[lxc-devel] [PATCH 1/2] seccomp: add rule to reject umount -f
Stéphane Graber
stgraber at ubuntu.com
Fri Dec 19 18:30:51 UTC 2014
On Fri, Dec 19, 2014 at 06:22:55PM +0000, Serge Hallyn wrote:
> If a container has a bind mount from a host nfs or fuse
> filesystem, and does 'umount -f', it will disconnect the
> host's filesystem. This patch adds a seccomp rule to
> block umount -f from a container. It also adds that rule
> to the default seccomp profile.
>
> Thanks stgraber for the idea :)
>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> ---
> config/templates/common.seccomp | 1 +
> src/lxc/seccomp.c | 14 ++++++++++++++
> 2 files changed, 15 insertions(+)
>
> diff --git a/config/templates/common.seccomp b/config/templates/common.seccomp
> index e6650ef..6f8eeba 100644
> --- a/config/templates/common.seccomp
> +++ b/config/templates/common.seccomp
> @@ -1,5 +1,6 @@
> 2
> blacklist
> +reject_force_umount # comment this to allow umount -f; not recommended
> [all]
> kexec_load errno 1
> open_by_handle_at errno 1
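Review bot: the trailing `# comment this to allow umount -f; not recommended` on the directive line is only tolerated because the matching code in the seccomp.c hunk compares just the first 19 characters of the line, so any text after `reject_force_umount` is silently accepted rather than parsed. Either move the explanation onto its own line above the directive (in whatever comment form the v2 parser recognises) or document that trailing text on this line is ignored, so a later change to the parser does not turn this template into a load error.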
> diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
> index dfdedf2..825d8a1 100644
> --- a/src/lxc/seccomp.c
> +++ b/src/lxc/seccomp.c
> @@ -28,6 +28,7 @@
> #include <errno.h>
> #include <seccomp.h>
> #include <sys/utsname.h>
> +#include <sys/mount.h>
>
> #include "config.h"
> #include "lxcseccomp.h"
> @@ -186,6 +187,18 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
> ERROR("BUG: seccomp: rule and context arch do not match (arch %d)", arch);
> return false;
> }
> +
> + if (strncmp(line, "reject_force_umount", 19) == 0) {
> + INFO("Setting seccomp rule to reject force umounts\n");
> + ret = seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(umount2),
> + 1, SCMP_A1(SCMP_CMP_MASKED_EQ , MNT_FORCE , MNT_FORCE ));
> + if (ret < 0) {
> + ERROR("failed (%d) loading rule to reject force umount", ret);
> + return false;
> + }
> + return true;
> + }
> +
> nr = seccomp_syscall_resolve_name(line);
> if (nr == __NR_SCMP_ERROR) {
> WARN("Seccomp: failed to resolve syscall: %s", line);
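Review bot: `strncmp(line, "reject_force_umount", 19)` hard-codes the directive length as a magic number; use `sizeof("reject_force_umount") - 1` or a named constant so the length cannot drift from the string, and be aware that the prefix match also accepts `reject_force_umountXYZ` and any trailing text. Two smaller points: the `INFO("Setting seccomp rule to reject force umounts\n")` message carries a trailing `\n` while the neighbouring `ERROR` and `WARN` messages in this function do not, and the rule returns `EACCES` whereas umount(2) reports privilege failures as `EPERM`, which is the error a caller of `umount -f` would normally expect. The argument check itself looks right: `SCMP_A1` is the `flags` argument of `umount2(target, flags)`, and `SCMP_CMP_MASKED_EQ` with both mask and value set to `MNT_FORCE` matches whenever that bit is set regardless of the other flags; the stray spaces before the commas in that line could be tidied while touching it.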
> @@ -393,6 +406,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
> goto bad;
> }
> }
> +
> return 0;
>
> bad_arch:
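Review bot: this hunk only inserts a blank line before `return 0;` in `parse_config_v2`, which is whitespace churn unrelated to the new rule; drop it from this patch or move it to a separate cleanup commit so the change stays limited to the force-umount rule.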
> --
> 2.1.0
>
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com