[lxc-devel] [PATCH] Enable default seccomp profile for all distros
Serge Hallyn
serge.hallyn at ubuntu.com
Wed Jul 2 03:37:02 UTC 2014
Quoting Stéphane Graber (stgraber at ubuntu.com):
> This updates the common config to include Serge's seccomp profile by
> default for privileged containers.
>
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
> ---
> config/templates/Makefile.am | 4 ++--
> config/templates/common.conf.in | 4 ++++
> config/templates/common.seccomp | 8 ++++++++
> config/templates/ubuntu.common.conf.in | 4 ----
> config/templates/ubuntu.priv.seccomp | 8 --------
> config/templates/ubuntu.userns.conf.in | 4 ----
> config/templates/userns.conf.in | 4 ++++
> 7 files changed, 18 insertions(+), 18 deletions(-)
> create mode 100644 config/templates/common.seccomp
> delete mode 100644 config/templates/ubuntu.priv.seccomp
>
> diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
> index 61b4b45..82ca8be 100644
> --- a/config/templates/Makefile.am
> +++ b/config/templates/Makefile.am
> @@ -1,6 +1,6 @@
> templatesconfigdir=@LXCTEMPLATECONFIG@
>
> -EXTRA_DIST = ubuntu.priv.seccomp
> +EXTRA_DIST = common.seccomp
>
> templatesconfig_DATA = \
> archlinux.common.conf \
> @@ -8,6 +8,7 @@ templatesconfig_DATA = \
> centos.common.conf \
> centos.userns.conf \
> common.conf \
> + common.seccomp \
> debian.common.conf \
> debian.userns.conf \
> fedora.common.conf \
> @@ -26,6 +27,5 @@ templatesconfig_DATA = \
> ubuntu-cloud.userns.conf \
> ubuntu.common.conf \
> ubuntu.lucid.conf \
> - ubuntu.priv.seccomp \
> ubuntu.userns.conf \
> userns.conf
> diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in
> index 1616b4f..b15b5fa 100644
> --- a/config/templates/common.conf.in
> +++ b/config/templates/common.conf.in
> @@ -33,3 +33,7 @@ lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx
> lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
> lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
> lxc.cgroup.devices.allow = c 136:* rwm # /dev/pts/*
> +
> +# Blacklist some syscalls which are not safe in privileged
> +# containers
> +lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp
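Review bot: The comment above the new `lxc.seccomp` line says what the profile does but not how a container opts out, which matters now that the profile applies to every distro's privileged containers instead of only Ubuntu's; suggest `# Blacklist some syscalls which are not safe in privileged` / `# containers. Containers that need them can clear this with an` / `# empty "lxc.seccomp =" in their own config.` The profile is default-allow (common.seccomp declares `blacklist`), so "some syscalls" is accurate: only the listed calls are refused, and the rest are untouched. That an empty assignment clears the setting is what the userns.conf.in hunk later in this patch relies on, so documenting it here keeps the two files consistent.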
> diff --git a/config/templates/common.seccomp b/config/templates/common.seccomp
> new file mode 100644
> index 0000000..e6650ef
> --- /dev/null
> +++ b/config/templates/common.seccomp
> @@ -0,0 +1,8 @@
> +2
> +blacklist
> +[all]
> +kexec_load errno 1
> +open_by_handle_at errno 1
> +init_module errno 1
> +finit_module errno 1
> +delete_module errno 1
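Review bot: common.seccomp carries no header explaining its format, and since it is a default-allow policy (`blacklist`) it silently permits every syscall not listed, including ones added by later kernels; a reader of the installed file cannot tell that from the bare `2` / `blacklist` / `[all]` lines. Suggest a short header such as `# LXC seccomp policy, v2, default-allow: only the syscalls listed` / `# below are refused, returning EPERM (errno 1) rather than killing` / `# the process; [all] applies the rules to every architecture.` This assumes the policy parser skips `#` lines, which I believe it does but cannot confirm from this patch. The same file content is what ubuntu.priv.seccomp held before, so this is purely documentation of the now-shared file.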
> diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
> index ee008e2..631b4bb 100644
> --- a/config/templates/ubuntu.common.conf.in
> +++ b/config/templates/ubuntu.common.conf.in
> @@ -42,7 +42,3 @@ lxc.cgroup.devices.allow = c 10:232 rwm
> ## To use loop devices, copy the following line to the container's
> ## configuration file (uncommented).
> #lxc.cgroup.devices.allow = b 7:* rwm
> -
> -# Blacklist some syscalls which are not safe in privileged
> -# containers
> -lxc.seccomp = @LXCTEMPLATECONFIG@/ubuntu.priv.seccomp
> diff --git a/config/templates/ubuntu.priv.seccomp b/config/templates/ubuntu.priv.seccomp
> deleted file mode 100644
> index e6650ef..0000000
> --- a/config/templates/ubuntu.priv.seccomp
> +++ /dev/null
> @@ -1,8 +0,0 @@
> -2
> -blacklist
> -[all]
> -kexec_load errno 1
> -open_by_handle_at errno 1
> -init_module errno 1
> -finit_module errno 1
> -delete_module errno 1
> diff --git a/config/templates/ubuntu.userns.conf.in b/config/templates/ubuntu.userns.conf.in
> index e25270c..0d73464 100644
> --- a/config/templates/ubuntu.userns.conf.in
> +++ b/config/templates/ubuntu.userns.conf.in
> @@ -4,7 +4,3 @@ lxc.include = @LXCTEMPLATECONFIG@/userns.conf
> # Extra fstab entries as mountall can't mount those by itself
> lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
> lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
> -
> -# Default seccomp policy is not needed for unprivileged containers, and
> -# non-root users cannot use seccmp without NNP anyway.
> -lxc.seccomp =
> diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in
> index 5dc19c7..2d9d7d5 100644
> --- a/config/templates/userns.conf.in
> +++ b/config/templates/userns.conf.in
> @@ -13,3 +13,7 @@ lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
> lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> +
> +# Default seccomp policy is not needed for unprivileged containers, and
> +# non-root users cannot use seccmp without NNP anyway.
> +lxc.seccomp =
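Review bot: The added comment misspells the feature on its second line, `seccmp` for `seccomp`; suggest `# non-root users cannot use seccomp without NNP anyway.` More substantively, moving the empty `lxc.seccomp =` reset into the generic userns.conf means every distro's userns template must include userns.conf after common.conf for the reset to take effect; whether the non-Ubuntu userns templates listed in the Makefile.am hunk do so is not visible in this patch. If one of them does not, its unprivileged containers would now inherit the profile from common.conf and, going by the reason this comment gives, presumably fail to start. Worth verifying against those templates before merging.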
> --
> 1.9.1
>