Merge pull request #3472 from brauner/2020-07-03/fixes

fixes
lxc · Jul 3, 2020 · 22e97b8 · 22e97b8
2 parents 29a01c3 + beafa98
commit 22e97b8
Show file tree

Hide file tree

Showing 13 changed files with 105 additions and 70 deletions.
diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in
@@ -17,7 +17,7 @@ lxc.hook.clone = @LXCHOOKDIR@/clonehostname
 
 # Default legacy cgroup configuration
 #
-# CGroup whitelist
+# CGroup allowlist
 lxc.cgroup.devices.deny = a
 ## Allow any mknod (but not reading/writing the node)
 lxc.cgroup.devices.allow = c *:* m
@@ -46,7 +46,7 @@ lxc.cgroup.devices.allow = c 10:229 rwm
 
 # Default unified cgroup configuration
 #
-# CGroup whitelist
+# CGroup allowlist
 lxc.cgroup2.devices.deny = a
 ## Allow any mknod (but not reading/writing the node)
 lxc.cgroup2.devices.allow = c *:* m

diff --git a/config/templates/common.seccomp b/config/templates/common.seccomp
@@ -1,5 +1,5 @@
 2
-blacklist
+denylist
 reject_force_umount  # comment this to allow umount -f;  not recommended
 [all]
 kexec_load errno 1

diff --git a/doc/examples/Makefile.am b/doc/examples/Makefile.am
@@ -10,7 +10,7 @@ pkgexamples_DATA = \
 	lxc-veth.conf \
 	lxc-complex.conf \
 	seccomp-v1.conf \
-	seccomp-v2-blacklist.conf \
+	seccomp-v2-denylist.conf \
 	seccomp-v2.conf
 endif
 
@@ -23,10 +23,10 @@ noinst_DATA = \
 	lxc-veth.conf.in \
 	lxc-complex.conf.in \
 	seccomp-v1.conf \
-	seccomp-v2-blacklist.conf \
+	seccomp-v2-denylist.conf \
 	seccomp-v2.conf
 
 EXTRA_DIST = \
 	seccomp-v1.conf \
-	seccomp-v2-blacklist.conf \
+	seccomp-v2-denylist.conf \
 	seccomp-v2.conf
diff --git a/doc/examples/seccomp-v1.conf b/doc/examples/seccomp-v1.conf
@@ -1,5 +1,5 @@
 1
-whitelist
+allowlist
 0
 1
 2

diff --git a/doc/examples/seccomp-v2-blacklist.conf → doc/examples/seccomp-v2-denylist.conf b/doc/examples/seccomp-v2-blacklist.conf → doc/examples/seccomp-v2-denylist.conf
@@ -1,7 +1,7 @@
 2
-blacklist
+denylist
 # v2 allows comments after the second line, with '#' in first column,
-# blacklist will allow syscalls by default
+# denylist will allow syscalls by default
 # if 'errno 0' was not appended to 'mknod' below, then the task would
 # simply be killed when it tried to mknod.  'errno 0' means do not allow
 # the container to mknod, but immediately return 0.

diff --git a/doc/examples/seccomp-v2.conf b/doc/examples/seccomp-v2.conf
@@ -1,7 +1,7 @@
 2
-whitelist trap
-# 'whitelist' would normally mean kill a task doing any syscall which is not
-# whitelisted below.  By appending 'trap' to the line, we will cause a SIGSYS
+allowlist trap
+# 'allowlist' would normally mean kill a task doing any syscall which is not
+# allowlisted below.  By appending 'trap' to the line, we will cause a SIGSYS
 # to be sent to the task instead.  'errno 0' would  mean don't allow the system
 # call but immediately return 0.  'errno 22' would mean return EINVAL immediately.
 [x86_64]
@@ -20,5 +20,5 @@ read
 write
 mount
 umount2
-# Do note that this policy does not whitelist enough system calls to allow a
+# Do note that this policy does not allowlist enough system calls to allow a
 # system container to boot.
diff --git a/doc/ja/lxc.container.conf.sgml.in b/doc/ja/lxc.container.conf.sgml.in
@@ -2304,7 +2304,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
             standard namespace identifiers as seen in the
             <filename>/proc/PID/ns</filename> directory.
             The <option>lxc.namespace.keep</option> is a
-            blacklist option, i.e. it is useful when enforcing that containers
+            denylist option, i.e. it is useful when enforcing that containers
             must keep a specific set of namespaces.
             -->
               コンテナが、作成元のプロセスから継承する (新しい名前空間を作らずに元のプロセスの名前空間のまま実行する) 名前空間を指定します。継承する名前空間はスペース区切りのリストで指定します。指定する名前空間名は、<filename>/proc/PID/ns</filename> ディレクトリ内に存在する標準の名前空間指示子でなければなりません。<option>lxc.namespace.keep</option> はブラックリストを指定するオプションです。つまり、コンテナに特定の名前空間を使い続けることを強制したい場合に便利です。
@@ -2758,26 +2758,26 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
       <para>
         <!--
         Versions 1 and 2 are currently supported.  In version 1, the
-        policy is a simple whitelist.  The second line therefore must
-        read "whitelist", with the rest of the file containing one (numeric)
-        syscall number per line.  Each syscall number is whitelisted,
-        while every unlisted number is blacklisted for use in the container
+        policy is a simple allowlist.  The second line therefore must
+        read "allowlist", with the rest of the file containing one (numeric)
+        syscall number per line.  Each syscall number is allowlisted,
+        while every unlisted number is denylisted for use in the container
         -->
-        現時点では、バージョン番号は 1 と 2 をサポートしています。バージョン 1 では、ポリシーはシンプルなホワイトリストですので、2 行目は "whitelist" でなければなりません。
+        現時点では、バージョン番号は 1 と 2 をサポートしています。バージョン 1 では、ポリシーはシンプルなホワイトリストですので、2 行目は "allowlist" でなければなりません。
         そして残りの行には 1 行に 1 つずつ、システムコール番号を書きます。各行のシステムコール番号がホワイトリスト化され、リストにない番号は、そのコンテナではブラックリストに入ります。
       </para>
 
       <para>
         <!--
-       In version 2, the policy may be blacklist or whitelist,
+       In version 2, the policy may be denylist or allowlist,
        supports per-rule and per-policy default actions, and supports
        per-architecture system call resolution from textual names.
           -->
         バージョン 2 では、ポリシーはブラックリストもしくはホワイトリストで表され、ルールごとのアクションと、ポリシーごとのデフォルトのアクションを設定できます。そして、アーキテクチャごとの設定と、テキストで書かれたシステムコール名での設定が可能です。
       </para>
       <para>
         <!--
-       An example blacklist policy, in which all system calls are
+       An example denylist policy, in which all system calls are
        allowed except for mknod, which will simply do nothing and
        return 0 (success), looks like:
        -->
@@ -2786,7 +2786,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
 
       <programlisting>
       2
-      blacklist
+      denylist
       mknod errno 0
       ioctl notify
       </programlisting>

diff --git a/doc/ko/lxc.container.conf.sgml.in b/doc/ko/lxc.container.conf.sgml.in
@@ -1736,33 +1736,33 @@ proc proc proc nodev,noexec,nosuid 0 0
       <para>
         <!--
         Versions 1 and 2 are currently supported.  In version 1, the
-	policy is a simple whitelist.  The second line therefore must
-	read "whitelist", with the rest of the file containing one (numeric)
-	syscall number per line.  Each syscall number is whitelisted,
-	while every unlisted number is blacklisted for use in the container
+	policy is a simple allowlist.  The second line therefore must
+	read "allowlist", with the rest of the file containing one (numeric)
+	syscall number per line.  Each syscall number is allowlisted,
+	while every unlisted number is denylisted for use in the container
         -->
-        현재는 버전1과 2만 지원된다. 버전 1에서는 정책은 단순한 화이트리스트이다. 그러므로 두번째 라인은 반드시 "whitelist"여야 한다. 파일의 나머지 내용은 한 줄에 하나의 시스템콜 번호로 채워진다. 화이트리스트에 없는 번호는 컨테이너에서 블랙리스트로 들어간다.
+        현재는 버전1과 2만 지원된다. 버전 1에서는 정책은 단순한 화이트리스트이다. 그러므로 두번째 라인은 반드시 "allowlist"여야 한다. 파일의 나머지 내용은 한 줄에 하나의 시스템콜 번호로 채워진다. 화이트리스트에 없는 번호는 컨테이너에서 블랙리스트로 들어간다.
       </para>
 
       <para>
         <!--
-       In version 2, the policy may be blacklist or whitelist,
+       In version 2, the policy may be denylist or allowlist,
        supports per-rule and per-policy default actions, and supports
        per-architecture system call resolution from textual names.
           -->
         버전 2에서는 폴리시는 블랙리스트 또는 화이트리스트가 될 수 있다. 그리고  각 규칙와 각 정책의 기본 동작, 아키텍쳐별 시스템콜 설정, 텍스트로된 이름을 지원한다.
       </para>
       <para>
         <!--
-       An example blacklist policy, in which all system calls are
+       An example denylist policy, in which all system calls are
        allowed except for mknod, which will simply do nothing and
        return 0 (success), looks like:
        -->
         아래는 블랙리스트 정책 예제이다. 아래 정책에서는 mknod를 제외한 모든 시스템콜이 허용된다. mknod시에는 아무것도 수행하지 않고 0(성공)을 반환한다.
       </para>
 <screen>
 2
-blacklist
+denylist
 mknod errno 0
 </screen>
       <variablelist>

diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
@@ -1729,7 +1729,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
             standard namespace identifiers as seen in the
             <filename>/proc/PID/ns</filename> directory.
             The <option>lxc.namespace.keep</option> is a
-            blacklist option, i.e. it is useful when enforcing that containers
+            denylist option, i.e. it is useful when enforcing that containers
             must keep a specific set of namespaces.
             </para>
 
@@ -2064,26 +2064,26 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
       </para>
       <para>
         Versions 1 and 2 are currently supported.  In version 1, the
-        policy is a simple whitelist.  The second line therefore must
-        read "whitelist", with the rest of the file containing one (numeric)
-        syscall number per line.  Each syscall number is whitelisted,
-        while every unlisted number is blacklisted for use in the container
+        policy is a simple allowlist.  The second line therefore must
+        read "allowlist", with the rest of the file containing one (numeric)
+        syscall number per line.  Each syscall number is allowlisted,
+        while every unlisted number is denylisted for use in the container
       </para>
 
       <para>
-       In version 2, the policy may be blacklist or whitelist,
+       In version 2, the policy may be denylist or allowlist,
        supports per-rule and per-policy default actions, and supports
        per-architecture system call resolution from textual names.
       </para>
       <para>
-       An example blacklist policy, in which all system calls are
+       An example denylist policy, in which all system calls are
        allowed except for mknod, which will simply do nothing and
        return 0 (success), looks like:
       </para>
 
       <programlisting>
       2
-      blacklist
+      denylist
       mknod errno 0
       ioctl notify
       </programlisting>

diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
@@ -2655,7 +2655,7 @@ __cgfsng_ops static int cgfsng_set(struct cgroup_ops *ops,
 		*p = '\0';
 
 	if (pure_unified_layout(ops) && strcmp(controller, "devices") == 0) {
-		struct device_item device = {0};
+		struct device_item device = {};
 
 		ret = device_cgroup_rule_parse(&device, key, value);
 		if (ret < 0)
@@ -2762,7 +2762,7 @@ static int device_cgroup_rule_parse_devpath(struct device_item *device,
 
 static int convert_devpath(const char *invalue, char *dest)
 {
-	struct device_item device = {0};
+	struct device_item device = {};
 	int ret;
 
 	ret = device_cgroup_rule_parse_devpath(&device, invalue);
@@ -2882,7 +2882,7 @@ static int bpf_device_cgroup_prepare(struct cgroup_ops *ops,
 				     const char *val)
 {
 #ifdef HAVE_STRUCT_BPF_CGROUP_DEV_CTX
-	struct device_item device_item = {0};
+	struct device_item device_item = {};
 	int ret;
 
 	if (strcmp("devices.allow", key) == 0 && *val == '/')

diff --git a/src/lxc/cgroups/cgroup2_devices.c b/src/lxc/cgroups/cgroup2_devices.c
@@ -118,29 +118,32 @@ void bpf_program_free(struct bpf_program *prog)
 			   .off = 0,                   \
 			   .imm = 0})
 
-static int bpf_access_mask(const char *acc)
+static int bpf_access_mask(const char *acc, int *mask)
 {
-	int mask = 0;
+	*mask = 0;
 
 	if (!acc)
-		return mask;
+		return 0;
 
-	for (; *acc; acc++)
+	for (; *acc; acc++) {
 		switch (*acc) {
 		case 'r':
-			mask |= BPF_DEVCG_ACC_READ;
+			*mask |= BPF_DEVCG_ACC_READ;
 			break;
 		case 'w':
-			mask |= BPF_DEVCG_ACC_WRITE;
+			*mask |= BPF_DEVCG_ACC_WRITE;
 			break;
 		case 'm':
-			mask |= BPF_DEVCG_ACC_MKNOD;
+			*mask |= BPF_DEVCG_ACC_MKNOD;
 			break;
+		case '\0':
+			continue;
 		default:
 			return -EINVAL;
 		}
+	}
 
-	return mask;
+	return 0;
 }
 
 static int bpf_device_type(char type)
@@ -174,7 +177,7 @@ struct bpf_program *bpf_program_new(uint32_t prog_type)
 	prog->prog_type = prog_type;
 	prog->kernel_fd = -EBADF;
 	/*
-	 * By default a whitelist is used unless the user tells us otherwise.
+	 * By default a allowlist is used unless the user tells us otherwise.
 	 */
 	prog->device_list_type = LXC_BPF_DEVICE_CGROUP_ALLOWLIST;
 
@@ -227,7 +230,10 @@ int bpf_program_append_device(struct bpf_program *prog, struct device_item *devi
 	if (device_type > 0)
 		jump_nr++;
 
-	access_mask = bpf_access_mask(device->access);
+	ret = bpf_access_mask(device->access, &access_mask);
+	if (ret < 0)
+		return log_error_errno(ret, -ret, "Invalid access mask specified %s", device->access);
+
 	if (!bpf_device_all_access(access_mask))
 		jump_nr += 3;
 
@@ -299,8 +305,8 @@ int bpf_program_finalize(struct bpf_program *prog)
 
 	TRACE("Implementing %s bpf device cgroup program",
 	      prog->device_list_type == LXC_BPF_DEVICE_CGROUP_DENYLIST
-		  ? "blacklist"
-		  : "whitelist");
+		  ? "denylist"
+		  : "allowlist");
 
 	ins[0] = BPF_MOV64_IMM(BPF_REG_0, prog->device_list_type);
 	ins[1] = BPF_EXIT_INSN();
@@ -451,11 +457,11 @@ int bpf_list_add_device(struct lxc_conf *conf, struct device_item *device)
 		    device->global_rule > LXC_BPF_DEVICE_CGROUP_LOCAL_RULE) {
 			TRACE("Switched from %s to %s",
 			      cur->global_rule == LXC_BPF_DEVICE_CGROUP_ALLOWLIST
-				  ? "whitelist"
-				  : "blacklist",
+				  ? "allowlist"
+				  : "denylist",
 			      device->global_rule == LXC_BPF_DEVICE_CGROUP_ALLOWLIST
-				  ? "whitelist"
-				  : "blacklist");
+				  ? "allowlist"
+				  : "denylist");
 			cur->global_rule = device->global_rule;
 			return 1;
 		}