From 214a98ef56b487ed9ca5a021f2e44bb7525e82ec Mon Sep 17 00:00:00 2001
From: Serge Hallyn
Date: Fri, 20 Jun 2014 15:40:42 -0500
Subject: [PATCH] ubuntu containers: use a seccomp filter by default (v2)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Blacklist module loading, kexec, and open_by_handle_at (the cause of the not-docker-specific dockerinit mounts namespace escape). This should be applied to all arches, but iiuc stgraber will be doing some reworking of the commonizations which will simplify that, so I'm not doing it here.

Signed-off-by: Serge Hallyn
Acked-by: Stéphane Graber
---
 config/templates/Makefile.am | 3 ++-
 config/templates/ubuntu.common.conf.in | 4 ++++
 config/templates/ubuntu.priv.seccomp | 8 ++++++++
 config/templates/ubuntu.userns.conf.in | 4 ++++
 4 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 config/templates/ubuntu.priv.seccomp

diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
index d0b1c8763..dec62d98e 100644
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
@@ -21,4 +21,5 @@ templatesconfig_DATA = \
 	ubuntu-cloud.userns.conf \
 	ubuntu.common.conf \
 	ubuntu.lucid.conf \
-	ubuntu.userns.conf
+	ubuntu.userns.conf \
+	ubuntu.priv.seccomp
diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
index 1ec323fe4..a61ed79c9 100644
--- a/config/templates/ubuntu.common.conf.in
+++ b/config/templates/ubuntu.common.conf.in
@@ -68,3 +68,7 @@ lxc.cgroup.devices.allow = c 10:232 rwm
 ## To use loop devices, copy the following line to the container's
 ## configuration file (uncommented).
 #lxc.cgroup.devices.allow = b 7:* rwm
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = @LXCTEMPLATECONFIG@/ubuntu.priv.seccomp
diff --git a/config/templates/ubuntu.priv.seccomp b/config/templates/ubuntu.priv.seccomp
new file mode 100644
index 000000000..e6650ef1c
--- /dev/null
+++ b/config/templates/ubuntu.priv.seccomp
@@ -0,0 +1,8 @@
+2
+blacklist
+[all]
+kexec_load errno 1
+open_by_handle_at errno 1
+init_module errno 1
+finit_module errno 1
+delete_module errno 1
diff --git a/config/templates/ubuntu.userns.conf.in b/config/templates/ubuntu.userns.conf.in
index 5643744df..c744b1d66 100644
--- a/config/templates/ubuntu.userns.conf.in
+++ b/config/templates/ubuntu.userns.conf.in
@@ -17,3 +17,7 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
 # Extra fstab entries as mountall can't mount those by itself
 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+
+# Default seccomp policy is not needed for unprivileged containers, and
+# non-root users cannot use seccmp without NNP anyway.
+lxc.seccomp =
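Review bot: The comment above the new `lxc.seccomp =` line in ubuntu.common.conf.in says the syscalls are "not safe in privileged containers" but tells the reader neither what happens when one is hit nor that the unprivileged profile in this same patch resets the key, so someone reading this file alone cannot tell whether the filter is active for their container. The policy file uses `errno 1`, i.e. the caller gets EPERM rather than being killed, which is worth stating here because it changes how failures show up inside the container. Suggest `# Blacklist syscalls that are not safe in privileged containers (module loading,` / `# kexec, open_by_handle_at); blocked calls fail with EPERM rather than SIGKILL.` / `# ubuntu.userns.conf clears this key again for unprivileged containers.` — the last line assumes the userns config is applied after this one, which the include order should confirm.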
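Review bot: The new policy is a bare list of names with no comment saying that `errno 1` means EPERM or what `[all]` is expected to cover, and the arch question matters: if LXC's `[all]` section builds a filter only for the host's native ABI, a 32-bit binary inside a container on a 64-bit host could reach `init_module` or `open_by_handle_at` through the compat entry point, whose syscall numbers differ, which is the classic seccomp bypass and deserves a test rather than an assumption. Because this is a blacklist it protects only against the five names listed; kexec_file_load, which landed in the kernel after this patch, is the obvious later addition, and a one-line comment saying "keep this list in step with new kernel entry points for the same operations" would help the next maintainer. Assuming the v2 parser skips `#` lines after the version number, I would add a short header after `2` stating that this is an errno-returning blacklist applied to all arches, that `1` is EPERM, and why each entry is there — in particular that open_by_handle_at is the primitive behind the dockerinit mount-namespace escape named in the commit message.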
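Review bot: The comment added to ubuntu.userns.conf.in has a typo, `seccmp` for `seccomp`, and it gives the weaker reason prominence: the safety argument for dropping the filter is that, as far as I know, the kernel already refuses module loading, kexec and open_by_handle_at to a root that is not in the initial user namespace, so clearing the policy loses no protection, while the NNP clause only explains why the filter could not be installed anyway. "NNP" should also be spelled out as no_new_privs. Suggest `# The default seccomp policy is not needed in unprivileged containers: the kernel` / `# already refuses these calls outside the initial user namespace, and unprivileged` / `# users cannot install a filter without no_new_privs anyway.` Whether an empty `lxc.seccomp =` actually unsets the value inherited from ubuntu.common.conf depends on the config parser treating an empty value as a reset; that is worth checking rather than assuming.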