[lxc-devel] [PATCH 1/1] ubuntu containers: use a seccomp filter by default (v2)
Serge Hallyn
serge.hallyn at ubuntu.com
Fri Jun 20 20:40:42 UTC 2014
Blacklist module loading, kexec, and open_by_handle_at (the cause of the
not-docker-specific dockerinit mounts namespace escape).
This should be applied to all arches, but iiuc stgraber will be doing
some reworking of the commonizations which will simplify that, so I'm
not doing it here.
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
config/templates/Makefile.am | 3 ++-
config/templates/ubuntu.common.conf.in | 4 ++++
config/templates/ubuntu.priv.seccomp | 8 ++++++++
config/templates/ubuntu.userns.conf.in | 4 ++++
4 files changed, 18 insertions(+), 1 deletion(-)
create mode 100644 config/templates/ubuntu.priv.seccomp
diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
index d0b1c87..dec62d9 100644
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
@@ -21,4 +21,5 @@ templatesconfig_DATA = \
ubuntu-cloud.userns.conf \
ubuntu.common.conf \
ubuntu.lucid.conf \
- ubuntu.userns.conf
+ ubuntu.userns.conf \
+ ubuntu.priv.seccomp
diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
index 1ec323f..a61ed79 100644
--- a/config/templates/ubuntu.common.conf.in
+++ b/config/templates/ubuntu.common.conf.in
@@ -68,3 +68,7 @@ lxc.cgroup.devices.allow = c 10:232 rwm
## To use loop devices, copy the following line to the container's
## configuration file (uncommented).
#lxc.cgroup.devices.allow = b 7:* rwm
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = @LXCTEMPLATECONFIG@/ubuntu.priv.seccomp
diff --git a/config/templates/ubuntu.priv.seccomp b/config/templates/ubuntu.priv.seccomp
new file mode 100644
index 0000000..e6650ef
--- /dev/null
+++ b/config/templates/ubuntu.priv.seccomp
@@ -0,0 +1,8 @@
+2
+blacklist
+[all]
+kexec_load errno 1
+open_by_handle_at errno 1
+init_module errno 1
+finit_module errno 1
+delete_module errno 1
diff --git a/config/templates/ubuntu.userns.conf.in b/config/templates/ubuntu.userns.conf.in
index 5643744..c744b1d 100644
--- a/config/templates/ubuntu.userns.conf.in
+++ b/config/templates/ubuntu.userns.conf.in
@@ -17,3 +17,7 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
# Extra fstab entries as mountall can't mount those by itself
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+
+# Default seccomp policy is not needed for unprivileged containers, and
+# non-root users cannot use seccmp without NNP anyway.
+lxc.seccomp =
--
2.0.0
More information about the lxc-devel
mailing list