[lxc-devel] [PATCH 2/2] ubuntu containers: use a seccomp filter by default

Stéphane Graber stgraber at ubuntu.com
Wed Jun 18 20:13:55 UTC 2014


On Wed, Jun 18, 2014 at 08:09:30PM +0000, Serge Hallyn wrote:
> Quoting Stéphane Graber (stgraber at ubuntu.com):
> > On Wed, Jun 18, 2014 at 07:39:07PM +0000, Serge Hallyn wrote:
> > > Blacklist module loading, kexec, and open_by_handle_at (the cause of the
> > > not-docker-specific dockerinit mounts namespace escape).
> > > 
> > > Note this *should* be safe for use by all other distros as well.  I'm keeping
> > > the patch small here for review's sake, but if acked then we should also add
> > > it to all other templates.
> > > 
> > > Note also that this is *still* only a sanity thing.  A seccomp whitelist
> > > (as Kees points out :) would be far safer and future-proof.
> > 
> > Could you confirm that this will do the right thing with mixed
> > amd64/i386 (32bit static binary running in 64bit container, 32bit
> > sub-container running inside 64bit container, ...)?
> 
> Good point - seccomp breaks with 32-bit right now actually.  We
> can specify per-arch syscalls in separate policy sections, but
> that doesn't suffice for a common config since currently lxc limits
> (with no good reason?) to no more than 2 such sections.
> 
> So to support this I think I'll add a [all] architecture keyword
> which will apply to all natively supported personalities (amd64
> and i386 on amd64, i386 on i386, [arm] for arm - and I guess
> arm64 is not yet supported in libseccomp?)

Sounds good, thanks!

> 
> -serge

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
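The 32-bit problem raised above comes down to the fact that a seccomp filter matches on raw syscall numbers, and those numbers differ between the amd64 and i386 personalities that one amd64 kernel executes natively. The following is an added example, not LXC's code and not part of this thread: a hand-built seccomp-BPF program that returns EPERM for the five syscalls the patch blacklists (init_module, finit_module, delete_module, kexec_load, open_by_handle_at), with one rule table per personality, which is roughly what an `[all]` section has to expand to. The syscall numbers are taken from the kernel's x86_64 and i386 syscall tables; the x32 check (syscall numbers with bit 30 set) and the fail-closed default for unknown architectures are my additions, not something the thread discusses.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef __x86_64__
#error "this example targets an amd64 kernel running amd64 and i386 binaries"
#endif

#define NSYS 5
struct arch_rules { uint32_t arch; int nr[NSYS]; };

/* Constructed tables. Same five syscalls, different numbers per personality:
 * init_module, finit_module, delete_module, kexec_load, open_by_handle_at. */
static const struct arch_rules rules[] = {
    { AUDIT_ARCH_X86_64, { 175, 313, 176, 246, 304 } },
    { AUDIT_ARCH_I386,   { 128, 350, 129, 283, 342 } },
};
#define NARCH (sizeof rules / sizeof rules[0])
/* load arch + per arch (arch test, load nr, x32 test, NSYS tests, allow) + final deny */
#define PROG_LEN (1 + NARCH * (4 + NSYS) + 1)

/* Build the BPF program and install it for the calling process. Returns 0 on success. */
int install_filter(void)
{
    struct sock_filter prog[PROG_LEN];
    const size_t deny = PROG_LEN - 1;   /* index of the final "return EPERM" */
    size_t i = 0;

    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, arch));
    for (size_t a = 0; a < NARCH; a++) {
        /* If this is not the personality we are checking, go to the next arch block;
         * after the last block an unknown personality falls through to deny (fail closed). */
        size_t next = (a + 1 < NARCH) ? i + 4 + NSYS : deny;
        prog[i] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                               rules[a].arch, 0, (uint8_t)(next - i - 1));
        i++;
        prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                                 offsetof(struct seccomp_data, nr));
        /* x32 syscalls carry bit 30 and would otherwise slip past the exact-number matches. */
        prog[i] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K,
                                               0x40000000u, (uint8_t)(deny - i - 1), 0);
        i++;
        for (int s = 0; s < NSYS; s++) {
            prog[i] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                   (uint32_t)rules[a].nr[s],
                                                   (uint8_t)(deny - i - 1), 0);
            i++;
        }
        prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);

    struct sock_fprog fprog = { .len = (unsigned short)i, .filter = prog };
    /* Required for an unprivileged process to install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) == 0 ? 0 : -1;
}

/* Returns 2 (SECCOMP_MODE_FILTER) once a filter is active. */
int seccomp_mode(void)
{
    return prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
}

/* errno observed when the filtered process attempts open_by_handle_at. */
int probe_open_by_handle_at(void)
{
    errno = 0;
    if (syscall(SYS_open_by_handle_at, -1, NULL, 0) == -1)
        return errno;
    return 0;
}

int main(void)
{
    if (install_filter() != 0) {
        perror("install_filter");
        return 1;
    }
    printf("seccomp mode: %d\n", seccomp_mode());
    printf("open_by_handle_at -> errno %d (EPERM is %d)\n",
           probe_open_by_handle_at(), EPERM);
    return 0;
}
```

The point to take from the structure: the `arch` field is tested before the syscall number is ever compared, so a 32-bit static binary (which traps with AUDIT_ARCH_I386 and i386 numbering) is matched against its own table rather than silently passing the amd64 numbers. A policy with only one architecture section cannot do that, which is the gap an `[all]` keyword would close.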