<div dir="ltr"><div>I think I managed to do it by using a seccomp profile. Syscalls for a 32bit emulated binary have different system call numbers and they are rejected. <br><br>"... Also, as things are today, if your host is 64bit and you load a seccomp policy file, all 32bit syscalls will be rejected. ..." - <a href="https://www.stgraber.org/2014/01/01/lxc-1-0-security-features/">https://www.stgraber.org/2014/01/01/lxc-1-0-security-features/</a><br><br>Add the following to the container config file (per instruction at <a href="https://github.com/lxc/lxc">https://github.com/lxc/lxc</a>):<br><br>lxc.seccomp = /var/lib/lxc/q1/seccomp.full<br><br></div>and create a seccomp.full file through:<br><div><br>cat > seccomp.full << EOF<br>1<br>whitelist<br>EOF<br>for i in `seq 0 300`; do<br> echo $i >> seccomp.full<br>done<br>for i in `seq 1024 1079`; do<br> echo $i >> seccomp.full<br>done<br><br><br><br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, May 11, 2015 at 6:13 AM, Michael H. Warfield <span dir="ltr"><<a href="mailto:mhw@wittsend.com" target="_blank">mhw@wittsend.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Sun, 2015-05-10 at 11:08 -0400, Stéphane Graber wrote:<br>
> On Sun, May 10, 2015 at 09:00:22AM -0400, Michael H. Warfield wrote:<br>
> > On Sun, 2015-05-10 at 14:54 +1000, Boyok Mad wrote:<br>
> > > Hi<br>
> > ><br>
> > ><br>
> > > I want to disable 32bit emulation within my ubuntu container. I think<br>
> > > this can be achieved by setting a seccomp filter or cap.drop config (I<br>
> > > may be wrong as I am very new to both features)<br>
> > > <a href="https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html" target="_blank">https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html</a><br>
> ><br>
> > I don't believe that is even conceptually possible. The 64 bit x86<br>
> > instruction set is an inclusive superset of the 32 bit instruction set.<br>
> > Any 32 bit assembly language instruction will run on a 64 bit CPU.<br>
> > That's the very nature of "backward compatibility" in the CPU<br>
> > architecture. The 32 bit instructions are not being emulated at all.<br>
> > They run native on the iron.<br>
<br>
> You can however use seccomp to block all 32bit syscalls.<br>
<br>
</span>True. Syscalls are a horse of a different color since that's OS based<br>
not CPU based. Still, it's not an emulation as the OP seems to be<br>
implying.<br>
<div class="HOEnZb"><div class="h5"><br>
> > > Is it possible to disable specific system calls to disallow a<br>
> > > container from running any 32bit executable? If so, how should the<br>
> > > seccomp/cap.drop config look? If not, is there any way to disable 32bit<br>
> > > emulation within an lxc container?<br>
> > ><br>
> > ><br>
> > > P.S. I tried removing support for i386 packages within a container,<br>
> > > but it still runs 32bit binaries.<br>
> > ><br>
> > ><br>
> > > Cheers,<br>
> > ><br>
> > > Boy<br>
> ><br>
> > Regards,<br>
> > Mike<br>
> > --<br>
> > Michael H. Warfield (AI4NB) | <a href="tel:%28770%29%20978-7061" value="+17709787061">(770) 978-7061</a> | mhw@WittsEnd.com<br>
> > /\/\|=mhw=|\/\/ | <a href="tel:%28678%29%20463-0932" value="+16784630932">(678) 463-0932</a> | <a href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
> > NIC whois: MHW9 | An optimist believes we live in the best of all<br>
> > PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
> ><br>
<br>
Regards,<br>
Mike<br>
--<br>
Michael H. Warfield (AI4NB) | <a href="tel:%28770%29%20978-7061" value="+17709787061">(770) 978-7061</a> | mhw@WittsEnd.com<br>
/\/\|=mhw=|\/\/ | <a href="tel:%28678%29%20463-0932" value="+16784630932">(678) 463-0932</a> | <a href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
NIC whois: MHW9 | An optimist believes we live in the best of all<br>
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
<br>
</div></div><br>_______________________________________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br></blockquote></div><br></div>
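What the thread relies on is that the kernel tags every syscall with the ABI it was entered through (`seccomp_data.arch`), so a filter can refuse the i386 and x32 entry points while leaving native x86-64 calls alone; that is why a 64-bit LXC seccomp policy "rejects" 32-bit syscalls without touching the CPU's ability to execute 32-bit instructions. The program below is an added example, not code from this thread or from LXC: it builds that filter by hand as classic BPF, checks its decisions offline with a tiny interpreter, and installs it before exec'ing a program. It assumes an x86-64 Linux host, the file name `deny_compat.c`, and chooses SECCOMP_RET_KILL for non-native calls to mirror the whitelist behaviour described above (returning ENOSYS instead would be a one-constant change).

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Syscall numbers with this bit set are x32-ABI calls entered via the
 * 64-bit syscall instruction. Kernel ABI constant, defined locally so the
 * file builds without <asm/unistd.h>. */
#define X32_SYSCALL_BIT 0x40000000u

/* Allow a call only if it came through the x86-64 ABI and is not an x32
 * call; i386 (int 0x80 / sysenter) and x32 calls kill the thread. */
static const struct sock_filter deny_compat[] = {
    /* 0: A = seccomp_data.arch */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    /* 1: A == AUDIT_ARCH_X86_64 ? skip the kill (jt=1) : fall into it (jf=0) */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    /* 2: wrong ABI (i386 or anything else) */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* 3: A = seccomp_data.nr */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /* 4: (A & X32_SYSCALL_BIT) ? fall into the kill (jt=0) : skip it (jf=1) */
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, X32_SYSCALL_BIT, 0, 1),
    /* 5: x32 call */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* 6: native 64-bit call */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define DENY_COMPAT_LEN (sizeof(deny_compat) / sizeof(deny_compat[0]))

/* Minimal cBPF interpreter for the four instruction kinds used above, so
 * the filter's decisions can be checked without loading it. Unknown opcodes
 * and running off the end fail closed. */
uint32_t run_filter(const struct sock_filter *f, size_t n,
                    const struct seccomp_data *sd)
{
    const unsigned char *raw = (const unsigned char *)sd;
    uint32_t acc = 0;
    size_t pc = 0;

    while (pc < n) {
        const struct sock_filter *ins = &f[pc];
        uint32_t k = ins->k;
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:          /* A = 32-bit word at offset k */
            if (k > sizeof(*sd) - sizeof(acc))
                return SECCOMP_RET_KILL;
            memcpy(&acc, raw + k, sizeof(acc));
            pc++;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:         /* pc += 1 + (A == k ? jt : jf) */
            pc += 1 + (acc == k ? ins->jt : ins->jf);
            break;
        case BPF_JMP | BPF_JSET | BPF_K:        /* pc += 1 + (A & k ? jt : jf) */
            pc += 1 + ((acc & k) ? ins->jt : ins->jf);
            break;
        case BPF_RET | BPF_K:                   /* verdict */
            return k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}

/* Verdict the filter gives for syscall `nr` entered through ABI `arch`. */
uint32_t decide(uint32_t arch, int nr)
{
    struct seccomp_data sd;
    memset(&sd, 0, sizeof(sd));
    sd.nr = nr;
    sd.arch = arch;
    return run_filter(deny_compat, DENY_COMPAT_LEN, &sd);
}

/* Load the filter into the current process. It survives fork and execve,
 * so a 32-bit binary exec'd afterwards dies on its first syscall.
 * no_new_privs lets an unprivileged process install the filter. */
int install_deny_compat(void)
{
    struct sock_fprog prog = {
        .len = (unsigned short)DENY_COMPAT_LEN,
        .filter = (struct sock_filter *)deny_compat,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Usage: ./deny_compat <program> [args...]  (try it on a 32-bit binary) */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <program> [args...]\n", argv[0]);
        return 2;
    }
    if (install_deny_compat() != 0) {
        perror("seccomp");
        return 1;
    }
    execvp(argv[1], argv + 1);
    perror("execvp");
    return 1;
}
```

Build with `gcc -O2 -o deny_compat deny_compat.c`; running `./deny_compat /bin/true` with a 64-bit `/bin/true` exits normally, while an i386 binary is killed with SIGSYS on its first syscall. The arch check comes before the syscall-number check on purpose: syscall numbers differ between ABIs (write is 1 on x86-64 but 4 on i386), so a number-only whitelist written for one ABI says nothing about the other, which is exactly why the v1 policy file in the post rejects 32-bit calls on a 64-bit host.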