The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/6449
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
From 55dc98a5f8fde96c91aef0d3237069a331c9a538 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brau...@ubuntu.com>
Date: Wed, 13 Nov 2019 18:45:35 +0100
Subject: [PATCH] seccomp: only apply shift when it is needed

Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
---
 lxd/seccomp/seccomp.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lxd/seccomp/seccomp.go b/lxd/seccomp/seccomp.go
index 9a7bb8a911..7c0e0f4b33 100644
--- a/lxd/seccomp/seccomp.go
+++ b/lxd/seccomp/seccomp.go
@@ -361,6 +361,7 @@ type Instance interface {
 Architecture() int
 RootfsPath() string
 CurrentIdmap() (*idmap.IdmapSet, error)
+ DiskIdmap() (*idmap.IdmapSet, error)
 InsertSeccompUnixDevice(prefix string, m deviceConfig.Device, pid int) error
 }

@@ -1527,7 +1528,14 @@ func (s *Server) MountSyscallValid(c Instance, args *MountArgs) (bool, string) {
 // MountSyscallShift checks whether this mount syscall needs shiftfs.
 func (s *Server) MountSyscallShift(c Instance) bool {
 if shared.IsTrue(c.ExpandedConfig()["security.syscalls.intercept.mount.shift"]) {
- return true
+ diskIdmap, err := c.DiskIdmap()
+ if err != nil {
+ return false
+ }
+
+ if diskIdmap == nil && c.DaemonState().OS.Shiftfs {
+ return true
+ }
 }

 return false
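Review bot: The error returned by `c.DiskIdmap()` in the second hunk of MountSyscallShift is dropped without any trace, so a failure to read the on-disk idmap silently turns a mount the admin explicitly configured with `security.syscalls.intercept.mount.shift` into an unshifted one. Failing closed is the right default, but the cause will be invisible when an operator later wonders why files in the mount show up with unmapped ownership; if a logger is in scope in this file, emitting the error before `return false` would make the condition diagnosable. The doc comment `// MountSyscallShift checks whether this mount syscall needs shiftfs.` no longer describes the function, which now also requires that the instance have no on-disk idmap and that the host report shiftfs support; something like `// MountSyscallShift reports whether a mount syscall should be shifted: only when the option is enabled, the instance's rootfs has no on-disk idmap and the host supports shiftfs.` would match the new logic. The first hunk's interface addition needs no further change.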