--disable-doc --disable-api-docs,,"
77	PACKAGECONFIG[rpath] = "--enable-rpath,--disable-rpath,,"	79	PACKAGECONFIG[rpath] = "--enable-rpath,--disable-rpath,,"