[lxc-users] How to disable 32bit emulation within a 64bit container
Boyok Mad
boyokmard at gmail.com
Sun May 10 23:17:43 UTC 2015
I think I managed to do it by using a seccomp profile. Syscalls for a 32bit
emulated binary have different system call numbers and they are rejected.
"... Also, as things are today, if your host is 64bit and you load a
seccomp policy file, all 32bit syscalls will be rejected. ..." -
https://www.stgraber.org/2014/01/01/lxc-1-0-security-features/
Add the following to the container config file (per the instructions at
https://github.com/lxc/lxc):
lxc.seccomp = /var/lib/lxc/q1/seccomp.full
and create the seccomp.full file with:
cat > seccomp.full << EOF
1
whitelist
EOF
for i in `seq 0 300`; do
echo $i >> seccomp.full
done
for i in `seq 1024 1079`; do
echo $i >> seccomp.full
done
On Mon, May 11, 2015 at 6:13 AM, Michael H. Warfield <mhw at wittsend.com>
wrote:
> On Sun, 2015-05-10 at 11:08 -0400, Stéphane Graber wrote:
> > On Sun, May 10, 2015 at 09:00:22AM -0400, Michael H. Warfield wrote:
> > > On Sun, 2015-05-10 at 14:54 +1000, Boyok Mad wrote:
> > > > Hi
> > > >
> > > >
> > > > I want to disable 32bit emulation within my ubuntu container. I think
> > > > this can be achieved by setting seccomp filter or cap.drop config (I
> > > > may be wrong as I am very new to both of features)
> > > >
> https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html
> > >
> > > I don't believe that is even conceptually possible. The 64 bit x86
> > > instruction set is an inclusive superset of the 32 bit instruction set.
> > > Any 32 bit assembly language instruction will run on a 64 bit CPU.
> > > That's the very nature of "backward compatibility" in the CPU
> > > architecture. The 32 bit instructions are not being emulated at all.
> > > They run native on the iron.
>
> > You can however use seccomp to block all 32bit syscalls.
>
> True. Syscalls are a horse of a different color since that's OS based
> not CPU based. Still, it's not an emulation as the OP seems to be
> implying.
>
> > > > Is it possible to disable specific system calls to disallow a
> > > > container run any 32bit executable? if so, how should the seccomp/cap.drop
> > > > config look? if not, is there any way to disable 32bit
> > > > emulation within a lxc container?
> > > >
> > > >
> > > > P.S. I tried removing support for i386 packages within a container,
> > > > but it still runs 32bit binaries.
> > > >
> > > >
> > > > Cheers,
> > > >
> > > > Boy
> > >
> > > Regards,
> > > Mike
> > > --
> > > Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
> > > /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> > > NIC whois: MHW9 | An optimist believes we live in the best of all
> > > PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
> > >
>
> Regards,
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
> /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
>
>
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
>
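The whitelist above works because the i386 and x86-64 syscall tables use different numbers, so a whitelist written for the 64-bit numbers happens to reject most 32-bit calls. The kernel also exposes the ABI explicitly: every seccomp-bpf filter sees `seccomp_data.arch`, which is AUDIT_ARCH_I386 for a call made through the legacy `int 0x80` gate even when the host is 64-bit. The program below is an added example (not code from the thread or from LXC) that installs a raw seccomp-bpf filter failing every syscall whose ABI is not the native one, then issues a 32-bit `getpid` from a 64-bit process to show the effect. It assumes a Linux kernel with CONFIG_SECCOMP_FILTER, and the `int 0x80` probe only does anything on x86-64 with CONFIG_IA32_EMULATION; the x32 check (AUDIT_ARCH_X86_64 with `__X32_SYSCALL_BIT` set in `nr`) is the caveat from the seccomp(2) man page that a plain arch comparison misses. The function and macro names are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Native ABI of the process installing the filter (assumption: one of these CPUs). */
#if defined(__x86_64__)
#  include <asm/unistd.h>
#  define NATIVE_ARCH AUDIT_ARCH_X86_64
#  ifndef __X32_SYSCALL_BIT
#    define __X32_SYSCALL_BIT 0x40000000
#  endif
#  define X32_BIT __X32_SYSCALL_BIT      /* x32 shares arch with x86-64, differs in nr */
#elif defined(__aarch64__)
#  define NATIVE_ARCH AUDIT_ARCH_AARCH64
#  define X32_BIT 0                      /* JSET with 0 never jumps: no x32 ABI here */
#elif defined(__i386__)
#  define NATIVE_ARCH AUDIT_ARCH_I386
#  define X32_BIT 0
#else
#  error "add the AUDIT_ARCH_* value for this CPU"
#endif

/* Install a seccomp-bpf filter: any syscall whose ABI is not NATIVE_ARCH, or
 * that is an x32 call on x86-64, fails with EPERM; everything else is allowed.
 * Returns 0 on success, -1 with errno set on failure. */
int block_non_native_syscalls(void)
{
    struct sock_filter filter[] = {
        /* 0: A = seccomp_data.arch */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        /* 1: if (A == NATIVE_ARCH) goto 2 else goto 5 (deny) */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 0, 3),
        /* 2: A = seccomp_data.nr */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* 3: if (A & X32_BIT) goto 5 (deny) else goto 4 */
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, X32_BIT, 1, 0),
        /* 4: allow */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /* 5: deny with errno EPERM (SECCOMP_RET_KILL_PROCESS would terminate instead) */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };

    /* Required for an unprivileged process to load a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Issue the i386 getpid (nr 20 in the 32-bit table) through the legacy
 * int 0x80 gate from a 64-bit process, i.e. use the 32-bit syscall ABI.
 * Returns the raw kernel result: the pid while compat calls are allowed,
 * -EPERM (-1) once the filter above is installed. Only meaningful on
 * x86-64 with CONFIG_IA32_EMULATION; elsewhere returns -ENOSYS. */
long probe_i386_getpid(void)
{
#if defined(__x86_64__)
    int ret;
    __asm__ __volatile__("int $0x80" : "=a"(ret) : "a"(20) : "memory");
    return ret;
#else
    return -ENOSYS;
#endif
}

int main(void)
{
    printf("32-bit ABI getpid before filter: %ld\n", probe_i386_getpid());
    if (block_non_native_syscalls() != 0) {
        perror("seccomp");
        return 1;
    }
    printf("native getpid after filter:      %ld\n", (long)syscall(SYS_getpid));
    printf("32-bit ABI getpid after filter:  %ld\n", probe_i386_getpid());
    return 0;
}
```

On an x86-64 host the last line prints -1 (the EPERM the filter returns), while native calls keep working; a 32-bit ELF started under this filter would have every syscall of its dynamic loader fail the same way. Michael's point still stands: the CPU executes 32-bit instructions natively, and the filter only cuts the binary off from the kernel. Note that SECCOMP_RET_ERRNO is used here so the process survives to print the result; for a container boundary the kill action is the stricter choice.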