mirror of
https://git.proxmox.com/git/mirror_lxc
synced 2026-03-29 07:15:05 +00:00
Hi,

This patch is so far just a proof of concept. The libseccomp api will be changing soon so it probably wouldn't be worth pulling this until it is updated for the new API.

This patch introduces support for seccomp to lxc. Seccomp lets a program restrict its own (and its children's) future access to system calls. It uses a simple whitelist system call policy file. It would probably be better to switch to something more symbolic (i.e. specifying 'open' rather than the syscall #, especially given container arch flexibility). I just wanted to get this out there as a first step.

You can also get source for an Ubuntu package based on this patch at https://code.launchpad.net/~serge-hallyn/ubuntu/quantal/lxc/lxc-seccomp

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
79 lines
2.6 KiB
Plaintext
Please see the COPYING file for details on copying and usage.
Please refer to the INSTALL file for instructions on how to build.

What is lxc:

The container technology is actively being pushed into the mainstream Linux
kernel. It provides resource management through control groups (aka
process containers) and resource isolation through namespaces.

Linux containers, lxc, aims to use these new functionalities to provide
a userspace container object which provides full resource isolation
and resource control for an application or a system.

The first objective of this project is to make life easier for the kernel
developers involved in the containers project, and especially to continue
working on the new Checkpoint/Restart features. lxc is small
enough to easily manage a container with simple command lines and complete
enough to be used for other purposes.

Using lxc:

Refer to the lxc* man pages (generated from doc/* files).

Downloading the current source code:

Source for the latest released version can always be downloaded from
http://lxc.sourceforge.net/download/lxc

You can browse the up-to-the-minute source code and change history online:
http://lxc.git.sourceforge.net

For detailed build instructions, refer to INSTALL and the lxc man page,
but a short command line should work:

./configure && make && sudo make install && sudo lxc-setcap

preceded by ./autogen.sh if configure does not exist yet.

Getting help:

When you find you need help, you can check out one of the two
lxc mailing list archives and register if interested:
https://lists.sourceforge.net/lists/listinfo/lxc-devel
https://lists.sourceforge.net/lists/listinfo/lxc-users

Portability:

lxc is still in development, so the command syntax and the API can
change. Version 1.0.0 will be the frozen version.

lxc is developed and tested on Linux since mainline kernel version 2.6.27
(without network) and 2.6.29 with network isolation.
It is compiled with gcc, and supports the i686, x86_64, ppc, ppc64 and S390
architectures.

AUTHOR

Daniel Lezcano <daniel.lezcano@free.fr>

Seccomp with LXC
----------------

To restrict a container with seccomp, you must specify a profile which is
basically a whitelist of system calls it may execute. In the container
config file, add a line like

lxc.seccomp = /var/lib/lxc/q1/seccomp.full

I created a usable (but basically worthless) seccomp.full file using

# Header: policy format version 1, policy type whitelist
cat > seccomp.full << EOF
1
whitelist
EOF
# Allowed syscall numbers, one per line
for i in `seq 0 300`; do
    echo $i >> seccomp.full
done
for i in `seq 1024 1079`; do
    echo $i >> seccomp.full
done

-- Serge Hallyn <serge.hallyn@ubuntu.com> Fri, 27 Jul 2012 15:47:02 +0600
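
A profile in this layout can be checked before a container is started with it. The script below is an added example, not part of the original README or the lxc source; it assumes the version-1 layout shown above (version line, policy line, then one syscall number per line), and the function names seccomp_profile_ranges and write_profile are hypothetical. It prints the allowed numbers as ranges, so a profile that lost a range (for example, a loop that appended to a misspelled file name) is visible at a glance.

```shell
#!/bin/sh
# Added example, not lxc code. Assumes the version-1 layout used in this README:
# line 1 is "1", line 2 is "whitelist", then one syscall number per line.

# Print the syscall numbers allowed by profile $1 as compact ranges.
# Returns 1 when the header or an entry is malformed (hypothetical helper).
seccomp_profile_ranges() {
    awk '
        NR == 1 && $0 != "1"         { bad = "unsupported version: " $0; exit }
        NR == 2 && $0 != "whitelist" { bad = "unsupported policy: " $0; exit }
        NR <= 2 || /^[ \t]*$/        { next }   # valid header line or blank line
        !/^[0-9]+$/ { bad = "line " NR ": not a syscall number: " $0; exit }
        { allowed[$0 + 0] = 1; if ($0 + 0 > max) max = $0 + 0 }
        END {
            if (bad == "" && NR < 2) bad = "missing version/policy header"
            if (bad != "") { print bad > "/dev/stderr"; exit 1 }
            # Walk one past the highest number so the final run is closed.
            for (n = 0; n <= max + 1; n++) {
                if (n in allowed) {
                    if (!inrun) { start = n; inrun = 1 }
                    continue
                }
                if (!inrun) continue
                last = n - 1; inrun = 0
                r = (start == last) ? start : (start "-" last)
                out = (out == "") ? r : (out "," r)
            }
            print out
        }' "$1"
}

# Write a v1 whitelist profile to $1 covering the "first last" pairs that follow
# (hypothetical helper, used here to build constructed sample input).
write_profile() {
    profile=$1; shift
    printf '1\nwhitelist\n' > "$profile"
    while [ $# -ge 2 ]; do seq "$1" "$2" >> "$profile"; shift 2; done
}

# Constructed sample: the same two ranges the loops in the README append.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
write_profile "$tmp/seccomp.full" 0 300 1024 1079
seccomp_profile_ranges "$tmp/seccomp.full"    # 0-300,1024-1079
```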