attach: move loading seccomp as late as possible

We want to minimize the change that the profile blocks syscalls we need during attach setup and has the notifier enabled. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
lxc · Feb 2, 2021 · e18aba7 · e18aba7
1 parent 92466fe
commit e18aba7
Showing 1 changed file with 12 additions and 12 deletions.
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
@@ -1130,18 +1130,6 @@ __noreturn static void do_attach(struct attach_payload *ap)
 		TRACE("Set PR_SET_NO_NEW_PRIVS");
 	}
 
-	if (conf->seccomp.seccomp) {
-		ret = lxc_seccomp_load(conf);
-		if (ret < 0)
-			goto on_error;
-
-		TRACE("Loaded seccomp profile");
-
-		ret = lxc_seccomp_send_notifier_fd(&conf->seccomp, ap->ipc_socket);
-		if (ret < 0)
-			goto on_error;
-	}
-
 	/* The following is done after the communication socket is shut down.
 	 * That way, all errors that might (though unlikely) occur up until this
 	 * point will have their messages printed to the original stderr (if
@@ -1210,6 +1198,18 @@ __noreturn static void do_attach(struct attach_payload *ap)
 	if (ret)
 		INFO("Failed to adjust stdio permissions");
 
+	if (conf->seccomp.seccomp) {
+		ret = lxc_seccomp_load(conf);
+		if (ret < 0)
+			goto on_error;
+
+		TRACE("Loaded seccomp profile");
+
+		ret = lxc_seccomp_send_notifier_fd(&conf->seccomp, ap->ipc_socket);
+		if (ret < 0)
+			goto on_error;
+	}
+
 	if (!lxc_switch_uid_gid(ctx->target_ns_uid, ctx->target_ns_gid))
 		goto on_error;