[lxc-devel] [PATCH 1/1] ubuntu containers: use a seccomp filter by default (v2)

Stéphane Graber stgraber at ubuntu.com
Fri Jun 20 21:36:31 UTC 2014


On Fri, Jun 20, 2014 at 03:40:42PM -0500, Serge Hallyn wrote:
> Blacklist module loading, kexec, and open_by_handle_at (the cause of the
> not-docker-specific dockerinit mounts namespace escape).
> 
> This should be applied to all arches, but iiuc stgraber will be doing
> some reworking of the commonizations which will simplify that, so I'm
> not doing it here.
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  config/templates/Makefile.am           | 3 ++-
>  config/templates/ubuntu.common.conf.in | 4 ++++
>  config/templates/ubuntu.priv.seccomp   | 8 ++++++++
>  config/templates/ubuntu.userns.conf.in | 4 ++++
>  4 files changed, 18 insertions(+), 1 deletion(-)
>  create mode 100644 config/templates/ubuntu.priv.seccomp
> 
> diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
> index d0b1c87..dec62d9 100644
> --- a/config/templates/Makefile.am
> +++ b/config/templates/Makefile.am
> @@ -21,4 +21,5 @@ templatesconfig_DATA = \
>  	ubuntu-cloud.userns.conf \
>  	ubuntu.common.conf \
>  	ubuntu.lucid.conf \
> -	ubuntu.userns.conf
> +	ubuntu.userns.conf \
> +	ubuntu.priv.seccomp
> diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
> index 1ec323f..a61ed79 100644
> --- a/config/templates/ubuntu.common.conf.in
> +++ b/config/templates/ubuntu.common.conf.in
> @@ -68,3 +68,7 @@ lxc.cgroup.devices.allow = c 10:232 rwm
>  ## To use loop devices, copy the following line to the container's
>  ## configuration file (uncommented).
>  #lxc.cgroup.devices.allow = b 7:* rwm
> +
> +# Blacklist some syscalls which are not safe in privileged
> +# containers
> +lxc.seccomp = @LXCTEMPLATECONFIG@/ubuntu.priv.seccomp
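Review bot: the comment above `lxc.seccomp = @LXCTEMPLATECONFIG@/ubuntu.priv.seccomp` should mention that this file is shared with the unprivileged configuration, which relies on clearing `lxc.seccomp` again afterwards; someone reading ubuntu.common.conf on its own will otherwise assume the policy applies to every Ubuntu container. "not safe in privileged containers" is also vague: say what the commit message says, that the listed calls are blocked because they act on the host kernel (module loading, kexec) or can reach filesystem objects outside the container's mount namespace (open_by_handle_at), so the next person editing the list knows the criterion for adding or removing an entry.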
> diff --git a/config/templates/ubuntu.priv.seccomp b/config/templates/ubuntu.priv.seccomp
> new file mode 100644
> index 0000000..e6650ef
> --- /dev/null
> +++ b/config/templates/ubuntu.priv.seccomp
> @@ -0,0 +1,8 @@
> +2
> +blacklist
> +[all]
> +kexec_load errno 1
> +open_by_handle_at errno 1
> +init_module errno 1
> +finit_module errno 1
> +delete_module errno 1
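Review bot: the new file has no comments, and the format is not self-explanatory: `2` is the policy format version, `blacklist` means everything not listed stays allowed, `[all]` applies the section to every architecture, and `errno 1` makes the blocked call fail with EPERM instead of killing the task. A one-line `#` comment for each would document that, and the `[all]` note in particular matters given the commit message's "should be applied to all arches". None of the five entries is Ubuntu-specific, so a distro-neutral file name would let the other templates include the same file rather than copy it when the commonization rework lands. Because the default action is allow, the list is only as good as its maintenance; a comment pointing at where additions should be reviewed would help.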
> diff --git a/config/templates/ubuntu.userns.conf.in b/config/templates/ubuntu.userns.conf.in
> index 5643744..c744b1d 100644
> --- a/config/templates/ubuntu.userns.conf.in
> +++ b/config/templates/ubuntu.userns.conf.in
> @@ -17,3 +17,7 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
>  # Extra fstab entries as mountall can't mount those by itself
>  lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
>  lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
> +
> +# Default seccomp policy is not needed for unprivileged containers, and
> +# non-root users cannot use seccmp without NNP anyway.
> +lxc.seccomp =
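Review bot: typo in the added comment: `seccmp` should read `seccomp`, and `NNP` is clearer spelled out as no_new_privs. The empty assignment `lxc.seccomp =` only clears a value that has already been set, so please confirm that ubuntu.common.conf is included above this point in ubuntu.userns.conf.in and say so in the comment ("overrides the policy set in ubuntu.common.conf") rather than the unspecific "Default seccomp policy".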
> -- 
> 2.0.0
> 
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com