[lxc-devel] [PATCH 2/2] ubuntu containers: use a seccomp filter by default

Serge Hallyn serge.hallyn at ubuntu.com
Wed Jun 18 19:39:07 UTC 2014


Blacklist module loading, kexec, and open_by_handle_at (the cause of the
not-docker-specific dockerinit mounts namespace escape).

Note this *should* be safe for use by all other distros as well.  I'm keeping
the patch small here for review's sake, but if acked then we should also add
it to all other templates.

Note also that this is *still* only a sanity thing.  A seccomp whitelist
(as Kees points out :) would be far safer and future-proof.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
 config/templates/Makefile.am           | 3 ++-
 config/templates/ubuntu.common.conf.in | 4 ++++
 config/templates/ubuntu.seccomp.priv   | 7 +++++++
 config/templates/ubuntu.userns.conf.in | 3 +++
 4 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 config/templates/ubuntu.seccomp.priv

diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
index 47969a9..12ce69d 100644
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
@@ -19,4 +19,5 @@ templatesconfig_DATA = \
 	ubuntu-cloud.userns.conf \
 	ubuntu.common.conf \
 	ubuntu.lucid.conf \
-	ubuntu.userns.conf
+	ubuntu.userns.conf \
+	ubuntu.seccomp.priv
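Review bot: the new entry breaks the alphabetical order of templatesconfig_DATA; the existing list runs ubuntu.common.conf, ubuntu.lucid.conf, ubuntu.userns.conf, so ubuntu.seccomp.priv belongs before ubuntu.userns.conf rather than appended after it. Also worth checking that the file is picked up by the distribution tarball (any EXTRA_DIST list in this Makefile.am is outside the hunk, so it is not visible here), since unlike the neighbouring .conf files it is shipped as-is rather than generated from a .in.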
diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
index 1ec323f..b0e85c0 100644
--- a/config/templates/ubuntu.common.conf.in
+++ b/config/templates/ubuntu.common.conf.in
@@ -68,3 +68,7 @@ lxc.cgroup.devices.allow = c 10:232 rwm
 ## To use loop devices, copy the following line to the container's
 ## configuration file (uncommented).
 #lxc.cgroup.devices.allow = b 7:* rwm
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = /usr/share/lxc/config/ubuntu.seccomp.priv
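Review bot: the absolute path /usr/share/lxc/config/ubuntu.seccomp.priv is hardcoded in a configure-time .in template, so it will be wrong for builds with a different --prefix or datadir; use the same substitution that turns ubuntu.common.conf.in into ubuntu.common.conf so the path follows the configured install location. The comment could also tell users how to opt out, since this now applies to every container that includes ubuntu.common.conf, e.g. "# To disable, add 'lxc.seccomp =' to the container's config".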
diff --git a/config/templates/ubuntu.seccomp.priv b/config/templates/ubuntu.seccomp.priv
new file mode 100644
index 0000000..018ad6f
--- /dev/null
+++ b/config/templates/ubuntu.seccomp.priv
@@ -0,0 +1,7 @@
+2
+blacklist
+kexec_load errno 1
+open_by_handle_at errno 1
+init_module errno 1
+finit_module errno 1
+delete_module errno 1
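Review bot: the policy file carries none of the rationale from the commit message, and "errno 1" is not self-explanatory; add '#' comments (the version-2 format accepts them) stating that errno 1 is EPERM, that kexec_load and the *_module entries block kexec and module loading from a privileged container, and that open_by_handle_at is blocked because it allows the mount-namespace escape described in the commit message. It would also help to note in the file that this is a blacklist and so, as the commit message itself says, only a sanity measure: any syscall not listed here remains allowed.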
diff --git a/config/templates/ubuntu.userns.conf.in b/config/templates/ubuntu.userns.conf.in
index 5643744..96a4c0b 100644
--- a/config/templates/ubuntu.userns.conf.in
+++ b/config/templates/ubuntu.userns.conf.in
@@ -17,3 +17,6 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
 # Extra fstab entries as mountall can't mount those by itself
 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+
+# Default seccomp policy is not needed for unprivileged containers.
+lxc.seccomp =
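Review bot: the comment says the policy is "not needed", but what the line actually does is clear the lxc.seccomp value inherited from ubuntu.common.conf, so say that explicitly, e.g. "# Override the seccomp policy set by ubuntu.common.conf; it is not needed for unprivileged containers". Please also confirm that an empty assignment really resets lxc.seccomp to unset rather than being rejected or treated as a path, since this hunk relies on that behaviour and nothing else in the patch shows it.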
-- 
2.0.0