Enable default seccomp profile for all distros

This updates the common config to include Serge's seccomp profile by default for privileged containers. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Enable default seccomp profile for all distros
6e39e4cb · Stéphane Graber · 616d626b · 6e39e4cb · 6e39e4cb · 6e39e4cb
Commit 6e39e4cb authored Jul 01, 2014 by Stéphane Graber
6 changed files
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
 templatesconfigdir=@LXCTEMPLATECONFIG@
-EXTRA_DIST = ubuntu.priv.seccomp
+EXTRA_DIST = common.seccomp
 templatesconfig_DATA = \
 	archlinux.common.conf \
@@ -8,6 +8,7 @@ templatesconfig_DATA = \
 	centos.common.conf \
 	centos.userns.conf \
 	common.conf \
+	common.seccomp \
 	debian.common.conf \
 	debian.userns.conf \
 	fedora.common.conf \
@@ -26,6 +27,5 @@ templatesconfig_DATA = \
 	ubuntu-cloud.userns.conf \
 	ubuntu.common.conf \
 	ubuntu.lucid.conf \
-	ubuntu.priv.seccomp \
 	ubuntu.userns.conf \
 	userns.conf
--- a/config/templates/common.conf.in
+++ b/config/templates/common.conf.in
@@ -33,3 +33,7 @@ lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx
 lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
 lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
 lxc.cgroup.devices.allow = c 136:* rwm	# /dev/pts/*
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp
--- a/config/templates/ubuntu.priv.seccomp
+++ b/config/templates/ubuntu.priv.seccomp
--- a/config/templates/ubuntu.common.conf.in
+++ b/config/templates/ubuntu.common.conf.in
@@ -42,7 +42,3 @@ lxc.cgroup.devices.allow = c 10:232 rwm
 ## To use loop devices, copy the following line to the container's
 ## configuration file (uncommented).
 #lxc.cgroup.devices.allow = b 7:* rwm
-# Blacklist some syscalls which are not safe in privileged
-# containers
-lxc.seccomp = @LXCTEMPLATECONFIG@/ubuntu.priv.seccomp
--- a/config/templates/ubuntu.userns.conf.in
+++ b/config/templates/ubuntu.userns.conf.in
@@ -4,7 +4,3 @@ lxc.include = @LXCTEMPLATECONFIG@/userns.conf
 # Extra fstab entries as mountall can't mount those by itself
 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
-# Default seccomp policy is not needed for unprivileged containers, and
-# non-root users cannot use seccmp without NNP anyway.
-lxc.seccomp =
--- a/config/templates/userns.conf.in
+++ b/config/templates/userns.conf.in
@@ -13,3 +13,7 @@ lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
 lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
 lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
 lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+# Default seccomp policy is not needed for unprivileged containers, and
+# non-root users cannot use seccmp without NNP anyway.
+lxc.seccomp =