[lxc-devel] [PATCH 2/2] ubuntu containers: use a seccomp filter by default

Robert Vogelgesang vogel at users.sourceforge.net
Fri Jun 20 16:24:26 UTC 2014


Hi Serge,

On Fri, Jun 20, 2014 at 02:56:12PM +0000, Serge Hallyn wrote:
> Quoting Robert Vogelgesang (vogel at users.sourceforge.net):
> > Hi Serge,
> > 
> > sorry for being late with this issue - we had a holiday here yesterday,
> > and I didn't read your mail until now.
> > 
> > On Wed, Jun 18, 2014 at 07:39:07PM +0000, Serge Hallyn wrote:
> > > Blacklist module loading, kexec, and open_by_handle_at (the cause of the
> > > not-docker-specific dockerinit mounts namespace escape).
> > > 
> > > Note this *should* be safe for use by all other distros as well.  I'm keeping
> > > the patch small here for review's sake, but if acked then we should also add
> > > it to all other templates.
> > 
> > RHEL-6/CentOS-6 kernels have "# CONFIG_SECCOMP is not set" in their
> > configuration, so I guess you cannot use this feature for any container
> > running on these platforms.  I haven't checked RHEL-7 so far.
> 
> Ah, thanks - could you please on one of those systems
> 
> 1. show the result of 'grep Seccomp /proc/self/status'

the result is empty, i.e. nothing is found.


> 
> 2. build the following program with
> 
> =====================================================
> #include <stdio.h>
> #include <seccomp.h>

Under a current RHEL-6.5, the compiler fails on this line, seccomp.h
is not available.  libseccomp isn't available either.

And EPEL, too, does not provide libseccomp or any seccomp tools, most
probably because there is no kernel support in RHEL-6.

The Fedora Package Database (https://admin.fedoraproject.org/pkgdb)
finds "libseccomp" only for Fedora 18 and newer.

RHEL-7 seems to have libseccomp-2.1.1-2.el7 judging from what can be
seen on this page: https://git.centos.org/summary/rpms!libseccomp

I still don't have a RHEL-7 machine, so I cannot really check - sorry.

	Robert


> #include <stdlib.h>
> #include <unistd.h>
> 
> int main()
> {
>         int ret;
> 
>         /* Default action: allow every syscall not matched by a rule. */
>         scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
>         if (!ctx) {
>                 printf("seccomp_init failed\n");
>                 exit(1);
>         }
> 
>         seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
>         /* Make delete_module fail with errno 1 (EPERM) instead of running. */
>         ret = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(1),
>                         seccomp_syscall_resolve_name("delete_module"), 0);
>         printf("seccomp_rule_add returned %d\n", ret);
> 
>         ret = seccomp_load(ctx);
>         printf("seccomp_load returned %d\n", ret);
>         seccomp_release(ctx);
>         exit(0);
> }
> =====================================================
> 
> 	gcc -o seccomp seccomp.c -lseccomp
>    then show the result of
> 	./seccomp
>    ?  I'd like to see the return value of seccomp_load().
>    It will probably return ENOSYS...
> 
> thanks,
> -serge
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
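An added example, not part of Serge's or Robert's mails and not LXC code: a small C probe for the check Serge asks for in step 1 that does not depend on libseccomp, so it builds on a RHEL-6 box where seccomp.h is missing. It parses the "Seccomp:" field of /proc/self/status (an absent field is what a kernel built without CONFIG_SECCOMP shows, matching the empty grep result above) and also asks the kernel via prctl(PR_GET_SECCOMP), which fails with EINVAL on such kernels. The two status-text samples embedded in the block are constructed, not real captures.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Constructed sample inputs (not real captures). The first is what a
 * seccomp-capable kernel shows for a process running under a filter; the
 * second is what a kernel built without CONFIG_SECCOMP shows: no Seccomp
 * line at all, i.e. the empty grep result reported in the thread. */
static const char SAMPLE_STATUS_WITH_SECCOMP[] =
    "Name:\tsh\n"
    "State:\tR (running)\n"
    "Seccomp:\t2\n"
    "Seccomp_filters:\t1\n"
    "Cpus_allowed:\tff\n";

static const char SAMPLE_STATUS_NO_SECCOMP[] =
    "Name:\tsh\n"
    "State:\tR (running)\n"
    "Cpus_allowed:\tff\n";

/* Find the "Seccomp:" field in /proc/self/status-style text.
 * Returns the mode (0 disabled, 1 strict, 2 filter) or -1 when the field
 * is absent. "Seccomp_filters:" does not match because the colon must
 * follow the word immediately. */
int parse_seccomp_field(const char *status_text)
{
    const char *line = status_text;

    while (line != NULL && *line != '\0') {
        if (strncmp(line, "Seccomp:", 8) == 0) {
            int mode;
            return (sscanf(line + 8, "%d", &mode) == 1) ? mode : -1;
        }
        line = strchr(line, '\n');
        if (line != NULL)
            line++;             /* start of the next line */
    }
    return -1;
}

/* Read the real /proc/self/status and parse it the same way.
 * Returns -1 if the file is unreadable or the field is missing. */
int read_proc_seccomp_mode(void)
{
    char buf[16384];
    size_t n;
    FILE *f = fopen("/proc/self/status", "r");

    if (f == NULL)
        return -1;
    n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_seccomp_field(buf);
}

/* Ask the kernel directly. Returns the mode, or -1 with errno set; a
 * kernel without CONFIG_SECCOMP fails with EINVAL. Only call this from an
 * unconfined process: under strict mode (1) prctl is not permitted and
 * the kernel kills the caller. */
int prctl_seccomp_mode(void)
{
#ifdef __linux__
    return prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
#else
    errno = ENOSYS;
    return -1;
#endif
}

int main(void)
{
    int proc_mode = read_proc_seccomp_mode();
    int kern_mode;

    printf("/proc/self/status Seccomp field: %d%s\n", proc_mode,
           proc_mode < 0 ? " (absent or unreadable)" : "");

    errno = 0;
    kern_mode = prctl_seccomp_mode();
    if (kern_mode < 0)
        printf("prctl(PR_GET_SECCOMP) failed: %s\n", strerror(errno));
    else
        printf("prctl(PR_GET_SECCOMP) mode: %d\n", kern_mode);

    /* A container seccomp profile can only be enforced when the kernel
     * reports seccomp support through both paths. */
    return (proc_mode >= 0 && kern_mode >= 0) ? 0 : 1;
}
```

Build with plain `gcc -o seccomp-probe seccomp-probe.c` (no -lseccomp). Exit status 0 means the kernel can take a filter, so an LXC seccomp profile would actually be applied; exit status 1 on a RHEL-6 kernel is the expected outcome given the config Robert quoted.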
