Skip to content

L
lxc
Commit 2d5aad5f by Serge Hallyn Committed by Stéphane Graber
Options

ubuntu containers: use a seccomp filter by default (v2)

Blacklist module loading, kexec, and open_by_handle_at (the cause of the not-docker-specific dockerinit mounts namespace escape). This should be applied to all arches, but iiuc stgraber will be doing some reworking of the commonizations which will simplify that, so I'm not doing it here. Signed-off-by: 's avatarSerge Hallyn <serge.hallyn@ubuntu.com> Acked-by: 's avatarStéphane Graber <stgraber@ubuntu.com>
parent 0995cb73
Showing with 18 additions and 1 deletion
config/templates/Makefile.am
...@@ -19,4 +19,5 @@ templatesconfig_DATA = \ ...@@ -19,4 +19,5 @@ templatesconfig_DATA = \
ubuntu-cloud.userns.conf \ ubuntu-cloud.userns.conf \
ubuntu.common.conf \ ubuntu.common.conf \
ubuntu.lucid.conf \ ubuntu.lucid.conf \
ubuntu.userns.conf ubuntu.userns.conf \
ubuntu.priv.seccomp
config/templates/ubuntu.common.conf.in
...@@ -68,3 +68,7 @@ lxc.cgroup.devices.allow = c 10:232 rwm ...@@ -68,3 +68,7 @@ lxc.cgroup.devices.allow = c 10:232 rwm
## To use loop devices, copy the following line to the container's ## To use loop devices, copy the following line to the container's
## configuration file (uncommented). ## configuration file (uncommented).
#lxc.cgroup.devices.allow = b 7:* rwm #lxc.cgroup.devices.allow = b 7:* rwm
# Blacklist some syscalls which are not safe in privileged
# containers
lxc.seccomp = @LXCTEMPLATECONFIG@/ubuntu.priv.seccomp
config/templates/ubuntu.priv.seccomp 0 → 100644
2
blacklist
[all]
kexec_load errno 1
open_by_handle_at errno 1
init_module errno 1
finit_module errno 1
delete_module errno 1
config/templates/ubuntu.userns.conf.in
...@@ -17,3 +17,7 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 ...@@ -17,3 +17,7 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
# Extra fstab entries as mountall can't mount those by itself # Extra fstab entries as mountall can't mount those by itself
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
# Default seccomp policy is not needed for unprivileged containers, and
# non-root users cannot use seccmp without NNP anyway.
lxc.seccomp =
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment