[lxc-devel] [PATCH] Enable default seccomp profile for all distros

Stéphane Graber stgraber at ubuntu.com
Wed Jul 2 01:39:02 UTC 2014


This updates the common config to include Serge's seccomp profile by
default for privileged containers.

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 config/templates/Makefile.am           | 4 ++--
 config/templates/common.conf.in        | 4 ++++
 config/templates/common.seccomp        | 8 ++++++++
 config/templates/ubuntu.common.conf.in | 4 ----
 config/templates/ubuntu.priv.seccomp   | 8 --------
 config/templates/ubuntu.userns.conf.in | 4 ----
 config/templates/userns.conf.in        | 4 ++++
 7 files changed, 18 insertions(+), 18 deletions(-)
 create mode 100644 config/templates/common.seccomp
 delete mode 100644 config/templates/ubuntu.priv.seccomp

diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
index 61b4b45..82ca8be 100644
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
@@ -1,6 +1,6 @@
 templatesconfigdir=@LXCTEMPLATECONFIG@
 
-EXTRA_DIST = ubuntu.priv.seccomp
+EXTRA_DIST = common.seccomp
 
 templatesconfig_DATA = \
 	archlinux.common.conf \
@@ -8,6 +8,7 @@ templatesconfig_DATA = \
 	centos.common.conf \
 	centos.userns.conf \
 	common.conf \
+	common.seccomp \
 	debian.common.conf \
 	debian.userns.conf \
 	fedora.common.conf \
@@ -26,6 +27,5 @@ templatesconfig_DATA = \
 	ubuntu-cloud.userns.conf \
 	ubuntu.common.conf \
 	ubuntu.lucid.conf \
-	ubuntu.priv.seccomp \
 	ubuntu.userns.conf \
 	userns.conf
diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in
index 1616b4f..b15b5fa 100644
--- a/config/templates/common.conf.in
+++ b/config/templates/common.conf.in
@@ -33,3 +33,7 @@ lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx
 lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
 lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
 lxc.cgroup.devices.allow = c 136:* rwm	# /dev/pts/*
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp
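Review bot: The added comment still describes the profile as a privileged-container blacklist, but common.conf is now the shared base, so the comment should say how unprivileged containers end up without it. From the userns.conf.in hunk later in this patch, the opt-out is an empty `lxc.seccomp =` in userns.conf, which only works if that file is processed after common.conf; that ordering is not visible here, so it is worth stating the dependency in the comment, e.g. `# Blacklist some syscalls which are not safe in privileged containers; userns.conf clears lxc.seccomp for unprivileged containers, so it must be included after this file.`. The rest of common.conf.in is outside the hunk.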
diff --git a/config/templates/common.seccomp b/config/templates/common.seccomp
new file mode 100644
index 0000000..e6650ef
--- /dev/null
+++ b/config/templates/common.seccomp
@@ -0,0 +1,8 @@
+2
+blacklist
+[all]
+kexec_load errno 1
+open_by_handle_at errno 1
+init_module errno 1
+finit_module errno 1
+delete_module errno 1
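Review bot: The new common.seccomp has no header explaining the policy, and since it is now applied to every distro it will be the first thing a user looks at when a syscall starts failing with EPERM. I would add a short header stating that the first two lines are the v2 blacklist format applied to all architectures, that each listed syscall returns errno 1 (EPERM) rather than killing the process so containers degrade gracefully, and that the entries cover kexec, module loading/unloading and opening files by handle, which can reach outside the container when run as root. This presumes the lxc seccomp parser accepts `#` comment lines; if it does not, the same text belongs in the commit message or in common.conf.in next to the `lxc.seccomp` line instead.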
diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
index ee008e2..631b4bb 100644
--- a/config/templates/ubuntu.common.conf.in
+++ b/config/templates/ubuntu.common.conf.in
@@ -42,7 +42,3 @@ lxc.cgroup.devices.allow = c 10:232 rwm
 ## To use loop devices, copy the following line to the container's
 ## configuration file (uncommented).
 #lxc.cgroup.devices.allow = b 7:* rwm
-
-# Blacklist some syscalls which are not safe in privileged
-# containers
-lxc.seccomp = @LXCTEMPLATECONFIG@/ubuntu.priv.seccomp
diff --git a/config/templates/ubuntu.priv.seccomp b/config/templates/ubuntu.priv.seccomp
deleted file mode 100644
index e6650ef..0000000
--- a/config/templates/ubuntu.priv.seccomp
+++ /dev/null
@@ -1,8 +0,0 @@
-2
-blacklist
-[all]
-kexec_load errno 1
-open_by_handle_at errno 1
-init_module errno 1
-finit_module errno 1
-delete_module errno 1
diff --git a/config/templates/ubuntu.userns.conf.in b/config/templates/ubuntu.userns.conf.in
index e25270c..0d73464 100644
--- a/config/templates/ubuntu.userns.conf.in
+++ b/config/templates/ubuntu.userns.conf.in
@@ -4,7 +4,3 @@ lxc.include = @LXCTEMPLATECONFIG@/userns.conf
 # Extra fstab entries as mountall can't mount those by itself
 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
-
-# Default seccomp policy is not needed for unprivileged containers, and
-# non-root users cannot use seccmp without NNP anyway.
-lxc.seccomp =
diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in
index 5dc19c7..2d9d7d5 100644
--- a/config/templates/userns.conf.in
+++ b/config/templates/userns.conf.in
@@ -13,3 +13,7 @@ lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
 lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
 lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
 lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+
+# Default seccomp policy is not needed for unprivileged containers, and
+# non-root users cannot use seccmp without NNP anyway.
+lxc.seccomp =
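Review bot: The added comment on the second line has a typo, "seccmp", carried over from the deleted ubuntu.userns.conf.in text; while moving it, fix it and spell out the abbreviation: `# non-root users cannot use seccomp without no_new_privs (NNP) anyway.`. The empty `lxc.seccomp =` itself is the opt-out for unprivileged containers, so it may also be worth saying in the comment that this line must come after the common.conf include to take effect; that ordering is not visible in this hunk.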
-- 
1.9.1


