Enable default seccomp profile for all distros

This updates the common config to include Serge's seccomp profile by default for privileged containers. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Enable default seccomp profile for all distros
82866e3c · Stéphane Graber · 3a8c6134 · 82866e3c · 82866e3c · 82866e3c
Commit 82866e3c authored Jul 01, 2014 by Stéphane Graber
15 changed files
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
 templatesconfigdir=@LXCTEMPLATECONFIG@
-EXTRA_DIST = ubuntu.priv.seccomp
+EXTRA_DIST = common.seccomp
 templatesconfig_DATA = \
 	centos.common.conf \
 	centos.userns.conf \
+	common.seccomp \
 	debian.common.conf \
 	debian.userns.conf \
 	fedora.common.conf \
@@ -21,5 +22,4 @@ templatesconfig_DATA = \
 	ubuntu-cloud.userns.conf \
 	ubuntu.common.conf \
 	ubuntu.lucid.conf \
-	ubuntu.userns.conf \
+	ubuntu.userns.conf
-	ubuntu.priv.seccomp
--- a/config/templates/centos.common.conf.in
+++ b/config/templates/centos.common.conf.in
@@ -45,3 +45,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
 lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
 lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
 lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp
--- a/config/templates/centos.userns.conf.in
+++ b/config/templates/centos.userns.conf.in
@@ -18,3 +18,7 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
 # Extra fstab entries as mountall can't mount those by itself
 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+# Default seccomp policy is not needed for unprivileged containers, and
+# non-root users cannot use seccmp without NNP anyway.
+lxc.seccomp =
--- a/config/templates/ubuntu.priv.seccomp
+++ b/config/templates/ubuntu.priv.seccomp
--- a/config/templates/debian.common.conf.in
+++ b/config/templates/debian.common.conf.in
@@ -60,3 +60,7 @@ lxc.cgroup.devices.allow = c 10:232 rwm
 ## To use loop devices, copy the following line to the container's
 ## configuration file (uncommented).
 #lxc.cgroup.devices.allow = b 7:* rwm
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp
--- a/config/templates/debian.userns.conf.in
+++ b/config/templates/debian.userns.conf.in
@@ -10,3 +10,7 @@ lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
 lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
 lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
 lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+# Default seccomp policy is not needed for unprivileged containers, and
+# non-root users cannot use seccmp without NNP anyway.
+lxc.seccomp =
--- a/config/templates/fedora.common.conf.in
+++ b/config/templates/fedora.common.conf.in
@@ -47,3 +47,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
 lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
 lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
 lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp
--- a/config/templates/fedora.userns.conf.in
+++ b/config/templates/fedora.userns.conf.in
@@ -18,3 +18,7 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
 # Extra fstab entries as mountall can't mount those by itself
 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+# Default seccomp policy is not needed for unprivileged containers, and
+# non-root users cannot use seccmp without NNP anyway.
+lxc.seccomp =
--- a/config/templates/gentoo.common.conf.in
+++ b/config/templates/gentoo.common.conf.in
@@ -51,4 +51,8 @@ lxc.cgroup.devices.allow = c 10:228 rwm
 lxc.cgroup.devices.allow = c 10:232 rwm
 ## To use loop devices, copy the following line to the container's
 ## configuration file (uncommented).
 #lxc.cgroup.devices.allow = b 7:* rwm
\ No newline at end of file
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp
--- a/config/templates/gentoo.moresecure.conf.in
+++ b/config/templates/gentoo.moresecure.conf.in
@@ -56,4 +56,8 @@ lxc.cgroup.devices.allow = c 4:0 rwm
 # /dev/tty
 lxc.cgroup.devices.allow = c 5:0 rwm
 # /dev/console
 lxc.cgroup.devices.allow = c 5:1 rwm
\ No newline at end of file
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp
--- a/config/templates/gentoo.userns.conf.in
+++ b/config/templates/gentoo.userns.conf.in
@@ -17,3 +17,7 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
 # Extra fstab entries as mountall can't mount those by itself
 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+# Default seccomp policy is not needed for unprivileged containers, and
+# non-root users cannot use seccmp without NNP anyway.
+lxc.seccomp =
--- a/config/templates/oracle.common.conf.in
+++ b/config/templates/oracle.common.conf.in
@@ -43,3 +43,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
 lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
 lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
 lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp
--- a/config/templates/oracle.userns.conf.in
+++ b/config/templates/oracle.userns.conf.in
@@ -17,3 +17,7 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
 # Extra fstab entries as mountall can't mount those by itself
 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+# Default seccomp policy is not needed for unprivileged containers, and
+# non-root users cannot use seccmp without NNP anyway.
+lxc.seccomp =
--- a/config/templates/plamo.common.conf.in
+++ b/config/templates/plamo.common.conf.in
@@ -24,3 +24,7 @@ lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 254:0 rm
 # fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp
--- a/config/templates/plamo.userns.conf.in
+++ b/config/templates/plamo.userns.conf.in
@@ -10,3 +10,7 @@ lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
 lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
 lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
 lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+# Default seccomp policy is not needed for unprivileged containers, and
+# non-root users cannot use seccmp without NNP anyway.
+lxc.seccomp =