[lxc-devel] [lxc/lxc] 6166fa: seccomp: add rule to reject umount -f

GitHub noreply at github.com
Fri Dec 19 18:45:21 UTC 2014


  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: 6166fa6d83b23e86a24cc2ab5cfe780fccb0a709
      https://github.com/lxc/lxc/commit/6166fa6d83b23e86a24cc2ab5cfe780fccb0a709
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2014-12-19 (Fri, 19 Dec 2014)

  Changed paths:
    M config/templates/common.seccomp
    M src/lxc/seccomp.c

  Log Message:
  -----------
  seccomp: add rule to reject umount -f

If a container has a bind mount from a host nfs or fuse
filesystem, and does 'umount -f', it will disconnect the
host's filesystem.  This patch adds a seccomp rule to
block umount -f from a container.  It also adds that rule
to the default seccomp profile.

Thanks stgraber for the idea :)

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: 218f99322c78b7788c0eff1997f95d135741e480
      https://github.com/lxc/lxc/commit/218f99322c78b7788c0eff1997f95d135741e480
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2014-12-19 (Fri, 19 Dec 2014)

  Changed paths:
    M config/templates/userns.conf.in

  Log Message:
  -----------
  Enable seccomp by default for unprivileged users.

In contrast to what the comment above the line disabling it said,
it seems to work just fine.  It also is needed on current kernels
(until Eric's patch hits upstream) to prevent unprivileged containers
from hosing fuse filesystems they inherit.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: 8f3a3cd80509d32443072b5f678fdebd04cbc882
      https://github.com/lxc/lxc/commit/8f3a3cd80509d32443072b5f678fdebd04cbc882
  Author: Johannes Kastl <mail at ojkastl.de>
  Date:   2014-12-19 (Fri, 19 Dec 2014)

  Changed paths:
    M templates/lxc-opensuse.in

  Log Message:
  -----------
  lxc-opensuse: default release changed to 13.1, as 12.3 reaches end-of-life soon

Signed-off-by: Johannes Kastl <git at ojkastl.de>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: d3eccbbf805cb68522955519b0709853f6bc7bff
      https://github.com/lxc/lxc/commit/d3eccbbf805cb68522955519b0709853f6bc7bff
  Author: Johannes Kastl <mail at ojkastl.de>
  Date:   2014-12-19 (Fri, 19 Dec 2014)

  Changed paths:
    M templates/lxc-opensuse.in

  Log Message:
  -----------
  lxc-opensuse: Disable building openSUSE containers on 13.2/Tumbleweed only if wrong version of build package is installed

Signed-off-by: Johannes Kastl <git at ojkastl.de>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


Compare: https://github.com/lxc/lxc/compare/ec64264d78d4...d3eccbbf805c
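The rule described in the first commit (6166fa) can be pictured as a seccomp filter that inspects the flags argument of umount2() and refuses the call when MNT_FORCE is set. The following is an added example, not the code from src/lxc/seccomp.c: it is written as a raw seccomp-BPF program for Linux on x86_64 or aarch64, and the function names, the EACCES return value and the path are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "define NATIVE_ARCH for this architecture"
#endif
#define FIELD(f) ((unsigned)offsetof(struct seccomp_data, f)) /* low 32 bits, little-endian */

/* Deny-list filter: umount2() with MNT_FORCE set in its flags (args[1]) fails with EACCES. */
static int install_reject_force_umount(void) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 0, 7),  /* foreign ABI -> kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(nr)),
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000u, 5, 0),  /* x32 numbering -> kill */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_umount2, 0, 3),  /* other syscall -> allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(args[1])),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, MNT_FORCE, 0, 1),   /* bit clear -> allow */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EACCES),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    };
    struct sock_fprog fprog = { .len = (unsigned short)(sizeof(prog) / sizeof(prog[0])), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* needed without CAP_SYS_ADMIN */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Install the filter in a forked child; return the errno umount2() gets there, -1 on setup failure. */
static int umount_errno_under_filter(const char *path, int flags) {
    int status = 0;
    pid_t pid = fork();
    if (pid == 0)
        _exit(install_reject_force_umount() != 0 ? 255 : (umount2(path, flags) == 0 ? 0 : errno));
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}
int main(void) { /* exit 0 when a forced unmount of the constructed path is refused */
    return umount_errno_under_filter("/constructed-example-path", MNT_FORCE) == EACCES ? 0 : 1;
}
```

The test is a bit mask on the flags word, so MNT_FORCE combined with other flags is refused as well, while a plain umount2() still reaches the kernel's normal permission checks. A seccomp filter is inherited across fork and exec, so installing it once before the container's init starts covers every process in the container.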

