[lxc-devel] [PATCH] Enable default seccomp profile for all distros

Serge Hallyn serge.hallyn at ubuntu.com
Wed Jul 2 03:37:02 UTC 2014 

Quoting Stéphane Graber (stgraber at ubuntu.com):
> This updates the common config to include Serge's seccomp profile by
> default for privileged containers.
> 
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>

Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

> ---
>  config/templates/Makefile.am           | 4 ++--
>  config/templates/common.conf.in        | 4 ++++
>  config/templates/common.seccomp        | 8 ++++++++
>  config/templates/ubuntu.common.conf.in | 4 ----
>  config/templates/ubuntu.priv.seccomp   | 8 --------
>  config/templates/ubuntu.userns.conf.in | 4 ----
>  config/templates/userns.conf.in        | 4 ++++
>  7 files changed, 18 insertions(+), 18 deletions(-)
>  create mode 100644 config/templates/common.seccomp
>  delete mode 100644 config/templates/ubuntu.priv.seccomp
> 
> diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
> index 61b4b45..82ca8be 100644
> --- a/config/templates/Makefile.am
> +++ b/config/templates/Makefile.am
> @@ -1,6 +1,6 @@
>  templatesconfigdir=@LXCTEMPLATECONFIG@
>  
> -EXTRA_DIST = ubuntu.priv.seccomp
> +EXTRA_DIST = common.seccomp
>  
>  templatesconfig_DATA = \
>  	archlinux.common.conf \
> @@ -8,6 +8,7 @@ templatesconfig_DATA = \
>  	centos.common.conf \
>  	centos.userns.conf \
>  	common.conf \
> +	common.seccomp \
>  	debian.common.conf \
>  	debian.userns.conf \
>  	fedora.common.conf \
> @@ -26,6 +27,5 @@ templatesconfig_DATA = \
>  	ubuntu-cloud.userns.conf \
>  	ubuntu.common.conf \
>  	ubuntu.lucid.conf \
> -	ubuntu.priv.seccomp \
>  	ubuntu.userns.conf \
>  	userns.conf
> diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in
> index 1616b4f..b15b5fa 100644
> --- a/config/templates/common.conf.in
> +++ b/config/templates/common.conf.in
> @@ -33,3 +33,7 @@ lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx
>  lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
>  lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
>  lxc.cgroup.devices.allow = c 136:* rwm	# /dev/pts/*
> +
> +# Blacklist some syscalls which are not safe in privileged
> +# containers
> +lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp
> diff --git a/config/templates/common.seccomp b/config/templates/common.seccomp
> new file mode 100644
> index 0000000..e6650ef
> --- /dev/null
> +++ b/config/templates/common.seccomp
> @@ -0,0 +1,8 @@
> +2
> +blacklist
> +[all]
> +kexec_load errno 1
> +open_by_handle_at errno 1
> +init_module errno 1
> +finit_module errno 1
> +delete_module errno 1
> diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
> index ee008e2..631b4bb 100644
> --- a/config/templates/ubuntu.common.conf.in
> +++ b/config/templates/ubuntu.common.conf.in
> @@ -42,7 +42,3 @@ lxc.cgroup.devices.allow = c 10:232 rwm
>  ## To use loop devices, copy the following line to the container's
>  ## configuration file (uncommented).
>  #lxc.cgroup.devices.allow = b 7:* rwm
> -
> -# Blacklist some syscalls which are not safe in privileged
> -# containers
> -lxc.seccomp = @LXCTEMPLATECONFIG@/ubuntu.priv.seccomp
> diff --git a/config/templates/ubuntu.priv.seccomp b/config/templates/ubuntu.priv.seccomp
> deleted file mode 100644
> index e6650ef..0000000
> --- a/config/templates/ubuntu.priv.seccomp
> +++ /dev/null
> @@ -1,8 +0,0 @@
> -2
> -blacklist
> -[all]
> -kexec_load errno 1
> -open_by_handle_at errno 1
> -init_module errno 1
> -finit_module errno 1
> -delete_module errno 1
> diff --git a/config/templates/ubuntu.userns.conf.in b/config/templates/ubuntu.userns.conf.in
> index e25270c..0d73464 100644
> --- a/config/templates/ubuntu.userns.conf.in
> +++ b/config/templates/ubuntu.userns.conf.in
> @@ -4,7 +4,3 @@ lxc.include = @LXCTEMPLATECONFIG@/userns.conf
>  # Extra fstab entries as mountall can't mount those by itself
>  lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
>  lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
> -
> -# Default seccomp policy is not needed for unprivileged containers, and
> -# non-root users cannot use seccmp without NNP anyway.
> -lxc.seccomp =
> diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in
> index 5dc19c7..2d9d7d5 100644
> --- a/config/templates/userns.conf.in
> +++ b/config/templates/userns.conf.in
> @@ -13,3 +13,7 @@ lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
>  lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
>  lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
>  lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> +
> +# Default seccomp policy is not needed for unprivileged containers, and
> +# non-root users cannot use seccmp without NNP anyway.
> +lxc.seccomp =
> -- 
> 1.9.1
> 
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

More information about the lxc-devel mailing list