From e18aba7d2a706f477458098e2f014f0c0cb97f26 Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Tue, 2 Feb 2021 10:43:12 +0100
Subject: [PATCH] attach: move loading seccomp as late as possible

We want to minimize the change that the profile blocks syscalls we need during attach setup and has the notifier enabled.

Signed-off-by: Christian Brauner
---
 src/lxc/attach.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 543f8b7792..5f8114b2f5 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1130,18 +1130,6 @@ __noreturn static void do_attach(struct attach_payload *ap)
 		TRACE("Set PR_SET_NO_NEW_PRIVS");
 	}
 
-	if (conf->seccomp.seccomp) {
-		ret = lxc_seccomp_load(conf);
-		if (ret < 0)
-			goto on_error;
-
-		TRACE("Loaded seccomp profile");
-
-		ret = lxc_seccomp_send_notifier_fd(&conf->seccomp, ap->ipc_socket);
-		if (ret < 0)
-			goto on_error;
-	}
-
 	/* The following is done after the communication socket is shut down.
 	 * That way, all errors that might (though unlikely) occur up until this
 	 * point will have their messages printed to the original stderr (if
@@ -1210,6 +1198,18 @@ __noreturn static void do_attach(struct attach_payload *ap)
 	if (ret)
 		INFO("Failed to adjust stdio permissions");
 
+	if (conf->seccomp.seccomp) {
+		ret = lxc_seccomp_load(conf);
+		if (ret < 0)
+			goto on_error;
+
+		TRACE("Loaded seccomp profile");
+
+		ret = lxc_seccomp_send_notifier_fd(&conf->seccomp, ap->ipc_socket);
+		if (ret < 0)
+			goto on_error;
+	}
+
 	if (!lxc_switch_uid_gid(ctx->target_ns_uid, ctx->target_ns_gid))
 		goto on_error;
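Review bot: The relocated block in the second hunk sends the notifier fd over `ap->ipc_socket` below the comment kept in the first hunk, which states that everything from that point on runs after the communication socket is shut down; if that comment is accurate the send cannot succeed, and if it is not, the comment is now misleading and should be reworded to say what is actually closed there. The new position also means a `lxc_seccomp_load` failure is logged only after stdio has been rewired, so the reason for the placement is worth stating above the added `if (conf->seccomp.seccomp) {` line, e.g. `/* Loaded last so the setup above is not blocked by the profile; anything added below this point runs under the filter. */`. do_attach starts and ends outside both hunks.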