[lxc-devel] [PATCH 2/2] ubuntu containers: use a seccomp filter by default

Stéphane Graber stgraber at ubuntu.com
Wed Jun 18 19:50:03 UTC 2014


On Wed, Jun 18, 2014 at 07:39:07PM +0000, Serge Hallyn wrote:
> Blacklist module loading, kexec, and open_by_handle_at (the cause of the
> not-docker-specific dockerinit mounts namespace escape).
> 
> Note this *should* be safe for use by all other distros as well.  I'm keeping
> the patch small here for review's sake, but if acked then we should also add
> it to all other templates.
> 
> Note also that this is *still* only a sanity thing.  A seccomp whitelist
> (as Kees points out :) would be far safer and future-proof.

Could you confirm that this will do the right thing with mixed
amd64/i386 (32bit static binary running in 64bit container, 32bit
sub-container running inside 64bit container, ...)?

Otherwise, I'm happy with that initial set. I don't think this is
Ubuntu-specific, nor should it be, but maybe we should just let the
other template maintainers test and see if that works for them too
before making that shared by all containers.

I'll send a patch to move things around a bit in config/templates/* to
make adding config shared by all templates easier.

> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> ---
>  config/templates/Makefile.am           | 3 ++-
>  config/templates/ubuntu.common.conf.in | 4 ++++
>  config/templates/ubuntu.seccomp.priv   | 7 +++++++
>  config/templates/ubuntu.userns.conf.in | 3 +++
>  4 files changed, 16 insertions(+), 1 deletion(-)
>  create mode 100644 config/templates/ubuntu.seccomp.priv
> 
> diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
> index 47969a9..12ce69d 100644
> --- a/config/templates/Makefile.am
> +++ b/config/templates/Makefile.am
> @@ -19,4 +19,5 @@ templatesconfig_DATA = \
>  	ubuntu-cloud.userns.conf \
>  	ubuntu.common.conf \
>  	ubuntu.lucid.conf \
> -	ubuntu.userns.conf
> +	ubuntu.userns.conf \
> +	ubuntu.seccomp.priv
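Review bot: the new entry is appended after `ubuntu.userns.conf`, but the surrounding list (`ubuntu-cloud.userns.conf`, `ubuntu.common.conf`, `ubuntu.lucid.conf`, `ubuntu.userns.conf`) is kept in alphabetical order, so the hunk breaks the ordering; insert `ubuntu.seccomp.priv` before `ubuntu.userns.conf` instead (and if the file is renamed to `ubuntu.priv.seccomp` as suggested in the reply, it slots in after `ubuntu.lucid.conf`). Note also that, unlike its neighbours, this file has no `.in` source and is installed verbatim, which is worth a word in the commit message since it is the first non-generated file in `templatesconfig_DATA`.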

Nitpick but can we make that ubuntu.priv.seccomp instead? That'd be
slightly more in line with what's done for the other configs.

> diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
> index 1ec323f..b0e85c0 100644
> --- a/config/templates/ubuntu.common.conf.in
> +++ b/config/templates/ubuntu.common.conf.in
> @@ -68,3 +68,7 @@ lxc.cgroup.devices.allow = c 10:232 rwm
>  ## To use loop devices, copy the following line to the container's
>  ## configuration file (uncommented).
>  #lxc.cgroup.devices.allow = b 7:* rwm
> +
> +# Blacklist some syscalls which are not safe in privileged
> +# containers
> +lxc.seccomp = /usr/share/lxc/config/ubuntu.seccomp.priv
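Review bot: the absolute path `/usr/share/lxc/config/ubuntu.seccomp.priv` is hard-coded in a `.in` file whose purpose is build-time substitution, so any build with a non-default prefix or template-config directory installs a config pointing at a file that does not exist there; use the substituted variable (the reply names LXCTEMPLATECONFIG) rather than the literal. Second point: this lands in `ubuntu.common.conf.in`, which is shared by privileged and unprivileged setups, while the comment says "not safe in privileged containers"; the only thing keeping the policy off unprivileged containers is the later empty assignment in `ubuntu.userns.conf.in`, so the comment here should say that the userns config overrides it, and that the override depends on the userns file being included after this one.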

You probably want to use something relative to LXCTEMPLATECONFIG instead ^

> diff --git a/config/templates/ubuntu.seccomp.priv b/config/templates/ubuntu.seccomp.priv
> new file mode 100644
> index 0000000..018ad6f
> --- /dev/null
> +++ b/config/templates/ubuntu.seccomp.priv
> @@ -0,0 +1,7 @@
> +2
> +blacklist
> +kexec_load errno 1
> +open_by_handle_at errno 1
> +init_module errno 1
> +finit_module errno 1
> +delete_module errno 1
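Review bot: the policy has no architecture section, so all five rules sit in the default table; on an amd64 host that leaves open whether a 32-bit binary using the i386 syscall numbers for `init_module`, `open_by_handle_at` and the rest is filtered at all, which is exactly the mixed amd64/i386 question raised in the reply, and it should be settled by running the test described there (a 32-bit static binary inside a 64-bit container must see the calls fail) before the file is shared with other templates. The file also carries no comment explaining why these five syscalls are listed; a line naming the reason from the commit message (module loading, kexec, and the `open_by_handle_at` mount-namespace escape) would save the next maintainer from re-deriving it. Returning `errno 1` (EPERM) instead of killing the process is the right choice for a default policy, since a program that probes one of these calls gets an ordinary permission failure rather than SIGSYS; that choice deserves a sentence in the commit message too.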
> diff --git a/config/templates/ubuntu.userns.conf.in b/config/templates/ubuntu.userns.conf.in
> index 5643744..96a4c0b 100644
> --- a/config/templates/ubuntu.userns.conf.in
> +++ b/config/templates/ubuntu.userns.conf.in
> @@ -17,3 +17,6 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
>  # Extra fstab entries as mountall can't mount those by itself
>  lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
>  lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
> +
> +# Default seccomp policy is not needed for unprivileged containers.
> +lxc.seccomp =
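Review bot: `lxc.seccomp =` with an empty value is used here to undo the setting inherited from `ubuntu.common.conf.in`, which works only if this file is always included after the common one and if the config parser treats an empty value as "unset" rather than as a policy path of ""; the comment should record both assumptions. "Not needed" also undersells the reason: inside a user namespace the kernel already refuses module loading, kexec and `open_by_handle_at` to anything outside the initial user namespace, so the policy is redundant there rather than merely optional. Saying that in the comment makes it clear that clearing it weakens nothing.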
> -- 
> 2.0.0

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
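As an added example, not part of this thread and not lxc's own code: a small Python parser and checker for the subset of the version-2 seccomp policy format that `ubuntu.seccomp.priv` in the patch above uses (a version line, `blacklist` or `whitelist`, `syscall errno N` rules, and optional `[arch]` headers). It makes the two things a reviewer would check visible: that every syscall the commit message names is actually listed, and that no rule sits under an architecture header, which is what the mixed amd64/i386 question in the reply turns on. How lxc itself treats a rule with no explicit action, or rules outside any section, is not modelled; the parser only records them. Section names are not validated, and the policy text below is the one from the patch, embedded as sample input.

```python
import errno
from dataclasses import dataclass, field
from typing import List, Optional

# The policy file from the patch, embedded here as sample input.
UBUNTU_SECCOMP_PRIV = """2
blacklist
kexec_load errno 1
open_by_handle_at errno 1
init_module errno 1
finit_module errno 1
delete_module errno 1
"""


@dataclass
class Rule:
    syscall: str
    action: str                   # "errno" for an explicit "errno N", "default" for a bare name
    errno_value: Optional[int] = None
    arch: Optional[str] = None    # enclosing [arch] section, None if outside any section


@dataclass
class Policy:
    mode: str                     # "blacklist" or "whitelist"
    rules: List[Rule] = field(default_factory=list)


def parse_policy(text: str) -> Policy:
    """Parse the subset of the v2 format used by the patch; raise ValueError on anything else."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if not lines or lines[0] != "2":
        raise ValueError("first line must be the format version '2'")
    if len(lines) < 2 or lines[1] not in ("blacklist", "whitelist"):
        raise ValueError("second line must be 'blacklist' or 'whitelist'")
    policy = Policy(mode=lines[1])
    arch = None
    for ln in lines[2:]:
        if ln.startswith("[") and ln.endswith("]"):
            arch = ln[1:-1]           # header such as [x86]; name is not validated here
            continue
        parts = ln.split()
        if len(parts) == 1:
            policy.rules.append(Rule(parts[0], "default", None, arch))
        elif len(parts) == 3 and parts[1] == "errno" and parts[2].isdigit() and int(parts[2]) > 0:
            policy.rules.append(Rule(parts[0], "errno", int(parts[2]), arch))
        else:
            raise ValueError(f"unrecognised rule: {ln!r}")
    return policy


def describe(rule: Rule) -> str:
    """Render a rule with the symbolic errno name, e.g. 'kexec_load -> EPERM'."""
    if rule.action == "errno":
        name = errno.errorcode.get(rule.errno_value, str(rule.errno_value))
        return f"{rule.syscall} -> {name}"
    return f"{rule.syscall} -> (mode default)"


def missing_from_blacklist(policy: Policy, wanted: List[str]) -> set:
    """Syscalls from `wanted` that the blacklist does not mention at all."""
    if policy.mode != "blacklist":
        raise ValueError("only meaningful for a blacklist policy")
    return set(wanted) - {r.syscall for r in policy.rules}


def rules_outside_arch_sections(policy: Policy) -> List[str]:
    """Rules not under any [arch] header. Whether lxc applies these to the 32-bit
    compat syscall table on a 64-bit host is the open question in the thread."""
    return [r.syscall for r in policy.rules if r.arch is None]


if __name__ == "__main__":
    p = parse_policy(UBUNTU_SECCOMP_PRIV)
    for r in p.rules:
        print(describe(r))
    print("missing:", missing_from_blacklist(p, ["init_module", "open_by_handle_at"]))
    print("no arch section:", rules_outside_arch_sections(p))
```

Running it on the patch's policy prints each rule as `... -> EPERM`, an empty `missing` set, and all five syscalls under `no arch section`, which is the thing to resolve (or document) before the file is copied to the other templates.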