If a container has a bind mount from a host nfs or fuse
filesystem, and does 'umount -f', it will disconnect the
host's filesystem.  This patch adds a seccomp rule to
block umount -f from a container.  It also adds that rule
to the default seccomp profile.

Thanks stgraber for the idea :)

Signed-off-by: Serge Hallyn <[email protected]>
---
 config/templates/common.seccomp |  1 +
 src/lxc/seccomp.c               | 14 ++++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/config/templates/common.seccomp b/config/templates/common.seccomp
index e6650ef..6f8eeba 100644
--- a/config/templates/common.seccomp
+++ b/config/templates/common.seccomp
@@ -1,5 +1,6 @@
 2
 blacklist
+reject_force_umount  # comment this to allow umount -f;  not recommended
 [all]
 kexec_load errno 1
 open_by_handle_at errno 1
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index dfdedf2..825d8a1 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -28,6 +28,7 @@
 #include <errno.h>
 #include <seccomp.h>
 #include <sys/utsname.h>
+#include <sys/mount.h>
 
 #include "config.h"
 #include "lxcseccomp.h"
@@ -186,6 +187,18 @@ bool do_resolve_add_rule(uint32_t arch, char *line, 
scmp_filter_ctx ctx,
                ERROR("BUG: seccomp: rule and context arch do not match (arch 
%d)", arch);
                return false;
        }
+
+       if (strncmp(line, "reject_force_umount", 19) == 0) {
+               INFO("Setting seccomp rule to reject force umounts\n");
+               ret = seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EACCES), 
SCMP_SYS(umount2),
+                               1, SCMP_A1(SCMP_CMP_MASKED_EQ , MNT_FORCE , 
MNT_FORCE ));
+               if (ret < 0) {
+                       ERROR("failed (%d) loading rule to reject force 
umount", ret);
+                       return false;
+               }
+               return true;
+       }
+
        nr = seccomp_syscall_resolve_name(line);
        if (nr == __NR_SCMP_ERROR) {
                WARN("Seccomp: failed to resolve syscall: %s", line);
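Review bot: The `strncmp(line, "reject_force_umount", 19) == 0` test is a prefix match, so any line that merely begins with that token (a misspelling such as `reject_force_umounts`, say) is silently treated as the directive instead of falling through to `seccomp_syscall_resolve_name` and producing the "failed to resolve syscall" warning; `strcmp(line, "reject_force_umount") == 0`, or a check that the character after the 19th is a terminator or whitespace, would make the directive exact. Whether the trailing `# ...` comment on the template line ever reaches this function depends on the caller's comment stripping, which is outside the hunk, so a strict `strcmp` should only be adopted once that stripping is confirmed. The `INFO("Setting seccomp rule to reject force umounts\n")` message carries a trailing newline that the neighbouring `ERROR`/`WARN` calls do not; drop it for consistency. A short comment above the block would also help the next reader, e.g. `/* Refuse umount2() calls with MNT_FORCE in the flags argument (EACCES): forcing an unmount of a bind-mounted nfs/fuse filesystem disconnects the host's filesystem. */`. The enclosing do_resolve_add_rule body starts and ends outside this hunk.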
@@ -393,6 +406,7 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
                        goto bad;
                }
        }
+
        return 0;
 
 bad_arch:
-- 
2.1.0
