For a privileged LXD container we have a way to protect from this:
lxc config edit <ct_name> and add:
raw.seccomp: |-
  2
  denylist
  [all]
  reject_force_umount
  [all]
  kexec_load errno 38
  open_by_handle_at errno 38
  init_module errno 38
  delete_module errno 38
  madvise errno 1 [2,100,SCMP_CMP_EQ]  # advice arg (index 2) == MADV_HWPOISON (100) -> EPERM
  madvise errno 1 [2,101,SCMP_CMP_EQ]  # advice arg (index 2) == MADV_SOFT_OFFLINE (101) -> EPERM
But I'm pretty sure that there are a lot of other ways to make problems
for the entire machine from a privileged container. Not only this one.
https://bugs.launchpad.net/bugs/2121542
Title:
MADV_HWPOISON on vdso is pretty dire, can be done within a container
for system denial of service attack
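To check a raw.seccomp policy like the one above before applying it to a container, the following Python evaluator parses the LXC seccomp v2 text format (version line, denylist/allowlist mode, `[arch]` sections, `reject_force_umount`, and per-rule argument filters such as `[2,100,SCMP_CMP_EQ]`) and answers what the policy would do for a given syscall and argument vector. This is an added example, not code from LXD, LXC or the bug comment; the sample policy embedded in it is the one from the comment, and its assumptions (a denylist rule with no explicit action is treated as `kill`, only the `[all]` section and one named architecture are considered, and comparison operators are limited to the libseccomp `SCMP_CMP_*` names) are marked in the code.

```python
"""Evaluator for LXC seccomp v2 policies (the format LXD's raw.seccomp accepts).

Added example, not LXC/LXD code. Assumptions: a denylist rule without an
explicit action means "kill"; only the [all] section and one named arch are
honoured; argument filters use the libseccomp SCMP_CMP_* comparison names.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# madvise(2) advice values from <asm-generic/mman-common.h>
MADV_DONTNEED = 4
MADV_HWPOISON = 100
MADV_SOFT_OFFLINE = 101

_CMP = {
    "SCMP_CMP_EQ": lambda a, v: a == v,
    "SCMP_CMP_NE": lambda a, v: a != v,
    "SCMP_CMP_LT": lambda a, v: a < v,
    "SCMP_CMP_LE": lambda a, v: a <= v,
    "SCMP_CMP_GT": lambda a, v: a > v,
    "SCMP_CMP_GE": lambda a, v: a >= v,
}
_ARG_RE = re.compile(r"\[(\d+),(\d+),(SCMP_CMP_[A-Z]+)\]")


@dataclass
class Rule:
    syscall: str
    action: str                       # "kill", "errno", "allow", ...
    errno: Optional[int]
    args: List[Tuple[int, int, str]]  # (argument index, value, comparison)

    def matches(self, syscall: str, args: List[int]) -> bool:
        """True when the syscall name and every argument filter match."""
        if syscall != self.syscall:
            return False
        for idx, val, op in self.args:
            if idx >= len(args) or not _CMP[op](args[idx], val):
                return False
        return True


@dataclass
class Policy:
    mode: str                         # "denylist" or "allowlist"
    reject_force_umount: bool = False
    rules: List[Rule] = field(default_factory=list)


def parse_policy(text: str, arch: str = "x86_64") -> Policy:
    # Strip '#' comments and blank lines, as the LXC parser does.
    lines = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]
    if len(lines) < 2 or lines[0] != "2":
        raise ValueError("only seccomp policy version 2 is supported")
    mode = {"denylist": "denylist", "blacklist": "denylist",
            "allowlist": "allowlist", "whitelist": "allowlist"}.get(lines[1].split()[0])
    if mode is None:
        raise ValueError("second line must be denylist/allowlist")
    pol = Policy(mode=mode)
    active = True  # rules outside any [section] apply to every arch
    for ln in lines[2:]:
        if ln.startswith("[") and ln.endswith("]"):
            active = ln[1:-1] in ("all", arch)
            continue
        if ln == "reject_force_umount":      # special directive, position-independent
            pol.reject_force_umount = True
            continue
        if not active:
            continue
        args = [(int(i), int(v), op) for i, v, op in _ARG_RE.findall(ln)]
        words = _ARG_RE.sub("", ln).split()
        syscall = words[0]
        # Assumption: no action on a denylist rule means "kill".
        action = words[1] if len(words) > 1 else ("kill" if mode == "denylist" else "allow")
        errno = int(words[2]) if action == "errno" and len(words) > 2 else None
        pol.rules.append(Rule(syscall, action, errno, args))
    return pol


def decide(pol: Policy, syscall: str, args: List[int]) -> str:
    """Return what the policy does for one call: 'allow', 'kill' or 'errno N'."""
    for rule in pol.rules:
        if rule.matches(syscall, args):
            if pol.mode == "allowlist":
                return "allow"
            return f"errno {rule.errno}" if rule.action == "errno" else rule.action
    return "allow" if pol.mode == "denylist" else "kill"


# The policy from the bug comment above (the content of raw.seccomp).
EXAMPLE_POLICY = """2
denylist
[all]
reject_force_umount
[all]
kexec_load errno 38
open_by_handle_at errno 38
init_module errno 38
delete_module errno 38
madvise errno 1 [2,100,SCMP_CMP_EQ]
madvise errno 1 [2,101,SCMP_CMP_EQ]
"""

if __name__ == "__main__":
    pol = parse_policy(EXAMPLE_POLICY)
    for advice in (MADV_DONTNEED, MADV_HWPOISON, MADV_SOFT_OFFLINE):
        print(f"madvise(addr, len, {advice}) -> {decide(pol, 'madvise', [0, 4096, advice])}")
    print("kexec_load ->", decide(pol, "kexec_load", []))
```

Running it shows that the two madvise rules deny only the poisoning advice values (EPERM, errno 1) while ordinary advice such as MADV_DONTNEED still passes, which is the property worth confirming before rolling the policy out to every privileged container.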