[lxc-users] How to disable 32bit emulation within a 64bit container

Boyok Mad boyokmard at gmail.com
Sun May 10 23:17:43 UTC 2015


I think I managed to do it by using a seccomp profile. syscalls for a 32bit
emulated binary have a different system call numbers and they are rejected.

"... Also, as things are today, if your host is 64bit and you load a
seccomp policy file, all 32bit syscalls will be rejected. ..." -
https://www.stgraber.org/2014/01/01/lxc-1-0-security-features/

add the following to the container config file (per instruction at
https://github.com/lxc/lxc):

lxc.seccomp = /var/lib/lxc/q1/seccomp.full

and create a seccomp.full file through:

cat > seccomp.full << EOF
1
whitelist
EOF
for i in `seq 0 300`; do
    echo $i >> seccomp.full
done
for i in `seq 1024 1079`; do
    echo $i >> seccomp.full
done





On Mon, May 11, 2015 at 6:13 AM, Michael H. Warfield <mhw at wittsend.com>
wrote:

> On Sun, 2015-05-10 at 11:08 -0400, Stéphane Graber wrote:
> > On Sun, May 10, 2015 at 09:00:22AM -0400, Michael H. Warfield wrote:
> > > On Sun, 2015-05-10 at 14:54 +1000, Boyok Mad wrote:
> > > > Hi
> > > >
> > > >
> > > > I want to disable 32bit emulation within my ubuntu container. I think
> > > > this can be achieved by setting seccomp filter or cap.drop config (I
> > > > may be wrong as I am very new to both of features)
> > > >
> https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html
> > >
> > > I don't believe that is even conceptually possible.  The 64 bit x86
> > > instruction set is an inclusive superset of the 32 bit instruction set.
> > > Any 32 bit assembly language instruction will run on a 64 bit CPU.
> > > That's the very nature of "backward compatibility" in the CPU
> > > architecture.  The 32 bit instructions are not being emulated at all.
> > > They run native on the iron.
>
> > You can however use seccomp to block all 32bit syscalls.
>
> True.  Syscalls are a horse of a different color since that's OS based
> not CPU based.  Still, its not an emulation as the OP seem to be
> implying.
>
> > > > Is it possible to disable specific system calls to disallow a
> > > > container run any 32bit executable? if so, how the seccom/cap.drop
> > > > config should look like? if not, is there anyway to disable 32bit
> > > > emulation within a lxc container?
> > > >
> > > >
> > > > P.S. I tried removing support for i386 packages within a container,
> > > > but it still runs 32bit binaries.
> > > >
> > > >
> > > > Cheers,
> > > >
> > > > Boy
> > >
> > > Regards,
> > > Mike
> > > --
> > > Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
> > >    /\/\|=mhw=|\/\/          | (678) 463-0932 |
> http://www.wittsend.com/mhw/
> > >    NIC whois: MHW9          | An optimist believes we live in the best
> of all
> > >  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of
> it!
> > >
>
> Regards,
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
>    /\/\|=mhw=|\/\/          | (678) 463-0932 |
> http://www.wittsend.com/mhw/
>    NIC whois: MHW9          | An optimist believes we live in the best of
> all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
>
>
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20150511/f7baa124/attachment.html>


More information about the lxc-users mailing list