Commit 6166fa6d by Serge Hallyn Committed by Stéphane Graber

seccomp: add rule to reject umount -f

If a container has a bind mount from a host nfs or fuse filesystem, and does 'umount -f', it will disconnect the host's filesystem. This patch adds a seccomp rule to block umount -f from a container. It also adds that rule to the default seccomp profile. Thanks stgraber for the idea :) Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
parent ec64264d
2
blacklist
reject_force_umount # comment this to allow umount -f; not recommended
[all]
kexec_load errno 1
open_by_handle_at errno 1
......
......@@ -28,6 +28,7 @@
#include <errno.h>
#include <seccomp.h>
#include <sys/utsname.h>
#include <sys/mount.h>
#include "config.h"
#include "lxcseccomp.h"
......@@ -186,6 +187,18 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
ERROR("BUG: seccomp: rule and context arch do not match (arch %d)", arch);
return false;
}
if (strncmp(line, "reject_force_umount", 19) == 0) {
INFO("Setting seccomp rule to reject force umounts\n");
ret = seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(umount2),
1, SCMP_A1(SCMP_CMP_MASKED_EQ , MNT_FORCE , MNT_FORCE ));
if (ret < 0) {
ERROR("failed (%d) loading rule to reject force umount", ret);
return false;
}
return true;
}
nr = seccomp_syscall_resolve_name(line);
if (nr == __NR_SCMP_ERROR) {
WARN("Seccomp: failed to resolve syscall: %s", line);
......@@ -393,6 +406,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
goto bad;
}
}
return 0;
bad_arch:
......
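Review bot: The new `reject_force_umount` branch in do_resolve_add_rule (hunk -186,6 +187,18) carries no comment saying why umount2 with MNT_FORCE is refused, so the rationale lives only in the commit message; a comment such as `/* umount -f on a bind mount of a host nfs/fuse filesystem would disconnect the host's mount; refuse MNT_FORCE with EACCES */` above the seccomp_rule_add_exact call would keep it with the code. The match `strncmp(line, "reject_force_umount", 19)` uses a hard-coded length and is a prefix test, which looks intended so that a trailing comment like the one in the default profile still matches, but `strncmp(line, "reject_force_umount", strlen("reject_force_umount"))` avoids the literal 19 drifting from the keyword. The INFO message ends with `\n` while the neighbouring ERROR and WARN messages do not, so the log output will likely carry a stray blank line; drop it: `INFO("Setting seccomp rule to reject force umounts");`. The rule masks only MNT_FORCE, so a lazy unmount (MNT_DETACH, `umount -l`) stays permitted, which is worth stating in that comment since the profile text mentions only 'umount -f'. do_resolve_add_rule starts and ends outside the hunk.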