[lxc-devel] [PATCH 2/2] ubuntu containers: use a seccomp filter by default

Serge Hallyn serge.hallyn at ubuntu.com
Fri Jun 20 17:00:36 UTC 2014


Quoting Robert Vogelgesang (vogel at users.sourceforge.net):
> Hi Serge,
> 
> On Fri, Jun 20, 2014 at 02:56:12PM +0000, Serge Hallyn wrote:
> > Quoting Robert Vogelgesang (vogel at users.sourceforge.net):
> > > Hi Serge,
> > > 
> > > sorry for being late with this issue - we had a holiday here yesterday,
> > > and I didn't read your mail until now.
> > > 
> > > On Wed, Jun 18, 2014 at 07:39:07PM +0000, Serge Hallyn wrote:
> > > > Blacklist module loading, kexec, and open_by_handle_at (the cause of the
> > > > not-docker-specific dockerinit mounts namespace escape).
> > > > 
> > > > Note this *should* be safe for use by all other distros as well.  I'm keeping
> > > > the patch small here for review's sake, but if acked then we should also add
> > > > it to all other templates.
> > > 
> > > RHEL-6/CentOS-6 kernels have "# CONFIG_SECCOMP is not set" in their
> > > configuration, so I guess you cannot use this feature for any container
> > > running on these platforms.  I haven't checked RHEL-7 so far.
> > 
> > Ah, thanks - could you please on one of those systems
> > 
> > 1. show the result of 'grep Seccomp /proc/self/status'
> 
> the result is empty, i.e. nothing is found.

Ok, unprivileged users shouldn't be able to mess with that so perhaps
we'll just disable all seccomp handling if no Seccomp line is found.
Thanks.

-serge
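The fallback discussed above, written out as an added example (not code from this thread or from the LXC project): the kernel is probed for a "Seccomp:" line in a /proc status file, the blacklist policy from the patch description (module loading, kexec, open_by_handle_at) is only wired into the container config when that line exists, and kernels built with CONFIG_SECCOMP unset, like the RHEL-6 case reported, get no seccomp handling at all instead of a failed start. The policy file layout (a version "2" header, "blacklist", an "[all]" arch section, and "errno 1" meaning EPERM) is the LXC version-2 seccomp format as assumed here; the two /proc status excerpts and the `lxc.seccomp` line are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from LXC itself.
# Only apply a seccomp policy when /proc/<pid>/status carries a "Seccomp:"
# line; kernels built without CONFIG_SECCOMP omit it, so seccomp handling is
# skipped there rather than breaking container start.

# seccomp_supported STATUS_FILE
#   0 if the status file has a Seccomp line (kernel built with CONFIG_SECCOMP),
#   1 otherwise.
seccomp_supported() {
    grep -q '^Seccomp:' "$1"
}

# seccomp_policy_mode STATUS_FILE
#   prints "filter" when a policy may be loaded, "disabled" when it must be skipped.
seccomp_policy_mode() {
    if seccomp_supported "$1"; then
        echo filter
    else
        echo disabled
    fi
}

# write_policy POLICY_FILE
#   writes the blacklist described in the patch: module loading, kexec and
#   open_by_handle_at are refused with EPERM (errno 1). Layout follows the
#   LXC version-2 seccomp policy format (assumed, not taken from the thread).
write_policy() {
    cat > "$1" <<'EOF'
2
blacklist
[all]
init_module errno 1
finit_module errno 1
delete_module errno 1
kexec_load errno 1
open_by_handle_at errno 1
EOF
}

# container_seccomp_line STATUS_FILE POLICY_FILE
#   prints the lxc.seccomp config line when the kernel supports seccomp and
#   nothing otherwise, so the container config can be generated either way.
container_seccomp_line() {
    if seccomp_supported "$1"; then
        printf 'lxc.seccomp = %s\n' "$2"
    fi
}

# mk_samples DIR
#   Constructed /proc status excerpts (not captured from real hosts): one from
#   a kernel with seccomp (mode 0 = no filter loaded yet), one without the line.
mk_samples() {
    cat > "$1/status.with_seccomp" <<'EOF'
Name:	sh
State:	S (sleeping)
Seccomp:	0
EOF
    cat > "$1/status.no_seccomp" <<'EOF'
Name:	sh
State:	S (sleeping)
EOF
}

# Demonstration against the constructed samples.
demo_dir=$(mktemp -d)
mk_samples "$demo_dir"
write_policy "$demo_dir/common.seccomp"
for f in status.with_seccomp status.no_seccomp; do
    echo "$f: $(seccomp_policy_mode "$demo_dir/$f")"
    container_seccomp_line "$demo_dir/$f" "$demo_dir/common.seccomp"
done
rm -rf "$demo_dir"
```

On a live host the same probe is `seccomp_supported /proc/self/status`; a missing line means the kernel cannot enforce the filter, and the safer behaviour for a template is to leave `lxc.seccomp` out entirely rather than ship a config the kernel will reject.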

