[lxc-devel] [PATCH 2/2] ubuntu containers: use a seccomp filter by default
Stéphane Graber
stgraber at ubuntu.com
Wed Jun 18 20:13:55 UTC 2014
On Wed, Jun 18, 2014 at 08:09:30PM +0000, Serge Hallyn wrote:
> Quoting Stéphane Graber (stgraber at ubuntu.com):
> > On Wed, Jun 18, 2014 at 07:39:07PM +0000, Serge Hallyn wrote:
> > > Blacklist module loading, kexec, and open_by_handle_at (the cause of the
> > > not-docker-specific dockerinit mounts namespace escape).
> > >
> > > Note this *should* be safe for use by all other distros as well. I'm keeping
> > > the patch small here for review's sake, but if acked then we should also add
> > > it to all other templates.
> > >
> > > Note also that this is *still* only a sanity thing. A seccomp whitelist
> > > (as Kees points out :) would be far safer and future-proof.
> >
> > Could you confirm that this will do the right thing with mixed
> > amd64/i386 (32bit static binary running in 64bit container, 32bit
> > sub-container running inside 64bit container, ...)?
>
> Good point - seccomp breaks with 32-bit right now actually. We
> can specify per-arch syscalls in separate policy sections, but
> that doesn't suffice for a common config since currently lxc limits
> (with no good reason?) to no more than 2 such sections.
>
> So to support this I think I'll add a [all] architecture keyword
> which will apply to all natively supported personalities (amd64
> and i386 on amd64, i386 on i386, [arm] for arm - and guess
> arm64 is not yet supported in libseccomp?)
Sounds good, thanks!
>
> -serge
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
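An illustration of the policy under discussion, added here and not taken from Serge's patch: two alternative version-2 LXC seccomp policies in blacklist mode that deny the three groups of syscalls named above. The first uses the per-architecture sections the current parser accepts; the second uses the [all] keyword proposed in the reply, assumed here to expand to every personality the host can run. The file name, the choice of errno 1 (EPERM) as the action and the i386 behaviour described in the comments are assumptions, not statements from the thread.

```text
# --- alternative 1: ubuntu.seccomp, per-architecture sections ---
# Version-2 policy, blacklist mode: everything not listed stays allowed.
# "errno 1" returns EPERM to the caller instead of killing the process.
2
blacklist
# Rules in [x86_64] only match syscalls made through the 64-bit ABI.
# A 32-bit static binary, or a 32-bit sub-container, issues syscalls
# through the i386 ABI, so a policy with only this section does not
# filter them the way the 64-bit section does; that is the mixed
# amd64/i386 case raised above, so the [x86] section is repeated.
[x86_64]
kexec_load errno 1
open_by_handle_at errno 1
init_module errno 1
finit_module errno 1
delete_module errno 1
[x86]
kexec_load errno 1
open_by_handle_at errno 1
init_module errno 1
finit_module errno 1
delete_module errno 1

# --- alternative 2: ubuntu.seccomp, proposed [all] keyword ---
# Same rules, written once; [all] is assumed to expand to amd64 and
# i386 on an amd64 host, i386 on i386, and arm on arm, so one common
# file can ship in every template without per-arch duplication.
2
blacklist
[all]
kexec_load errno 1
open_by_handle_at errno 1
init_module errno 1
finit_module errno 1
delete_module errno 1
```

Only one of the two files would be installed; they are shown together so the per-arch duplication and its [all] replacement can be compared line by line.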