[lxc-devel] [PATCH 2/2] Enable seccomp by default for unprivileged users.

Stéphane Graber stgraber at ubuntu.com
Fri Dec 19 18:28:18 UTC 2014


On Fri, Dec 19, 2014 at 06:23:52PM +0000, Serge Hallyn wrote:
> In contrast to what the comment above the line disabling it said,
> it seems to work just fine.  It also is needed on current kernels
> (until Eric's patch hits upstream) to prevent unprivileged containers
> from hosing fuse filesystems they inherit.
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  config/templates/userns.conf.in | 4 ----
>  1 file changed, 4 deletions(-)
> 
> diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in
> index 2d9d7d5..5dc19c7 100644
> --- a/config/templates/userns.conf.in
> +++ b/config/templates/userns.conf.in
> @@ -13,7 +13,3 @@ lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
>  lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
>  lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
>  lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> -
> -# Default seccomp policy is not needed for unprivileged containers, and
> -# non-root users cannot use seccmp without NNP anyway.
> -lxc.seccomp =
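Review bot: the hunk drops the comment explaining why seccomp was cleared for unprivileged containers but adds nothing in its place, so a reader of userns.conf.in no longer sees that the default seccomp policy is now intentionally inherited rather than accidentally left in. Since the commit message ties this to current kernels and to a pending upstream patch ("until Eric's patch hits upstream"), a one-line comment at this spot stating that unprivileged containers rely on the default policy and that it was verified to work would keep that rationale with the file instead of only in the git log. Note also that the removed line contained a typo ("seccmp"), which disappears with it.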
> -- 
> 2.1.0
> 

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com