[lxc-devel] [lxd/master] seccomp: block new mount API when mount interception is requested

brauner on Github lxc-bot at linuxcontainers.org
Mon Nov 25 13:47:56 UTC 2019


From d27a3da74e81f30bf127999f4d984d2c216624e2 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 25 Nov 2019 14:47:19 +0100
Subject: [PATCH] seccomp: block new mount API when mount interception is requested

When mount interception is requested, we need to block the new mount API since it
keeps in-kernel state across multiple and an arbitrary number of syscalls.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 lxd/seccomp/seccomp.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/lxd/seccomp/seccomp.go b/lxd/seccomp/seccomp.go
index ddd5ae4bef..0197032b04 100644
--- a/lxd/seccomp/seccomp.go
+++ b/lxd/seccomp/seccomp.go
@@ -282,6 +282,15 @@ mknodat notify [2,24576,SCMP_CMP_MASKED_EQ,61440]
 const seccompNotifySetxattr = `setxattr notify [3,1,SCMP_CMP_EQ]
 `
 
+const seccompBlockNewMountApi = `fsopen errno 38
+fsconfig errno 38
+fsinfo errno 38
+fsmount errno 38
+fspick errno 38
+open_tree errno 38
+move_mount errno 38
+`
+
 // We don't want to filter any of the following flag combinations since they do
 // not cause the creation of a new superblock:
 //
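Review bot: every line of `seccompBlockNewMountApi` hardcodes `errno 38` with nothing on the hunk saying what 38 is; add a comment above the constant stating that 38 is ENOSYS and that the intent is to make the new mount API look unimplemented so that callers fall back to mount(2), which the `seccompNotifyMount` rule does intercept. Someone auditing the policy should not have to look the number up. Two smaller points: Go's convention for initialisms would name this `seccompBlockNewMountAPI`, and since these names are resolved by libseccomp when the policy is loaded, it is worth confirming that every name in the list resolves with the libseccomp version LXD builds against (`fsinfo` being the one most likely not to), or that the loader tolerates an unknown name rather than rejecting the whole policy.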
@@ -500,6 +509,10 @@ func seccompGetPolicyContent(c Instance) (string, error) {
 
 		if shared.IsTrue(config["security.syscalls.intercept.mount"]) {
 			policy += seccompNotifyMount
+			// We can't handle the new mount API since it keeps
+			// in-kernel state across an arbitrary number of
+			// multiple syscalls.
+			policy += seccompBlockNewMountApi
 		}
 	}
 
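Review bot: the comment wording "across an arbitrary number of multiple syscalls" is redundant; "across an arbitrary number of syscalls" says the same thing. The logic itself looks right: the block is appended only inside the `security.syscalls.intercept.mount` branch, so instances without mount interception keep the behaviour the base policy gives them, and on kernels that lack the new mount API the extra `errno 38` rules just return the ENOSYS the kernel would have returned anyway. One thing worth documenting, here or in the config reference for the key: enabling mount interception now visibly disables fsopen, fsmount and the related calls inside the container, which is a user-facing behaviour change rather than an internal detail.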

