[lxc-devel] [lxd/master] seccomp: protect against syscall supervision override
brauner on Github
lxc-bot at linuxcontainers.org
Tue Oct 22 23:02:04 UTC 2019
From 543f021101c6fe5aad6b2b0e207da0dac8167852 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Wed, 23 Oct 2019 01:00:46 +0200
Subject: [PATCH] seccomp: protect against syscall supervision override
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
lxd/seccomp/seccomp.go | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/lxd/seccomp/seccomp.go b/lxd/seccomp/seccomp.go
index 9c00e2eaac..b194868e56 100644
--- a/lxd/seccomp/seccomp.go
+++ b/lxd/seccomp/seccomp.go
@@ -261,6 +261,9 @@ init_module errno 38
finit_module errno 38
delete_module errno 38
`
+const seccompNotifyDisallow = `seccomp errno 22 [1,2146435072,SCMP_CMP_MASKED_EQ,2146435072]
+seccomp errno 22 [1,8,SCMP_CMP_MASKED_EQ,8]
+`
const seccompNotifyMknod = `mknod notify [1,8192,SCMP_CMP_MASKED_EQ,61440]
mknod notify [1,24576,SCMP_CMP_MASKED_EQ,61440]
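Review bot: the two new rules in `seccompNotifyDisallow` are built from bare numeric constants with no comment saying what they match, which makes the block hard to review and easy to get wrong on a later edit. Both rules test argument index 1 of seccomp(2), i.e. the flags word; the second rule's value 8 is SECCOMP_FILTER_FLAG_NEW_LISTENER, which is the bit that would let a process inside the container register its own notifier, but the 2146435072 (0x7ff00000) mask in the first rule is not self-explanatory. Suggest a comment above the constant naming the flag bits each rule is meant to catch and stating that errno 22 (EINVAL) was chosen so the call fails the same way it would on a kernel without listener support, so a reader can verify the masks against the kernel headers.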
@@ -447,6 +450,10 @@ func seccompGetPolicyContent(c Instance) (string, error) {
if shared.IsTrue(config["security.syscalls.intercept.setxattr"]) {
policy += seccompNotifySetxattr
}
+
+ // Prevent the container from overriding our syscall
+ // supervision.
+ policy += seccompNotifyDisallow
}
if whitelist != "" {
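Review bot: `policy += seccompNotifyDisallow` is appended unconditionally inside this block, but the trailing context shows the whitelist path (`if whitelist != "" {`) starts right after it, so it is worth confirming the deny rules also end up in a policy built from a user whitelist; if they do not, a container whose whitelist permits seccomp(2) could still pass SECCOMP_FILTER_FLAG_NEW_LISTENER. The inline comment "Prevent the container from overriding our syscall supervision" could also say what "override" means concretely (installing a nested notify listener that would intercept the syscalls LXD itself supervises), so the intent survives future refactors of this function.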