confile: lxc.seccomp --> lxc.seccomp.profile

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
lxc · Jul 2, 2017 · 0b427da · 0b427da
1 parent 232763d
commit 0b427da
Show file tree

Hide file tree

Showing 7 changed files with 36 additions and 17 deletions.
diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in
@@ -48,7 +48,7 @@ lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,opt
 
 # Blacklist some syscalls which are not safe in privileged
 # containers
-lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp
+lxc.seccomp.profile = @LXCTEMPLATECONFIG@/common.seccomp
 
 # Lastly, include all the configs from @LXCTEMPLATECONFIG@/common.conf.d/
 lxc.include = @LXCTEMPLATECONFIG@/common.conf.d/
diff --git a/config/templates/openwrt.common.conf.in b/config/templates/openwrt.common.conf.in
@@ -47,4 +47,4 @@ lxc.cgroup.devices.allow = c 4:1 rwm
 
 # Blacklist some syscalls which are not safe in privileged
 # containers
-lxc.seccomp = /usr/share/lxc/config/common.seccomp
+lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp
diff --git a/config/templates/sabayon.common.conf.in b/config/templates/sabayon.common.conf.in
@@ -73,7 +73,7 @@ lxc.mount.entry = none dev/shm tmpfs rw,nosuid,nodev,create=dir
 
 # Blacklist some syscalls which are not safe in privileged
 # containers
-lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp
+lxc.seccomp.profile = @LXCTEMPLATECONFIG@/common.seccomp
 
 # Customize lxc options through common directory
 lxc.include = @LXCTEMPLATECONFIG@/common.conf.d/
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
@@ -1328,7 +1328,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
       <variablelist>
         <varlistentry>
           <term>
-            <option>lxc.seccomp</option>
+            <option>lxc.seccomp.profile</option>
           </term>
           <listitem>
             <para>

diff --git a/src/lxc/attach.c b/src/lxc/attach.c
@@ -691,19 +691,24 @@ static bool fetch_seccomp(struct lxc_container *c,
 	}
 
 	/* Remove current setting. */
-	if (!c->set_config_item(c, "lxc.seccomp", "")) {
+	if (!c->set_config_item(c, "lxc.seccomp", "") &&
+	    !c->set_config_item(c, "lxc.seccomp.profile", "")) {
 		return false;
 	}
 
 	/* Fetch the current profile path over the cmd interface. */
-	path = c->get_running_config_item(c, "lxc.seccomp");
+	path = c->get_running_config_item(c, "lxc.seccomp.profile");
 	if (!path) {
-		INFO("Failed to get running config item for lxc.seccomp.");
+		INFO("Failed to get running config item for lxc.seccomp.profile");
+		path = c->get_running_config_item(c, "lxc.seccomp");
+	}
+	if (!path) {
+		INFO("Failed to get running config item for lxc.seccomp");
 		return true;
 	}
 
 	/* Copy the value into the new lxc_conf. */
-	if (!c->set_config_item(c, "lxc.seccomp", path)) {
+	if (!c->set_config_item(c, "lxc.seccomp.profile", path)) {
 		free(path);
 		return false;
 	}

diff --git a/src/lxc/confile.c b/src/lxc/confile.c
@@ -115,7 +115,7 @@ lxc_config_define(cap_drop);
 lxc_config_define(cap_keep);
 lxc_config_define(console_logfile);
 lxc_config_define(console_path);
-lxc_config_define(seccomp);
+lxc_config_define(seccomp_profile);
 lxc_config_define(includefiles);
 lxc_config_define(autodev);
 lxc_config_define(signal_halt);
@@ -248,10 +248,15 @@ static struct lxc_config_t config[] = {
 	{ "lxc.cap.keep",                  set_config_cap_keep,                    get_config_cap_keep,                    clr_config_cap_keep,                  },
 	{ "lxc.console.logfile",           set_config_console_logfile,             get_config_console_logfile,             clr_config_console_logfile,           },
 	{ "lxc.console.path",              set_config_console_path,                get_config_console_path,                clr_config_console_path,              },
-	{ "lxc.seccomp",                   set_config_seccomp,                     get_config_seccomp,                     clr_config_seccomp,                   },
+	{ "lxc.seccomp.profile",           set_config_seccomp_profile,             get_config_seccomp_profile,             clr_config_seccomp_profile,           },
 	{ "lxc.include",                   set_config_includefiles,                get_config_includefiles,                clr_config_includefiles,              },
 	{ "lxc.autodev",                   set_config_autodev,                     get_config_autodev,                     clr_config_autodev,                   },
 
+	/* REMOVE IN LXC 3.0
+	   legacy seccomp key
+	 */
+	{ "lxc.seccomp",                   set_config_seccomp_profile,             get_config_seccomp_profile,             clr_config_seccomp_profile,           },
+
 	/* REMOVE IN LXC 3.0
 	   legacy console key
 	 */
@@ -1062,8 +1067,8 @@ static int add_hook(struct lxc_conf *lxc_conf, int which, char *hook)
 	return 0;
 }
 
-static int set_config_seccomp(const char *key, const char *value,
-			      struct lxc_conf *lxc_conf, void *data)
+static int set_config_seccomp_profile(const char *key, const char *value,
+				      struct lxc_conf *lxc_conf, void *data)
 {
 	return set_config_path_item(&lxc_conf->seccomp, value);
 }
@@ -3185,8 +3190,8 @@ static int get_config_console_logfile(const char *key, char *retv, int inlen,
 	return lxc_get_conf_str(retv, inlen, c->console.log_path);
 }
 
-static int get_config_seccomp(const char *key, char *retv, int inlen,
-			      struct lxc_conf *c, void *data)
+static int get_config_seccomp_profile(const char *key, char *retv, int inlen,
+				      struct lxc_conf *c, void *data)
 {
 	return lxc_get_conf_str(retv, inlen, c->seccomp);
 }
@@ -3544,8 +3549,8 @@ static inline int clr_config_console_logfile(const char *key,
 	return 0;
 }
 
-static inline int clr_config_seccomp(const char *key, struct lxc_conf *c,
-				     void *data)
+static inline int clr_config_seccomp_profile(const char *key,
+					     struct lxc_conf *c, void *data)
 {
 	free(c->seccomp);
 	c->seccomp = NULL;

diff --git a/src/tests/parse_config_file.c b/src/tests/parse_config_file.c
@@ -678,13 +678,22 @@ int main(int argc, char *argv[])
 		goto non_test_error;
 	}
 
-	/* lxc.seccomp */
+	/* REMOVE IN LXC 3.0
+	   legacy seccomp key
+	 */
 	if (set_get_compare_clear_save_load(
 		c, "lxc.seccomp", "/some/seccomp/file", tmpf, true) < 0) {
 		lxc_error("%s\n", "lxc.seccomp");
 		goto non_test_error;
 	}
 
+	/* lxc.seccomp.profile */
+	if (set_get_compare_clear_save_load(
+		c, "lxc.seccomp.profile", "/some/seccomp/file", tmpf, true) < 0) {
+		lxc_error("%s\n", "lxc.seccomp.profile");
+		goto non_test_error;
+	}
+
 	/* lxc.autodev */
 	if (set_get_compare_clear_save_load(c, "lxc.autodev", "1", tmpf, true) <
 	    0) {