[pve-devel] [PATCH container 4/4] set lxc.seccomp.notify.cookie to the vmid
Wolfgang Bumiller
w.bumiller at proxmox.com
Thu Jan 30 09:27:33 CET 2020
Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
src/PVE/LXC.pm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index b4d3b7d..cb2531f 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -496,7 +496,7 @@ sub check_kernel_release {
#
# This returns a configuration snippet added to the raw lxc config.
sub make_seccomp_config {
- my ($conf, $conf_dir, $unprivileged, $features) = @_;
+ my ($conf, $vmid, $conf_dir, $unprivileged, $features) = @_;
# User-configured profile has precedence, note that the user's entry would
# be written 'after' this line anyway...
if (PVE::LXC::Config->has_lxc_entry($conf, 'lxc.seccomp.profile')) {
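Review bot: The new `$vmid` argument is inserted in the middle of the positional list in `my ($conf, $vmid, $conf_dir, $unprivileged, $features) = @_;`, so any caller still passing four arguments would silently bind its directory to `$vmid` and shift the rest, and Perl raises no error for that. Only the call in update_lxc_config is updated in this patch, so it is worth confirming that no other caller exists. The header comment above the sub should also name the parameter, for example `# $vmid is written to the config as lxc.seccomp.notify.cookie.` The body of make_seccomp_config continues outside this hunk.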
@@ -540,6 +540,7 @@ sub make_seccomp_config {
}
$raw_conf .= "lxc.seccomp.notify.proxy = unix:/run/pve/lxc-syscalld.sock\n";
+ $raw_conf .= "lxc.seccomp.notify.cookie = $vmid\n";
$rules->{mknod} = [
# condition: (mode & S_IFMT) == S_IFCHR
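Review bot: The added `lxc.seccomp.notify.cookie` line is emitted unconditionally, while the comment at the top of this sub says user-supplied raw lxc entries are written after the generated ones, so a raw `lxc.seccomp.notify.cookie` entry in the container config would presumably override the vmid. If the proxy behind `unix:/run/pve/lxc-syscalld.sock` uses the cookie to decide which container a request belongs to, it should not rely on the cookie alone, or such an entry should be detected with `PVE::LXC::Config->has_lxc_entry($conf, 'lxc.seccomp.notify.cookie')` in the same way the profile entry is. `$vmid` is also interpolated into the config text without a check here; it is presumably validated as an integer upstream, but that is not visible in this hunk. The enclosing function starts and ends outside the hunk.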
@@ -673,7 +674,7 @@ sub update_lxc_config {
my $features = PVE::LXC::Config->parse_features($conf->{features});
- $raw .= make_seccomp_config($conf, $dir, $unprivileged, $features);
+ $raw .= make_seccomp_config($conf, $vmid, $dir, $unprivileged, $features);
$raw .= make_apparmor_config($conf, $unprivileged, $features);
if ($features->{fuse}) {
$raw .= "lxc.apparmor.raw = mount fstype=fuse,\n";
--
2.20.1