[lxc-devel] [lxd/master] seccomp: block new mount API when mount interception is requested
brauner on Github
lxc-bot at linuxcontainers.org
Mon Nov 25 13:47:56 UTC 2019
From d27a3da74e81f30bf127999f4d984d2c216624e2 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 25 Nov 2019 14:47:19 +0100
Subject: [PATCH] seccomp: block new mount API when mount interception is requested
When mount interception is requested we need to block the new mount API since it
keeps in-kernel state across an arbitrary number of syscalls.
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
lxd/seccomp/seccomp.go | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/lxd/seccomp/seccomp.go b/lxd/seccomp/seccomp.go
index ddd5ae4bef..0197032b04 100644
--- a/lxd/seccomp/seccomp.go
+++ b/lxd/seccomp/seccomp.go
@@ -282,6 +282,15 @@ mknodat notify [2,24576,SCMP_CMP_MASKED_EQ,61440]
const seccompNotifySetxattr = `setxattr notify [3,1,SCMP_CMP_EQ]
`
+const seccompBlockNewMountApi = `fsopen errno 38
+fsconfig errno 38
+fsinfo errno 38
+fsmount errno 38
+fspick errno 38
+open_tree errno 38
+move_mount errno 38
+`
+
// We don't want to filter any of the following flag combinations since they do
// not cause the creation of a new superblock:
//
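Review bot: the seven `errno 38` rules in `seccompBlockNewMountApi` use a bare magic number; add a comment saying that 38 is ENOSYS on Linux, so readers of the policy don't have to look it up and a later editor doesn't "fix" it to EPERM. ENOSYS is the right value: a caller probing for fsopen()/fsmount() treats ENOSYS as "this kernel has no new mount API" and falls back to mount(2), which the `mount notify` rule does intercept, whereas EPERM reads as a policy denial and gets surfaced as an error. Also double-check the `fsinfo errno 38` line: the other six names (fsopen, fsconfig, fsmount, fspick, open_tree, move_mount) were merged in Linux 5.2, but fsinfo is still only a proposed syscall at this point, so confirm how the policy parser treats a name libseccomp cannot resolve before relying on that line; if unknown names are rejected the whole mount-interception policy fails to load, and if they are skipped the line is dead and should say so in a comment.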
@@ -500,6 +509,10 @@ func seccompGetPolicyContent(c Instance) (string, error) {
if shared.IsTrue(config["security.syscalls.intercept.mount"]) {
policy += seccompNotifyMount
+ // We can't handle the new mount API since it keeps
+ // in-kernel state across an arbitrary number of
+ // multiple syscalls.
+ policy += seccompBlockNewMountApi
}
}
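Review bot: the comment added above `policy += seccompBlockNewMountApi` is redundant ("an arbitrary number of multiple syscalls") and does not say why that matters for interception; suggest: "The new mount API (fsopen/fsconfig/fsmount/...) builds up a mount in the kernel across several syscalls through a context fd, so a per-syscall notifier cannot see or emulate the whole operation; return ENOSYS so callers fall back to mount(2)." It is also worth stating, either here or in the commit message, that the block is deliberately scoped to the `security.syscalls.intercept.mount` branch and that the default, non-intercepting policy is unchanged by this patch.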