[lxc-devel] [PATCH 2/2] ubuntu containers: use a seccomp filter by default
Robert Vogelgesang
vogel at users.sourceforge.net
Fri Jun 20 10:19:29 UTC 2014
Hi Serge,
sorry for being late with this issue - we had a holiday here yesterday,
and I didn't read your mail until now.
On Wed, Jun 18, 2014 at 07:39:07PM +0000, Serge Hallyn wrote:
> Blacklist module loading, kexec, and open_by_handle_at (the cause of the
> not-docker-specific dockerinit mounts namespace escape).
>
> Note this *should* be safe for use by all other distros as well. I'm keeping
> the patch small here for review's sake, but if acked then we should also add
> it to all other templates.
RHEL-6/CentOS-6 kernels have "# CONFIG_SECCOMP is not set" in their
configuration, so I guess you cannot use this feature for any container
running on these platforms. I haven't checked RHEL-7 so far.
Robert
>
> Note also that this is *still* only a sanity thing. A seccomp whitelist
> (as Kees points out :) would be far safer and future-proof.
>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> ---
> config/templates/Makefile.am | 3 ++-
> config/templates/ubuntu.common.conf.in | 4 ++++
> config/templates/ubuntu.seccomp.priv | 7 +++++++
> config/templates/ubuntu.userns.conf.in | 3 +++
> 4 files changed, 16 insertions(+), 1 deletion(-)
> create mode 100644 config/templates/ubuntu.seccomp.priv
>
> diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
> index 47969a9..12ce69d 100644
> --- a/config/templates/Makefile.am
> +++ b/config/templates/Makefile.am
> @@ -19,4 +19,5 @@ templatesconfig_DATA = \
> ubuntu-cloud.userns.conf \
> ubuntu.common.conf \
> ubuntu.lucid.conf \
> - ubuntu.userns.conf
> + ubuntu.userns.conf \
> + ubuntu.seccomp.priv
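Review bot: the new entry in templatesconfig_DATA is appended after ubuntu.userns.conf, which breaks the alphabetical ordering of the list (ubuntu.seccomp.priv sorts before ubuntu.userns.conf); move it up one line. Also, unlike the other entries, this file is not generated from a .in template, so confirm it is also listed in EXTRA_DIST (not visible in this hunk) so that it ends up in the release tarball.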
> diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
> index 1ec323f..b0e85c0 100644
> --- a/config/templates/ubuntu.common.conf.in
> +++ b/config/templates/ubuntu.common.conf.in
> @@ -68,3 +68,7 @@ lxc.cgroup.devices.allow = c 10:232 rwm
> ## To use loop devices, copy the following line to the container's
> ## configuration file (uncommented).
> #lxc.cgroup.devices.allow = b 7:* rwm
> +
> +# Blacklist some syscalls which are not safe in privileged
> +# containers
> +lxc.seccomp = /usr/share/lxc/config/ubuntu.seccomp.priv
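Review bot: the path /usr/share/lxc/config/ubuntu.seccomp.priv is hard-coded in a configure-processed .in file, so builds with a non-default prefix will point at a file that was installed elsewhere; use the configure-substituted variable for the templates config directory instead of the literal path. Since the comment says the policy is for privileged containers, it would also help to state in the comment which syscalls are blocked and why (module loading, kexec, open_by_handle_at), and, given Robert's point above about kernels built without CONFIG_SECCOMP, whether container start fails or merely warns when the policy cannot be applied.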
> diff --git a/config/templates/ubuntu.seccomp.priv b/config/templates/ubuntu.seccomp.priv
> new file mode 100644
> index 0000000..018ad6f
> --- /dev/null
> +++ b/config/templates/ubuntu.seccomp.priv
> @@ -0,0 +1,7 @@
> +2
> +blacklist
> +kexec_load errno 1
> +open_by_handle_at errno 1
> +init_module errno 1
> +finit_module errno 1
> +delete_module errno 1
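Review bot: the policy file has no comments, so a reader has to know that "2" is the policy format version, "blacklist" the mode, and "errno 1" means the blocked call returns EPERM rather than killing the process; add a comment header saying so, and note that the list is deliberately a blacklist (as the cover letter says, a whitelist would be stronger). Also check that a name-based blacklist without an explicit architecture section covers the 32-bit compat ABI on 64-bit hosts as well as the native one.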
> diff --git a/config/templates/ubuntu.userns.conf.in b/config/templates/ubuntu.userns.conf.in
> index 5643744..96a4c0b 100644
> --- a/config/templates/ubuntu.userns.conf.in
> +++ b/config/templates/ubuntu.userns.conf.in
> @@ -17,3 +17,6 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> # Extra fstab entries as mountall can't mount those by itself
> lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
> lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
> +
> +# Default seccomp policy is not needed for unprivileged containers.
> +lxc.seccomp =
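Review bot: "lxc.seccomp =" with an empty value only clears the policy if this file is included after ubuntu.common.conf, so the comment should say that it deliberately overrides the default set there, and the override should be verified to actually unset the key rather than set it to an empty path. The comment "not needed for unprivileged containers" would also be clearer with the reason: inside a user namespace the blacklisted calls are already refused because they require capabilities in the initial user namespace.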
> --
> 2.0.0
>