This updates the common config to include Serge's seccomp profile by default for privileged containers.
Signed-off-by: Stéphane Graber <[email protected]> --- config/templates/Makefile.am | 4 ++-- config/templates/common.conf.in | 4 ++++ config/templates/common.seccomp | 8 ++++++++ config/templates/ubuntu.common.conf.in | 4 ---- config/templates/ubuntu.priv.seccomp | 8 -------- config/templates/ubuntu.userns.conf.in | 4 ---- config/templates/userns.conf.in | 4 ++++ 7 files changed, 18 insertions(+), 18 deletions(-) create mode 100644 config/templates/common.seccomp delete mode 100644 config/templates/ubuntu.priv.seccomp diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am index 61b4b45..82ca8be 100644 --- a/config/templates/Makefile.am +++ b/config/templates/Makefile.am @@ -1,6 +1,6 @@ templatesconfigdir=@LXCTEMPLATECONFIG@ -EXTRA_DIST = ubuntu.priv.seccomp +EXTRA_DIST = common.seccomp templatesconfig_DATA = \ archlinux.common.conf \ @@ -8,6 +8,7 @@ templatesconfig_DATA = \ centos.common.conf \ centos.userns.conf \ common.conf \ + common.seccomp \ debian.common.conf \ debian.userns.conf \ fedora.common.conf \ @@ -26,6 +27,5 @@ templatesconfig_DATA = \ ubuntu-cloud.userns.conf \ ubuntu.common.conf \ ubuntu.lucid.conf \ - ubuntu.priv.seccomp \ ubuntu.userns.conf \ userns.conf diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in index 1616b4f..b15b5fa 100644 --- a/config/templates/common.conf.in +++ b/config/templates/common.conf.in @@ -33,3 +33,7 @@ lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom lxc.cgroup.devices.allow = c 136:* rwm # /dev/pts/* + +# Blacklist some syscalls which are not safe in privileged +# containers +lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp diff --git a/config/templates/common.seccomp b/config/templates/common.seccomp new file mode 100644 index 0000000..e6650ef --- /dev/null +++ b/config/templates/common.seccomp 
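Review bot: The new `# Blacklist some syscalls which are not safe in privileged containers` comment should also say how to opt out, since common.conf is shared by every distro template and any privileged container that legitimately needs one of the denied calls (module loading, for instance) will now get EPERM from it (the policy lists `init_module`, `finit_module`, `delete_module`, `kexec_load` and `open_by_handle_at` with `errno 1`). Suggest wording it as `# Deny a few syscalls that let root in a privileged container reach the host (kexec, kernel module loading, open_by_handle_at); clear with an empty "lxc.seccomp =" in a container's config to opt out.` userns.conf in this same patch uses exactly that empty-assignment idiom, so naming it here keeps the two files consistent. I am assuming an empty `lxc.seccomp =` parsed after the include resets the key — that is what the userns.conf hunk relies on, but the parser behaviour is not visible here.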
@@ -0,0 +1,8 @@
+2
+blacklist
+[all]
+kexec_load errno 1
+open_by_handle_at errno 1
+init_module errno 1
+finit_module errno 1
+delete_module errno 1
diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
index ee008e2..631b4bb 100644
--- a/config/templates/ubuntu.common.conf.in
+++ b/config/templates/ubuntu.common.conf.in
@@ -42,7 +42,3 @@ lxc.cgroup.devices.allow = c 10:232 rwm
 ## To use loop devices, copy the following line to the container's
 ## configuration file (uncommented).
 #lxc.cgroup.devices.allow = b 7:* rwm
-
-# Blacklist some syscalls which are not safe in privileged
-# containers
-lxc.seccomp = @LXCTEMPLATECONFIG@/ubuntu.priv.seccomp
diff --git a/config/templates/ubuntu.priv.seccomp b/config/templates/ubuntu.priv.seccomp
deleted file mode 100644
index e6650ef..0000000
--- a/config/templates/ubuntu.priv.seccomp
+++ /dev/null
@@ -1,8 +0,0 @@
-2
-blacklist
-[all]
-kexec_load errno 1
-open_by_handle_at errno 1
-init_module errno 1
-finit_module errno 1
-delete_module errno 1
diff --git a/config/templates/ubuntu.userns.conf.in b/config/templates/ubuntu.userns.conf.in
index e25270c..0d73464 100644
--- a/config/templates/ubuntu.userns.conf.in
+++ b/config/templates/ubuntu.userns.conf.in
@@ -4,7 +4,3 @@ lxc.include = @LXCTEMPLATECONFIG@/userns.conf
 # Extra fstab entries as mountall can't mount those by itself
 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
-
-# Default seccomp policy is not needed for unprivileged containers, and
-# non-root users cannot use seccmp without NNP anyway.
-lxc.seccomp =
diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in
index 5dc19c7..2d9d7d5 100644
--- a/config/templates/userns.conf.in
+++ b/config/templates/userns.conf.in
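Review bot: common.seccomp has no comments at all, so a reader cannot tell what `2`, `blacklist`, `[all]` and `errno 1` mean or why these five syscalls in particular are denied, and for a deny-list that context matters because everything not named stays allowed. If the lxc policy parser tolerates `#` comments (I believe the v2 format does — please confirm), add a header like `# lxc seccomp policy, version 2, deny-list for all architectures; each listed syscall fails with errno 1 (EPERM) rather than killing the task` and a one-line reason per entry, e.g. `# open_by_handle_at: presumably denied because with CAP_DAC_READ_SEARCH it opens host inodes by handle, bypassing the container rootfs`. Also worth checking whether the target kernels expose `kexec_file_load`; if so it belongs next to `kexec_load`, since a deny-list silently misses any sibling syscall it does not name.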
@@ -13,3 +13,7 @@ lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
 lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
 lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
 lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+
+# Default seccomp policy is not needed for unprivileged containers, and
+# non-root users cannot use seccmp without NNP anyway.
+lxc.seccomp =
-- 
1.9.1
_______________________________________________
lxc-devel mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-devel
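Review bot: The comment on the new `lxc.seccomp =` line has a typo (`seccmp`) and an unexplained abbreviation; suggest `# No default seccomp policy for unprivileged containers: it is not needed there, and an unprivileged process can only install a seccomp filter once no_new_privs (NNP) is set.` The empty assignment also only takes effect if userns.conf is parsed after the `lxc.seccomp = …/common.seccomp` line that common.conf sets (later assignments presumably override earlier ones), so add `# Must be included after common.conf so this empty value overrides its lxc.seccomp.` Whether userns.conf itself includes common.conf, or relies on each distro's userns.conf to include both in the right order, is not visible in this hunk; the ubuntu.userns.conf hunk shows it including userns.conf, but its first lines are outside the patch.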
