[lxc-devel] [PATCH 2/2] ubuntu containers: use a seccomp filter by default

Serge Hallyn serge.hallyn at ubuntu.com
Wed Jun 18 20:09:30 UTC 2014


Quoting Stéphane Graber (stgraber at ubuntu.com):
> On Wed, Jun 18, 2014 at 07:39:07PM +0000, Serge Hallyn wrote:
> > Blacklist module loading, kexec, and open_by_handle_at (the cause of the
> > not-docker-specific dockerinit mounts namespace escape).
> > 
> > Note this *should* be safe for use by all other distros as well.  I'm keeping
> > the patch small here for review's sake, but if acked then we should also add
> > it to all other templates.
> > 
> > Note also that this is *still* only a sanity thing.  A seccomp whitelist
> > (as Kees points out :) would be far safer and future-proof.
> 
> Could you confirm that this will do the right thing with mixed
> amd64/i386 (32bit static binary running in 64bit container, 32bit
> sub-container running inside 64bit container, ...)?

Good point - seccomp breaks with 32-bit right now actually.  We
can specify per-arch syscalls in separate policy sections, but
that doesn't suffice for a common config since currently lxc limits
(with no good reason?) to no more than 2 such sections.

So to support this I think I'll add a [all] architecture keyword
which will apply to all natively supported personalities (amd64
and i386 on amd64, i386 on i386, [arm] for arm - and I guess
arm64 is not yet supported in libseccomp?)

-serge
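The mixed-arch gap Stéphane raises (a 32-bit binary inside a 64-bit container sees none of a policy written only for [x86_64]) can be audited mechanically. Below is an added example, not code from this thread or from LXC; it assumes the LXC v2 policy layout (a "2" version line, a blacklist/whitelist line, syscall names grouped under optional "[arch]" headers, "#" comments) and treats the proposed [all] section as covering every personality.

```python
"""Audit an LXC seccomp v2 policy for per-architecture coverage gaps.

Added example (not from the lxc-devel thread or the LXC project).  Assumed
layout: version line "2", then "blacklist"/"whitelist", then syscall names
grouped under optional "[arch]" headers; "#" starts a comment.
"""
import re

# Constructed sample: the blacklist from the thread written only for the
# 64-bit personality, so 32-bit binaries in the same container are missed.
SAMPLE_POLICY = """\
2
blacklist
[x86_64]
init_module
finit_module
delete_module
kexec_load
open_by_handle_at  # dockerinit-style mount namespace escape
"""

def parse_policy(text):
    """Return (mode, {arch: set of syscalls}); names before any [arch] go under 'default'."""
    lines = [l.split("#", 1)[0].strip() for l in text.splitlines()]
    lines = [l for l in lines if l]
    if not lines or lines[0] != "2":
        raise ValueError("only v2 policies are handled")
    mode = lines[1].split()[0]
    sections, arch = {}, "default"
    for line in lines[2:]:
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            arch = m.group(1)
            sections.setdefault(arch, set())
            continue
        sections.setdefault(arch, set()).add(line.split()[0])
    return mode, sections

def coverage_gaps(sections, personalities=("x86_64", "x86")):
    """Syscalls listed for one native personality but not for another.
    An [all] section (the keyword proposed in the thread) is assumed to
    apply to every personality."""
    common = sections.get("all", set())
    per_arch = {a: sections.get(a, set()) | common for a in personalities}
    union = set().union(*per_arch.values())
    return {a: sorted(union - s) for a, s in per_arch.items() if union - s}

if __name__ == "__main__":
    mode, sections = parse_policy(SAMPLE_POLICY)
    for arch, missing in coverage_gaps(sections).items():
        print(f"{mode} policy leaves [{arch}] without: {', '.join(missing)}")
```

Run against the sample it reports every blacklisted syscall as missing for [x86]; moving the five names under an [all] section makes the report empty.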
