[lxc-devel] [PATCH] seccomp: introduce v2 policy (v2)

Serge Hallyn serge.hallyn at ubuntu.com
Wed Feb 12 22:08:44 UTC 2014


Quoting Stéphane Graber (stgraber at ubuntu.com):
> On Wed, Feb 12, 2014 at 03:50:20PM -0600, Serge Hallyn wrote:
> > v2 allows specifying system calls by name, and specifying
> > architecture.  A policy looks like:
> > 
> > 2
> > whitelist
> > open
> > read
> > write
> > close
> > mount
> > [x86]
> > open
> > read
> > 
> > Also use SCMP_ACT_KILL by default rather than SCMP_ACT_ERRNO(31)  -
> > which confusingly returns 'EMLINK' on x86_64.  Note this change
> > is also done for v1 as I think it is worthwhile.
> > 
> > With this patch, I can in fact use a seccomp policy like:
> > 
> > 2
> > blacklist
> > mknod errno 0
> > 
> > after which 'sudo mknod null c 1 3' silently succeeds without
> > creating the null device.
> > 
> > changelog v2:
> >   add blacklist support
> >   support default action
> >   support per-rule action
> > 
> > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> 
> Looks good to me. Can I just ask you to send another patch updating our
> documentation? It currently only lists v1 and says that only whitelist
> is allowed (lxc.container.conf.sgml). Adding seccomp-v1 and seccomp-v2
> example files to doc/ may also be worthwhile.

Yup, will do.
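To make the v2 format described in the patch easier to reason about, here is a small model of it in Python. This is an added example, not LXC's own parser (which lives in C in src/lxc/seccomp.c). It turns a policy text into a per-architecture table of actions and answers "what does the filter do for this syscall on this arch", using the semantics stated in the thread: a whitelist defaults to SCMP_ACT_KILL and allows what is listed, a blacklist defaults to allow and kills what is listed, and a per-rule action such as "errno 0" overrides that. Assumptions not on the page: the spelling of the action words (kill, allow, trap, errno N), that an action may follow the whitelist/blacklist keyword to set the default, that rules before any [arch] header apply to every architecture, and that an arch-specific rule wins over a common one. The two policies embedded below are the ones from the patch description.

```python
"""Model of the LXC seccomp v2 policy format from the patch description.

Added example; not LXC's parser.  Action values mirror the libseccomp
macros named in the thread (SCMP_ACT_KILL, SCMP_ACT_ALLOW, SCMP_ACT_ERRNO(n)).
"""
import errno

KILL = ("kill", None)
ALLOW = ("allow", None)

# The two policies shown in the patch description.
WHITELIST_POLICY = "2\nwhitelist\nopen\nread\nwrite\nclose\nmount\n[x86]\nopen\nread\n"
BLACKLIST_POLICY = "2\nblacklist\nmknod errno 0\n"


def errno_action(num):
    return ("errno", num)


def parse_action(tokens):
    """Parse optional action words after a syscall name or mode keyword.

    Assumed spellings: 'kill', 'allow', 'trap', 'errno <n>'.  Returns None
    when no action is given so the caller can apply the mode's default.
    """
    if not tokens:
        return None
    if tokens[0] == "errno":
        if len(tokens) != 2 or not tokens[1].isdigit():
            raise ValueError("errno action needs one numeric argument")
        return errno_action(int(tokens[1]))
    if len(tokens) == 1 and tokens[0] in ("kill", "allow", "trap"):
        return (tokens[0], None)
    raise ValueError("unknown action %r" % (tokens,))


def parse_policy(text):
    """Return (mode, default_action, rules); rules maps arch -> {syscall: action}.

    Rules before any [arch] header are stored under 'all' (assumption: the
    patch shows rules before '[x86]' without naming that scope).
    """
    lines = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]
    if not lines or lines[0] != "2":
        raise ValueError("only version 2 policies are modelled here")
    if len(lines) < 2:
        raise ValueError("missing whitelist/blacklist line")
    mode, *mode_action = lines[1].split()
    if mode not in ("whitelist", "blacklist"):
        raise ValueError("second line must be 'whitelist' or 'blacklist'")
    # Thread: SCMP_ACT_KILL is now the default for a whitelist; a blacklist
    # must default to allowing anything it does not list.  An explicit action
    # after the keyword (assumed syntax) overrides that default.
    default = parse_action(mode_action) or (KILL if mode == "whitelist" else ALLOW)
    listed = ALLOW if mode == "whitelist" else KILL  # action for a bare rule
    rules = {"all": {}}
    arch = "all"
    for line in lines[2:]:
        if line.startswith("[") and line.endswith("]"):
            arch = line[1:-1]
            rules.setdefault(arch, {})
            continue
        name, *act = line.split()
        rules[arch][name] = parse_action(act) or listed
    return mode, default, rules


def lookup(policy, arch, syscall):
    """Action taken for `syscall` on `arch`: arch rule, then common rule, then default."""
    _mode, default, rules = policy
    for scope in (arch, "all"):
        if syscall in rules.get(scope, {}):
            return rules[scope][syscall]
    return default


def describe(action):
    """Render an action, resolving errno numbers the way the thread does (31 -> EMLINK)."""
    kind, num = action
    if kind != "errno":
        return "SCMP_ACT_" + kind.upper()
    if num == 0:
        name = "no error, call silently succeeds"
    else:
        name = errno.errorcode.get(num, "unknown")
    return "SCMP_ACT_ERRNO(%d) [%s]" % (num, name)


if __name__ == "__main__":
    for label, text in (("whitelist", WHITELIST_POLICY), ("blacklist", BLACKLIST_POLICY)):
        pol = parse_policy(text)
        for arch, call in (("x86", "open"), ("x86_64", "mknod"), ("x86_64", "read")):
            print("%s policy, %s %s: %s" % (label, arch, call, describe(lookup(pol, arch, call))))
    print("old default was", describe(errno_action(31)))
```

Running the module prints the verdict for a few (arch, syscall) pairs under each policy; with the blacklist policy, mknod resolves to SCMP_ACT_ERRNO(0), which is exactly why the mknod in the description returns success without creating anything.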

