On Fri, Jun 20, 2014 at 03:40:42PM -0500, Serge Hallyn wrote:
> Blacklist module loading, kexec, and open_by_handle_at (the cause of the
> not-docker-specific dockerinit mounts namespace escape).
>
> This should be applied to all arches, but iiuc stgraber will be doing
> some reworking of the commonizations which will simplify that, so I'm
> not doing it here.
>
> Signed-off-by: Serge Hallyn <[email protected]>
Acked-by: Stéphane Graber <[email protected]> > --- > config/templates/Makefile.am | 3 ++- > config/templates/ubuntu.common.conf.in | 4 ++++ > config/templates/ubuntu.priv.seccomp | 8 ++++++++ > config/templates/ubuntu.userns.conf.in | 4 ++++ > 4 files changed, 18 insertions(+), 1 deletion(-) > create mode 100644 config/templates/ubuntu.priv.seccomp > > diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am > index d0b1c87..dec62d9 100644 > --- a/config/templates/Makefile.am > +++ b/config/templates/Makefile.am > @@ -21,4 +21,5 @@ templatesconfig_DATA = \ > ubuntu-cloud.userns.conf \ > ubuntu.common.conf \ > ubuntu.lucid.conf \ > - ubuntu.userns.conf > + ubuntu.userns.conf \ > + ubuntu.priv.seccomp > diff --git a/config/templates/ubuntu.common.conf.in > b/config/templates/ubuntu.common.conf.in > index 1ec323f..a61ed79 100644 > --- a/config/templates/ubuntu.common.conf.in > +++ b/config/templates/ubuntu.common.conf.in > @@ -68,3 +68,7 @@ lxc.cgroup.devices.allow = c 10:232 rwm > ## To use loop devices, copy the following line to the container's > ## configuration file (uncommented). > #lxc.cgroup.devices.allow = b 7:* rwm > + > +# Blacklist some syscalls which are not safe in privileged > +# containers > +lxc.seccomp = @LXCTEMPLATECONFIG@/ubuntu.priv.seccomp > diff --git a/config/templates/ubuntu.priv.seccomp > b/config/templates/ubuntu.priv.seccomp > new file mode 100644 > index 0000000..e6650ef > --- /dev/null > +++ b/config/templates/ubuntu.priv.seccomp > @@ -0,0 +1,8 @@ > +2 > +blacklist > +[all] > +kexec_load errno 1 > +open_by_handle_at errno 1 > +init_module errno 1 > +finit_module errno 1 > +delete_module errno 1 > diff --git a/config/templates/ubuntu.userns.conf.in > b/config/templates/ubuntu.userns.conf.in > index 5643744..c744b1d 100644 > --- a/config/templates/ubuntu.userns.conf.in > +++ b/config/templates/ubuntu.userns.conf.in 
> @@ -17,3 +17,7 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file > 0 0 > # Extra fstab entries as mountall can't mount those by itself > lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none > bind,optional 0 0 > lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none > bind,optional 0 0 > + > +# Default seccomp policy is not needed for unprivileged containers, and > +# non-root users cannot use seccmp without NNP anyway. > +lxc.seccomp = > -- > 2.0.0 > > _______________________________________________ > lxc-devel mailing list > [email protected] > http://lists.linuxcontainers.org/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
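Review bot: in the Makefile.am hunk, ubuntu.priv.seccomp is appended to templatesconfig_DATA so it gets installed, but unlike the neighbouring entries it is a plain file rather than one generated from a .in template, so check that it is also listed wherever this Makefile.am enumerates distributed sources (EXTRA_DIST or the equivalent); otherwise a `make dist` tarball would install ubuntu.common.conf referencing a policy file it does not ship.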
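Review bot: the `lxc.seccomp = @LXCTEMPLATECONFIG@/ubuntu.priv.seccomp` line added to ubuntu.common.conf.in is unconditional while that file is shared with the unprivileged configs, so the empty reset in ubuntu.userns.conf.in only takes effect if the userns config is included after ubuntu.common.conf; the comment should say that the userns config is expected to override this value and that include order matters. It is also worth noting in the same comment that a container config setting its own lxc.seccomp replaces this policy rather than extending it.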
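Review bot: the new ubuntu.priv.seccomp policy carries no comments, and the version-2 format has no symbolic names, so a reader has to know that `errno 1` means EPERM and why exactly these five syscalls are listed; add comment lines (the policy parser skips lines starting with `#`) tying each entry to the reason given in the commit message, for example `# open_by_handle_at: mount namespace escape` and `# return EPERM instead of killing the task so probing tools fail cleanly`. Since `blacklist` mode permits every syscall not listed, a one-line note that this is a targeted mitigation for privileged containers rather than a general hardening profile would also help whoever extends it later.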
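Review bot: typo in the comment added to ubuntu.userns.conf.in, `seccmp` should read `seccomp`. The bare `lxc.seccomp =` assignment also relies on the config parser treating an empty value as "no policy" rather than as an empty path, and on this file being parsed after ubuntu.common.conf; stating in the comment that the line deliberately clears the value set in ubuntu.common.conf would make that dependency explicit for anyone reordering the includes.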
