Quoting Stéphane Graber ([email protected]): > This updates the common config to include Serge's seccomp profile by > default for privileged containers. > > Signed-off-by: Stéphane Graber <[email protected]>
Acked-by: Serge E. Hallyn <[email protected]>
> ---
> config/templates/Makefile.am | 4 ++--
> config/templates/common.conf.in | 4 ++++
> config/templates/common.seccomp | 8 ++++++++
> config/templates/ubuntu.common.conf.in | 4 ----
> config/templates/ubuntu.priv.seccomp | 8 --------
> config/templates/ubuntu.userns.conf.in | 4 ----
> config/templates/userns.conf.in | 4 ++++
> 7 files changed, 18 insertions(+), 18 deletions(-)
> create mode 100644 config/templates/common.seccomp
> delete mode 100644 config/templates/ubuntu.priv.seccomp
>
> diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
> index 61b4b45..82ca8be 100644
> --- a/config/templates/Makefile.am
> +++ b/config/templates/Makefile.am
> @@ -1,6 +1,6 @@
> templatesconfigdir=@LXCTEMPLATECONFIG@
>
> -EXTRA_DIST = ubuntu.priv.seccomp
> +EXTRA_DIST = common.seccomp
>
> templatesconfig_DATA = \
> archlinux.common.conf \
> @@ -8,6 +8,7 @@ templatesconfig_DATA = \
> centos.common.conf \
> centos.userns.conf \
> common.conf \
> + common.seccomp \
> debian.common.conf \
> debian.userns.conf \
> fedora.common.conf \
> @@ -26,6 +27,5 @@ templatesconfig_DATA = \
> ubuntu-cloud.userns.conf \
> ubuntu.common.conf \
> ubuntu.lucid.conf \
> - ubuntu.priv.seccomp \
> ubuntu.userns.conf \
> userns.conf
> diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in
> index 1616b4f..b15b5fa 100644
> --- a/config/templates/common.conf.in
> +++ b/config/templates/common.conf.in
> @@ -33,3 +33,7 @@ lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx
> lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
> lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
> lxc.cgroup.devices.allow = c 136:* rwm # /dev/pts/*
> +
> +# Blacklist some syscalls which are not safe in privileged
> +# containers
> +lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp
> diff --git a/config/templates/common.seccomp b/config/templates/common.seccomp
> new file mode 100644
> index 0000000..e6650ef
> --- /dev/null
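Review bot: The added `lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp` line now applies to every template that includes common.conf, and the unprivileged case depends on the empty `lxc.seccomp =` added to userns.conf.in clearing it again, which only holds if userns.conf is processed after common.conf — that include order is not visible in this hunk, so it is worth confirming and stating next to the line. The two-line comment above it says neither what the profile denies nor where it is switched off; suggest `# Deny a few syscalls (module loading, kexec, open_by_handle_at) that are unsafe in privileged containers; userns.conf clears this again for unprivileged containers.`. Judging by the deletions elsewhere in this patch, the line previously lived only in ubuntu.common.conf.in, so the non-Ubuntu templates appear to gain a seccomp policy for the first time here, which would be worth a sentence in the commit message as well.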
> +++ b/config/templates/common.seccomp
> @@ -0,0 +1,8 @@
> +2
> +blacklist
> +[all]
> +kexec_load errno 1
> +open_by_handle_at errno 1
> +init_module errno 1
> +finit_module errno 1
> +delete_module errno 1
> diff --git a/config/templates/ubuntu.common.conf.in > b/config/templates/ubuntu.common.conf.in
> index ee008e2..631b4bb 100644
> --- a/config/templates/ubuntu.common.conf.in
> +++ b/config/templates/ubuntu.common.conf.in
> @@ -42,7 +42,3 @@ lxc.cgroup.devices.allow = c 10:232 rwm
> ## To use loop devices, copy the following line to the container's
> ## configuration file (uncommented).
> #lxc.cgroup.devices.allow = b 7:* rwm
> -
> -# Blacklist some syscalls which are not safe in privileged
> -# containers
> -lxc.seccomp = @LXCTEMPLATECONFIG@/ubuntu.priv.seccomp
> diff --git a/config/templates/ubuntu.priv.seccomp > b/config/templates/ubuntu.priv.seccomp
> deleted file mode 100644
> index e6650ef..0000000
> --- a/config/templates/ubuntu.priv.seccomp
> +++ /dev/null
> @@ -1,8 +0,0 @@
> -2
> -blacklist
> -[all]
> -kexec_load errno 1
> -open_by_handle_at errno 1
> -init_module errno 1
> -finit_module errno 1
> -delete_module errno 1
> diff --git a/config/templates/ubuntu.userns.conf.in > b/config/templates/ubuntu.userns.conf.in
> index e25270c..0d73464 100644
> --- a/config/templates/ubuntu.userns.conf.in
> +++ b/config/templates/ubuntu.userns.conf.in
> @@ -4,7 +4,3 @@ lxc.include = @LXCTEMPLATECONFIG@/userns.conf
> # Extra fstab entries as mountall can't mount those by itself
> lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none > bind,optional 0 0
> lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none > bind,optional 0 0
> -
> -# Default seccomp policy is not needed for unprivileged containers, and
> -# non-root users cannot use seccmp without NNP anyway.
> -lxc.seccomp =
> diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in
> index 5dc19c7..2d9d7d5 100644
> --- a/config/templates/userns.conf.in
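Review bot: The new common.seccomp carries no comment explaining that it is a deny-list (`blacklist` under format version `2`, `[all]` architectures) which makes only the five listed syscalls fail with `errno 1` (EPERM) and leaves every other syscall allowed; now that it is installed for every privileged container rather than only Ubuntu, a short header would help maintainers judge what it does and does not cover. If the version-2 parser accepts `#` comment lines, something like `# Minimal deny-list for privileged containers: module loading, kexec and open_by_handle_at fail with EPERM; anything not listed is allowed.` would do. The content is byte-identical to the deleted ubuntu.priv.seccomp (both sides show blob e6650ef), so Ubuntu behaviour is unchanged; the remaining hunks on this line are pure deletions of the Ubuntu-specific copies and need no separate note.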
> +++ b/config/templates/userns.conf.in
> @@ -13,3 +13,7 @@ lxc.mount.entry = /dev/random dev/random none > bind,create=file 0 0
> lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
> lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
> lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
> +
> +# Default seccomp policy is not needed for unprivileged containers, and
> +# non-root users cannot use seccmp without NNP anyway.
> +lxc.seccomp =
> --
> 1.9.1
>
> _______________________________________________
> lxc-devel mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-devel
_______________________________________________ lxc-devel mailing list [email protected] http://lists.linuxcontainers.org/listinfo/lxc-devel
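Review bot: The comment added to userns.conf.in misspells seccomp as `seccmp`, and `NNP` is an abbreviation a reader of a config template may not recognise; suggest `# non-root users cannot use seccomp without NNP (no_new_privs) anyway.`. The empty `lxc.seccomp =` is presumably what discards the profile that common.conf now sets for every template, so the comment could say that directly, e.g. `# Clear the lxc.seccomp profile set in common.conf: it is not needed for unprivileged containers, and`. Stating the dependency on common.conf here makes it less likely that a later edit to either file silently re-enables or drops the policy for the wrong class of container.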
