The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/6341
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
From 543f021101c6fe5aad6b2b0e207da0dac8167852 Mon Sep 17 00:00:00 2001 From: Christian Brauner <christian.brau...@ubuntu.com> Date: Wed, 23 Oct 2019 01:00:46 +0200 Subject: [PATCH] seccomp: protect against syscall supervision override Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com> --- lxd/seccomp/seccomp.go | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/lxd/seccomp/seccomp.go b/lxd/seccomp/seccomp.go index 9c00e2eaac..b194868e56 100644 --- a/lxd/seccomp/seccomp.go +++ b/lxd/seccomp/seccomp.go @@ -261,6 +261,9 @@ init_module errno 38 finit_module errno 38 delete_module errno 38 ` +const seccompNotifyDisallow = `seccomp errno 22 [1,2146435072,SCMP_CMP_MASKED_EQ,2146435072] +seccomp errno 22 [1,8,SCMP_CMP_MASKED_EQ,8] +` const seccompNotifyMknod = `mknod notify [1,8192,SCMP_CMP_MASKED_EQ,61440] mknod notify [1,24576,SCMP_CMP_MASKED_EQ,61440] @@ -447,6 +450,10 @@ func seccompGetPolicyContent(c Instance) (string, error) { if shared.IsTrue(config["security.syscalls.intercept.setxattr"]) { policy += seccompNotifySetxattr } + + // Prevent the container from overriding our syscall + // supervision. + policy += seccompNotifyDisallow } if whitelist != "" {
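Review bot: the two `seccompNotifyDisallow` rules in the first hunk are magic numbers with no comment. Argument index 1 is the flags argument of seccomp(2) and `8` is SECCOMP_FILTER_FLAG_NEW_LISTENER (1 << 3), so the second rule fails any attempt to install a filter with its own notification listener with errno 22 (EINVAL); the mask/value 2146435072 (0x7ff00000) in the first rule is explained nowhere in the hunk. Suggest a comment on each rule naming the flag bits it matches, e.g. `// seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, ...) -> EINVAL`, so a reader can check the values against the kernel headers.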
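Review bot: the comment in the second hunk ("Prevent the container from overriding our syscall supervision") says what is prevented but not how; state that the appended rules make seccomp(2) calls carrying the new-listener flag fail with EINVAL. It would also help to say why `policy += seccompNotifyDisallow` is added outside the `security.syscalls.intercept.*` checks rather than only when at least one intercept option is true, since with none enabled there is no supervision for the container to override.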
_______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel