[lxc-devel] [PATCH 2/2] ubuntu containers: use a seccomp filter by default
Serge Hallyn
serge.hallyn at ubuntu.com
Fri Jun 20 14:56:12 UTC 2014
Quoting Robert Vogelgesang (vogel at users.sourceforge.net):
> Hi Serge,
>
> sorry for being late with this issue - we had a holiday here yesterday,
> and I didn't read your mail until now.
>
> On Wed, Jun 18, 2014 at 07:39:07PM +0000, Serge Hallyn wrote:
> > Blacklist module loading, kexec, and open_by_handle_at (the cause of the
> > not-docker-specific dockerinit mounts namespace escape).
> >
> > Note this *should* be safe for use by all other distros as well. I'm keeping
> > the patch small here for review's sake, but if acked then we should also add
> > it to all other templates.
>
> RHEL-6/CentOS-6 kernels have "# CONFIG_SECCOMP is not set" in their
> configuration, so I guess you cannot use this feature for any container
> running on these platforms. I haven't checked RHEL-7 so far.
Ah, thanks - could you please on one of those systems
1. show the result of 'grep Seccomp /proc/self/status'
2. build the following program with
=====================================================
#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <seccomp.h>
#include <unistd.h>
int main()
{
int ret;
/* Default action: allow everything not matched by a rule. */
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
/* Do not let libseccomp set NO_NEW_PRIVS on our behalf. */
seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
/* Make delete_module fail with errno 1 (EPERM). */
ret = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(1),
seccomp_syscall_resolve_name("delete_module"), 0);
/* Load the filter into the kernel; this is the value we want to see. */
ret = seccomp_load(ctx);
printf("seccomp_load returned %d\n", ret);
exit(0);
}
=====================================================
gcc -o seccomp seccomp.c -lseccomp
then show the result of
./seccomp
? I'd like to see the return value of seccomp_load().
It will probably return ENOSYS...
thanks,
-serge
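As an added illustration (not code from the patch or from anyone in this thread), the following installs the same kind of deny-list the patch describes (module loading, kexec, open_by_handle_at) through the raw prctl(PR_SET_SECCOMP) BPF interface instead of libseccomp, so it links without -lseccomp. The function names install_module_kexec_filter and probe_delete_module are my own; the filter load fails with errno set on a kernel built without seccomp filter support, which is exactly the case the thread is trying to detect.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
/* The syscalls the patch blacklists: module loading, kexec, open_by_handle_at. */
static const long denied[] = { SYS_init_module, SYS_finit_module, SYS_delete_module,
                               SYS_kexec_load, SYS_open_by_handle_at };
/* Load a deny-list filter; blocked calls fail with errno `err`. Returns 0 or -1
 * with errno set (e.g. EINVAL on a kernel without CONFIG_SECCOMP_FILTER). */
int install_module_kexec_filter(int err)
{
    struct sock_filter prog[32]; struct sock_fprog fprog;
    size_t n = 0, i;
    /* Check the ABI first: a syscall number only means something per-arch. */
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
#if defined(__x86_64__)
    /* x32 numbers carry bit 30; a deny-list that ignores them can be bypassed. */
    prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000, 0, 1);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
#endif
    for (i = 0; i < sizeof(denied) / sizeof(denied[0]); i++) {
        prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)denied[i], 0, 1);
        prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (err & SECCOMP_RET_DATA));
    }
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    fprog.len = (unsigned short)n; fprog.filter = prog;
    /* An unprivileged process must set NO_NEW_PRIVS before loading a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog, 0, 0);
}
/* Probe: errno a caller sees from delete_module (the filter's `err` once loaded). */
int probe_delete_module(void)
{
    errno = 0;
    return syscall(SYS_delete_module, "no_such_module", 0) == 0 ? 0 : errno;
}
```

The patch uses errno 1 (EPERM), which an unprivileged caller would also get without any filter; loading the filter with a different errno value makes it easy to confirm the filter, not the capability check, is what rejected the call.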