[lxc-devel] [PATCH 1/2] seccomp: add rule to reject umount -f
Serge Hallyn
serge.hallyn at ubuntu.com
Fri Dec 19 18:22:55 UTC 2014
If a container has a bind mount from a host nfs or fuse
filesystem, and does 'umount -f', it will disconnect the
host's filesystem. This patch adds a seccomp rule to
block umount -f from a container. It also adds that rule
to the default seccomp profile.
Thanks stgraber for the idea :)
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
config/templates/common.seccomp | 1 +
src/lxc/seccomp.c | 14 ++++++++++++++
2 files changed, 15 insertions(+)
diff --git a/config/templates/common.seccomp b/config/templates/common.seccomp
index e6650ef..6f8eeba 100644
--- a/config/templates/common.seccomp
+++ b/config/templates/common.seccomp
@@ -1,5 +1,6 @@
2
blacklist
+reject_force_umount # comment this to allow umount -f; not recommended
[all]
kexec_load errno 1
open_by_handle_at errno 1
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index dfdedf2..825d8a1 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -28,6 +28,7 @@
#include <errno.h>
#include <seccomp.h>
#include <sys/utsname.h>
+#include <sys/mount.h>
#include "config.h"
#include "lxcseccomp.h"
@@ -186,6 +187,18 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
ERROR("BUG: seccomp: rule and context arch do not match (arch %d)", arch);
return false;
}
+
+ if (strncmp(line, "reject_force_umount", 19) == 0) {
+ INFO("Setting seccomp rule to reject force umounts\n");
+ ret = seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(umount2),
+ 1, SCMP_A1(SCMP_CMP_MASKED_EQ , MNT_FORCE , MNT_FORCE ));
+ if (ret < 0) {
+ ERROR("failed (%d) loading rule to reject force umount", ret);
+ return false;
+ }
+ return true;
+ }
+
nr = seccomp_syscall_resolve_name(line);
if (nr == __NR_SCMP_ERROR) {
WARN("Seccomp: failed to resolve syscall: %s", line);
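Review bot: The added check `if (strncmp(line, "reject_force_umount", 19) == 0)` is a prefix test with a hand-counted length, so any line that merely starts with the keyword is accepted and the 19 silently goes stale if the keyword is ever renamed; comparing the whole token, `if (strcmp(line, "reject_force_umount") == 0) {`, or at least using `strlen("reject_force_umount")` in place of 19, would be tighter (assuming the caller has already stripped the trailing `# …` comment and whitespace seen in the template, which happens outside the hunk). The INFO message on the following line ends in "\n" while the neighbouring ERROR and WARN messages in this hunk do not, so the log output is inconsistent; drop the newline. The stray spaces inside `SCMP_A1(SCMP_CMP_MASKED_EQ , MNT_FORCE , MNT_FORCE )` are a style nit worth tidying while here. do_resolve_add_rule starts before the hunk, so whether `ret` is declared in scope and whether parse_config_v2 actually feeds it a line that precedes the first `[arch]` section (the template places reject_force_umount before `[all]`) cannot be confirmed from this excerpt and should be checked.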
@@ -393,6 +406,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
goto bad;
}
}
+
return 0;
bad_arch:
--
2.1.0