[lxc-devel] [PATCH 2/2] ubuntu containers: use a seccomp filter by default

Robert Vogelgesang vogel at users.sourceforge.net
Fri Jun 20 10:19:29 UTC 2014


Hi Serge,

Sorry for being late with this issue - we had a holiday here yesterday,
and I didn't read your mail until now.

On Wed, Jun 18, 2014 at 07:39:07PM +0000, Serge Hallyn wrote:
> Blacklist module loading, kexec, and open_by_handle_at (the cause of the
> not-docker-specific dockerinit mounts namespace escape).
> 
> Note this *should* be safe for use by all other distros as well.  I'm keeping
> the patch small here for review's sake, but if acked then we should also add
> it to all other templates.

RHEL-6/CentOS-6 kernels have "# CONFIG_SECCOMP is not set" in their
configuration, so I guess you cannot use this feature for any container
running on these platforms.  I haven't checked RHEL-7 so far.

	Robert


> 
> Note also that this is *still* only a sanity thing.  A seccomp whitelist
> (as Kees points out :) would be far safer and future-proof.
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> ---
>  config/templates/Makefile.am           | 3 ++-
>  config/templates/ubuntu.common.conf.in | 4 ++++
>  config/templates/ubuntu.seccomp.priv   | 7 +++++++
>  config/templates/ubuntu.userns.conf.in | 3 +++
>  4 files changed, 16 insertions(+), 1 deletion(-)
>  create mode 100644 config/templates/ubuntu.seccomp.priv
> 
> diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
> index 47969a9..12ce69d 100644
> --- a/config/templates/Makefile.am
> +++ b/config/templates/Makefile.am
> @@ -19,4 +19,5 @@ templatesconfig_DATA = \
>  	ubuntu-cloud.userns.conf \
>  	ubuntu.common.conf \
>  	ubuntu.lucid.conf \
> -	ubuntu.userns.conf
> +	ubuntu.userns.conf \
> +	ubuntu.seccomp.priv
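Review bot: ubuntu.seccomp.priv is a static file added next to entries that are produced from `.conf.in` sources, and `templatesconfig_DATA` only governs installation; confirm the file is also listed for distribution (EXTRA_DIST or whatever this Makefile.am uses for non-generated files) so it is present in release tarballs and not just in git checkouts. The continuation is correct as written (backslash added to `ubuntu.userns.conf \`, none on the new last entry).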
> diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
> index 1ec323f..b0e85c0 100644
> --- a/config/templates/ubuntu.common.conf.in
> +++ b/config/templates/ubuntu.common.conf.in
> @@ -68,3 +68,7 @@ lxc.cgroup.devices.allow = c 10:232 rwm
>  ## To use loop devices, copy the following line to the container's
>  ## configuration file (uncommented).
>  #lxc.cgroup.devices.allow = b 7:* rwm
> +
> +# Blacklist some syscalls which are not safe in privileged
> +# containers
> +lxc.seccomp = /usr/share/lxc/config/ubuntu.seccomp.priv
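Review bot: `lxc.seccomp = /usr/share/lxc/config/ubuntu.seccomp.priv` hardcodes the install prefix inside a `.conf.in` file, which exists precisely so configure can substitute paths; builds with a non-default prefix or datadir will point at a path where the policy was never installed. Use the same substituted config-directory variable the rest of the templates rely on instead of a fixed `/usr/share/lxc` path.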
> diff --git a/config/templates/ubuntu.seccomp.priv b/config/templates/ubuntu.seccomp.priv
> new file mode 100644
> index 0000000..018ad6f
> --- /dev/null
> +++ b/config/templates/ubuntu.seccomp.priv
> @@ -0,0 +1,7 @@
> +2
> +blacklist
> +kexec_load errno 1
> +open_by_handle_at errno 1
> +init_module errno 1
> +finit_module errno 1
> +delete_module errno 1
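Review bot: the policy file has no comments explaining its format or intent, so add a short header (as `#` lines, assuming the seccomp file parser skips them like other lxc config files) stating that `2` is the policy version, `blacklist` the mode, and `errno 1` makes each listed syscall return EPERM, and noting why each entry is there per the commit message: `init_module`/`finit_module`/`delete_module` for module loading, `kexec_load` for kexec, and `open_by_handle_at` for the mount-namespace escape. Without that, the next person editing the file has to rediscover what can safely be relaxed.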
> diff --git a/config/templates/ubuntu.userns.conf.in b/config/templates/ubuntu.userns.conf.in
> index 5643744..96a4c0b 100644
> --- a/config/templates/ubuntu.userns.conf.in
> +++ b/config/templates/ubuntu.userns.conf.in
> @@ -17,3 +17,6 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
>  # Extra fstab entries as mountall can't mount those by itself
>  lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
>  lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
> +
> +# Default seccomp policy is not needed for unprivileged containers.
> +lxc.seccomp =
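Review bot: `lxc.seccomp =` with an empty value is relied on to undo the setting inherited from ubuntu.common.conf, but the comment does not say so and nothing in the hunk shows that the config parser treats an empty assignment as "clear the key" rather than as a policy path of "" that then fails to open. Verify that behaviour and make the comment explicit, e.g. `# Clear the seccomp policy inherited from ubuntu.common.conf; it is not needed for unprivileged containers.`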
> -- 
> 2.0.0
> 
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
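The kernel check Robert's reply implies, as an added example that is not part of this thread or of lxc: a POSIX sh script that reports whether the running kernel was built with CONFIG_SECCOMP, the option he notes is "not set" on RHEL-6/CentOS-6, so that an `lxc.seccomp` policy cannot be enforced there. The function names and the sample config and status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the lxc-devel thread or of lxc itself): check whether
# the running kernel was built with CONFIG_SECCOMP, which Robert's reply reports as
# "not set" on RHEL-6/CentOS-6, so an lxc.seccomp policy cannot be enforced there.

# seccomp_configured FILE
#   Succeed (exit 0) if FILE, a kernel .config or /boot/config-<release>, contains
#   CONFIG_SECCOMP=y; fail if the option is absent or "# CONFIG_SECCOMP is not set".
#   The anchored pattern deliberately does not match CONFIG_SECCOMP_FILTER=y,
#   which is a separate option.
seccomp_configured() {
    grep -q '^CONFIG_SECCOMP=y' "$1"
}

# classify FILE
#   Print "supported" or "unsupported" for the kernel config in FILE.
classify() {
    if seccomp_configured "$1"; then echo supported; else echo unsupported; fi
}

# seccomp_mode FILE
#   FILE is a /proc/<pid>/status file. Kernels 3.8 and later expose a "Seccomp:"
#   line there (0 = disabled, 1 = strict, 2 = filter); print its value, or
#   "unknown" when the line is missing (older kernel, or seccomp not built in).
seccomp_mode() {
    awk 'BEGIN { m = "unknown" } /^Seccomp:/ { m = $2 } END { print m }' "$1"
}

# kernel_config_path
#   Print the path of the running kernel's config: /boot/config-<release> if
#   present, otherwise a decompressed copy of /proc/config.gz in a temp file.
#   Prints nothing when neither source is available.
kernel_config_path() {
    rel=$(uname -r)
    if [ -r "/boot/config-$rel" ]; then
        printf '%s\n' "/boot/config-$rel"
    elif [ -r /proc/config.gz ] && tmp=$(mktemp) && zcat /proc/config.gz >"$tmp" 2>/dev/null; then
        printf '%s\n' "$tmp"
    fi
    return 0
}

# report
#   Human-readable verdict for the host this script runs on.
report() {
    cfg=$(kernel_config_path)
    if [ -n "$cfg" ]; then
        echo "kernel config: $cfg -> CONFIG_SECCOMP $(classify "$cfg")"
    else
        echo "no kernel config found; seccomp mode of this shell: $(seccomp_mode /proc/self/status)"
    fi
}

report
```

Run it on each host before enabling the policy in a template; on a kernel that reports "unsupported" the `lxc.seccomp` line buys nothing, and on hosts without a readable config the `Seccomp:` line of /proc/self/status is the fallback indicator.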

