[lxc-devel] [PATCH] seccomp: introduce v2 policy (v2)
Serge Hallyn
serge.hallyn at ubuntu.com
Wed Feb 12 22:08:44 UTC 2014
Quoting Stéphane Graber (stgraber at ubuntu.com):
> On Wed, Feb 12, 2014 at 03:50:20PM -0600, Serge Hallyn wrote:
> > v2 allows specifying system calls by name, and specifying
> > architecture. A policy looks like:
> >
> > 2
> > whitelist
> > open
> > read
> > write
> > close
> > mount
> > [x86]
> > open
> > read
> >
> > Also use SCMP_ACT_KILL by default rather than SCMP_ACT_ERRNO(31) -
> > which confusingly returns 'EMLINK' on x86_64. Note this change
> > is also done for v1 as I think it is worthwhile.
> >
> > With this patch, I can in fact use a seccomp policy like:
> >
> > 2
> > blacklist
> > mknod errno 0
> >
> > after which 'sudo mknod null c 1 3' silently succeeds without
> > creating the null device.
> >
> > changelog v2:
> > add blacklist support
> > support default action
> > support per-rule action
> >
> > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
>
> Looks good to me. Can I just ask you to send another patch updating our
> documentation? It currently only lists v1 and says that only whitelist
> is allowed (lxc.container.conf.sgml). Adding seccomp-v1 and seccomp-v2
> example files to doc/ may also be worthwhile.
Yup, will do.
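A worked example of the v2 policy format described in the patch message, as an added illustration rather than LXC's own code (LXC's parser lives in its C sources, not on this page). It parses the two policies quoted above (version line, whitelist/blacklist line, syscall names with an optional per-rule action such as "errno 0", and "[x86]" architecture sections), applies the default actions the message states (KILL for unlisted syscalls in a whitelist, ALLOW in a blacklist), and resolves which action a given syscall would get on a given architecture. Two things go beyond what the message shows and are assumptions: that a default action may be written after "whitelist"/"blacklist" on line 2 (the changelog says "support default action" but shows no syntax), and the action spellings "kill", "allow", "trap" and "errno". The `errno_name` helper only names the errno on the host it runs on; it is there to check the EMLINK remark.

```python
"""Parse the LXC seccomp v2 policy text format (added example, not LXC's code).

Assumed beyond the patch message: a default action after whitelist/blacklist
on line 2, and the action spellings "kill", "allow", "trap", "errno".
"""
import errno
from dataclasses import dataclass, field
from typing import Optional

# Policy-file spelling -> libseccomp constant (the spelling set is assumed).
ACTIONS = {
    "kill": "SCMP_ACT_KILL",
    "allow": "SCMP_ACT_ALLOW",
    "trap": "SCMP_ACT_TRAP",
    "errno": "SCMP_ACT_ERRNO",
}


@dataclass
class Rule:
    syscall: str
    arch: str              # "all" for rules outside any [arch] section
    action: str            # e.g. "SCMP_ACT_ERRNO"
    errno: Optional[int]   # argument of SCMP_ACT_ERRNO, else None


@dataclass
class Policy:
    mode: str                      # "whitelist" or "blacklist"
    default: tuple                 # (action, errno) for syscalls not listed
    rules: list = field(default_factory=list)


def parse_action(tokens, where):
    """Parse an optional action; return (action, errno) or None if absent."""
    if not tokens:
        return None
    name = tokens[0].lower()
    if name not in ACTIONS:
        raise ValueError(f"{where}: unknown action {tokens[0]!r}")
    if name == "errno":
        if len(tokens) != 2 or not tokens[1].isdigit():
            raise ValueError(f"{where}: errno needs one numeric argument")
        return ACTIONS[name], int(tokens[1])
    if len(tokens) != 1:
        raise ValueError(f"{where}: unexpected tokens after {tokens[0]!r}")
    return ACTIONS[name], None


def parse_policy(text):
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if not lines or lines[0] != "2":
        raise ValueError("only version-2 policies are handled here")
    if len(lines) < 2:
        raise ValueError("missing whitelist/blacklist line")
    head = lines[1].split()
    mode = head[0].lower()
    if mode not in ("whitelist", "blacklist"):
        raise ValueError(f"line 2: expected whitelist or blacklist, got {head[0]!r}")
    # Unlisted syscalls: KILL for a whitelist (the patch moved away from
    # ERRNO(31)), ALLOW for a blacklist, unless line 2 names a default.
    default = parse_action(head[1:], "line 2") or (
        ("SCMP_ACT_KILL", None) if mode == "whitelist" else ("SCMP_ACT_ALLOW", None))
    # Listed syscalls get the opposite of the default unless the rule says otherwise.
    listed = ("SCMP_ACT_ALLOW", None) if mode == "whitelist" else ("SCMP_ACT_KILL", None)
    policy = Policy(mode, default)
    arch = "all"
    for n, ln in enumerate(lines[2:], start=3):
        if ln.startswith("[") and ln.endswith("]"):
            arch = ln[1:-1].strip().lower()
            if not arch:
                raise ValueError(f"line {n}: empty architecture name")
            continue
        tokens = ln.split()
        action, err = parse_action(tokens[1:], f"line {n}") or listed
        policy.rules.append(Rule(tokens[0], arch, action, err))
    return policy


def decide(policy, syscall, arch):
    """Return the (action, errno) the policy applies to `syscall` on `arch`.

    A rule inside the matching [arch] section beats one outside any section;
    the policy default covers syscalls with no rule at all.
    """
    best = None
    for r in policy.rules:
        if r.syscall != syscall or r.arch not in ("all", arch.lower()):
            continue
        if best is None or (best.arch == "all" and r.arch != "all"):
            best = r
    return (best.action, best.errno) if best else policy.default


def errno_name(n):
    """Name of errno `n` on this host (31 is EMLINK on Linux, as the message notes)."""
    return errno.errorcode.get(n, f"errno {n}")


# Constructed inputs: the two policies quoted in the patch message.
WHITELIST_POLICY = "2\nwhitelist\nopen\nread\nwrite\nclose\nmount\n[x86]\nopen\nread\n"
BLACKLIST_POLICY = "2\nblacklist\nmknod errno 0\n"

if __name__ == "__main__":
    p = parse_policy(WHITELIST_POLICY)
    print("whitelist, execve on x86_64:", decide(p, "execve", "x86_64"))
    q = parse_policy(BLACKLIST_POLICY)
    print("blacklist, mknod:", decide(q, "mknod", "x86_64"), errno_name(0))
```

The blacklist case reproduces the behaviour the message describes: `mknod` resolves to `SCMP_ACT_ERRNO` with errno 0, so the call returns success without the kernel ever running it, while everything else falls through to the ALLOW default.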