On Fri, Dec 19, 2014 at 06:22:55PM +0000, Serge Hallyn wrote: > If a container has a bind mount from a host nfs or fuse > filesystem, and does 'umount -f', it will disconnect the > host's filesystem. This patch adds a seccomp rule to > block umount -f from a container. It also adds that rule > to the default seccomp profile. > > Thanks stgraber for the idea :) > > Signed-off-by: Serge Hallyn <[email protected]>
Acked-by: Stéphane Graber <[email protected]>
> ---
> config/templates/common.seccomp | 1 +
> src/lxc/seccomp.c | 14 ++++++++++++++
> 2 files changed, 15 insertions(+)
>
> diff --git a/config/templates/common.seccomp b/config/templates/common.seccomp
> index e6650ef..6f8eeba 100644
> --- a/config/templates/common.seccomp
> +++ b/config/templates/common.seccomp
> @@ -1,5 +1,6 @@
> 2
> blacklist
> +reject_force_umount # comment this to allow umount -f; not recommended
> [all]
> kexec_load errno 1
> open_by_handle_at errno 1
> diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
> index dfdedf2..825d8a1 100644
> --- a/src/lxc/seccomp.c
> +++ b/src/lxc/seccomp.c
> @@ -28,6 +28,7 @@
> #include <errno.h>
> #include <seccomp.h>
> #include <sys/utsname.h>
> +#include <sys/mount.h>
>
> #include "config.h"
> #include "lxcseccomp.h"
> @@ -186,6 +187,18 @@ bool do_resolve_add_rule(uint32_t arch, char *line,
> scmp_filter_ctx ctx,
> ERROR("BUG: seccomp: rule and context arch do not match (arch
> %d)", arch);
> return false;
> }
> +
> + if (strncmp(line, "reject_force_umount", 19) == 0) {
> + INFO("Setting seccomp rule to reject force umounts\n");
> + ret = seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EACCES),
> SCMP_SYS(umount2),
> + 1, SCMP_A1(SCMP_CMP_MASKED_EQ , MNT_FORCE ,
> MNT_FORCE ));
> + if (ret < 0) {
> + ERROR("failed (%d) loading rule to reject force
> umount", ret);
> + return false;
> + }
> + return true;
> + }
> +
> nr = seccomp_syscall_resolve_name(line);
> if (nr == __NR_SCMP_ERROR) {
> WARN("Seccomp: failed to resolve syscall: %s", line);
> @@ -393,6 +406,7 @@ static int parse_config_v2(FILE *f, char *line, struct
> lxc_conf *conf)
> goto bad;
> }
> }
> +
> return 0;
>
> bad_arch:
> --
> 2.1.0
>
> _______________________________________________
> lxc-devel mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-devel
-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
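Review bot: In the reject_force_umount branch added to do_resolve_add_rule, `INFO("Setting seccomp rule to reject force umounts\n");` carries a trailing `\n` while the neighbouring `ERROR` and `WARN` calls in the same hunk pass their messages without one, so the log line would presumably end up double-spaced; it should read `INFO("Setting seccomp rule to reject force umounts");`. The literal `19` in `strncmp(line, "reject_force_umount", 19)` is the keyword length counted by hand and the comparison only prefix-matches, so any config line beginning with that text is accepted; `sizeof("reject_force_umount") - 1` keeps the length tied to the string, and a comment such as `/* prefix match: the keyword may be followed by a trailing comment */` would record why a full-string compare is not used. The spacing in `SCMP_A1(SCMP_CMP_MASKED_EQ , MNT_FORCE , MNT_FORCE )` is also out of step with the other calls in the hunk. do_resolve_add_rule begins before this hunk and continues after it.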
