[lxc-devel] [PATCH 2/2] ubuntu containers: use a seccomp filter by default

Serge Hallyn serge.hallyn at ubuntu.com
Fri Jun 20 14:56:12 UTC 2014


Quoting Robert Vogelgesang (vogel at users.sourceforge.net):
> Hi Serge,
> 
> sorry for being late with this issue - we had a holiday here yesterday,
> and I didn't read your mail until now.
> 
> On Wed, Jun 18, 2014 at 07:39:07PM +0000, Serge Hallyn wrote:
> > Blacklist module loading, kexec, and open_by_handle_at (the cause of the
> > not-docker-specific dockerinit mounts namespace escape).
> > 
> > Note this *should* be safe for use by all other distros as well.  I'm keeping
> > the patch small here for review's sake, but if acked then we should also add
> > it to all other templates.
> 
> RHEL-6/CentOS-6 kernels have "# CONFIG_SECCOMP is not set" in their
> configuration, so I guess you cannot use this feature for any container
> running on these platforms.  I haven't checked RHEL-7 so far.

Ah, thanks - could you please on one of those systems

1. show the result of 'grep Seccomp /proc/self/status'

2. build the following program with

=====================================================
#include <stdio.h>
#include <stdlib.h>
#include <seccomp.h>
#include <unistd.h>

int main(void)
{
        int ret;

        /* Default action: allow every syscall not matched by a rule. */
        scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
        if (!ctx) {
                perror("seccomp_init");
                exit(1);
        }

        /* Don't let libseccomp set no_new_privs on our behalf. */
        seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);

        /* Deny delete_module with errno 1 (EPERM). */
        ret = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(1),
                        seccomp_syscall_resolve_name("delete_module"), 0);
        printf("seccomp_rule_add returned %d\n", ret);

        /* This is the call that should fail on a kernel without seccomp. */
        ret = seccomp_load(ctx);
        printf("seccomp_load returned %d\n", ret);

        seccomp_release(ctx);
        exit(0);
}
=====================================================

   gcc -o seccomp seccomp.c -lseccomp

   then show the result of

   ./seccomp

   ?  I'd like to see the return value of seccomp_load().
   It will probably return ENOSYS...

thanks,
-serge
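As an added example that is not part of Serge's mail or of the LXC patch: a filter in the spirit of the one the patch installs (module loading, kexec and open_by_handle_at denied), built with raw prctl()/BPF so it also runs where libseccomp is not installed, plus a helper that reads the same "Seccomp:" field the grep in step 1 looks for. THIS_ARCH, install_filter(), seccomp_mode_from_status() and the choice of EACCES as the denial errno are this example's own, not LXC's.

```c
/* Added example, not Serge's code: the same kind of filter the LXC patch
 * installs, built with raw prctl()/BPF so it needs no libseccomp. It returns
 * EACCES so a test can tell it from the EPERM delete_module() gives anyway. */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#error "set THIS_ARCH to this architecture's AUDIT_ARCH_* value"
#endif

/* Seccomp mode from /proc/<pid>/status text (0 off, 1 strict, 2 filter);
 * -1 if the "Seccomp:" line is absent, i.e. CONFIG_SECCOMP=n as on RHEL-6. */
int seccomp_mode_from_status(const char *status)
{
    const char *p = strstr(status, "Seccomp:");
    return p ? atoi(p + strlen("Seccomp:")) : -1;
}

/* Deny syscall nr with EACCES; otherwise fall through to the next rule. */
#define DENY(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA))
static struct sock_filter prog[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL), /* foreign ABI: kill */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    DENY(__NR_init_module), DENY(__NR_finit_module), DENY(__NR_delete_module),
    DENY(__NR_kexec_load), DENY(__NR_open_by_handle_at),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* 0 on success, else -errno (-EINVAL or -ENOSYS on a kernel without seccomp). */
int install_filter(void)
{
    struct sock_fprog fp = { sizeof(prog) / sizeof(prog[0]), prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -errno;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp) ? -errno : 0;
}
```

After install_filter() returns 0, syscall(SYS_delete_module, "no_such_module", 0) fails with EACCES from the filter rather than the EPERM or ENOENT the kernel would otherwise give.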

