Mirror of https://git.proxmox.com/git/mirror_lxc (synced 2025-08-16 22:12:36 +00:00)

If a container has a bind mount from a host nfs or fuse filesystem, and does 'umount -f', it will disconnect the host's filesystem.

This patch adds a seccomp rule to block umount -f from a container. It also adds that rule to the default seccomp profile.

Thanks stgraber for the idea :)

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
10 lines
199 B
Plaintext
2
blacklist
reject_force_umount # comment this to allow umount -f; not recommended
[all]
kexec_load errno 1
open_by_handle_at errno 1
init_module errno 1
finit_module errno 1
delete_module errno 1
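
An added example, not part of the LXC source or of the file on this page: a Python check that parses a profile in the format shown above and reports whether the `reject_force_umount` line is still active or has been commented out. The grammar it accepts is an assumption inferred from this file alone, and `audit_profile` and the sample strings are hypothetical names constructed for the example.

```python
import re

# Constructed sample: the profile shown on this page.
PROFILE = """2
blacklist
reject_force_umount # comment this to allow umount -f; not recommended
[all]
kexec_load errno 1
open_by_handle_at errno 1
init_module errno 1
finit_module errno 1
delete_module errno 1
"""
# Constructed variant with the force-umount rule commented out.
DISABLED = PROFILE.replace("reject_force_umount", "#reject_force_umount", 1)


def audit_profile(text):
    """Parse a version-2 policy and report whether 'umount -f' is blocked.

    Assumed layout (inferred from the file above): a version line, a
    policy-type line, an optional 'reject_force_umount' line, then
    '[arch]' sections holding '<syscall> <action>' rules. Everything
    after '#' on a line is treated as a comment (an assumption).
    """
    lines = [re.sub(r"#.*", "", raw).strip() for raw in text.splitlines()]
    lines = [line for line in lines if line]
    if len(lines) < 2 or lines[0] != "2":
        raise ValueError("expected a version-2 policy")
    kind = lines[1].split()[0]
    if kind not in ("blacklist", "whitelist"):
        raise ValueError("unknown policy type: %r" % lines[1])
    result = {"type": kind, "reject_force_umount": False, "rules": {}}
    arch = "(none)"  # bucket for rules that appear before any [arch] header
    for line in lines[2:]:
        if line == "reject_force_umount":
            result["reject_force_umount"] = True
        elif line.startswith("[") and line.endswith("]"):
            arch = line[1:-1]
            result["rules"].setdefault(arch, {})
        else:
            syscall, _, action = line.partition(" ")
            result["rules"].setdefault(arch, {})[syscall] = action.strip()
    return result
```

Running `audit_profile` over each container's configured profile and alerting when `reject_force_umount` is `False` catches profiles where the line was commented out or dropped from a custom copy.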