git.ipfire.org Git - thirdparty/lxc.git/commit
ubuntu containers: use a seccomp filter by default (v2)
author Serge Hallyn <serge.hallyn@ubuntu.com>
Fri, 20 Jun 2014 20:40:42 +0000 (15:40 -0500)
committer Stéphane Graber <stgraber@ubuntu.com>
Fri, 20 Jun 2014 21:37:06 +0000 (17:37 -0400)
commit 214a98ef56b487ed9ca5a021f2e44bb7525e82ec
tree 0e40ba502e4329a700e15d28b1f17e105b103acb
parent cd75548b25f39b4ee36dc20e70c8e1b379a287f8
ubuntu containers: use a seccomp filter by default (v2)

Blacklist module loading, kexec, and open_by_handle_at (the cause of the
not-docker-specific dockerinit mounts namespace escape).

This should be applied to all arches, but iiuc stgraber will be doing
some reworking of the commonizations which will simplify that, so I'm
not doing it here.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
config/templates/Makefile.am
config/templates/ubuntu.common.conf.in
config/templates/ubuntu.priv.seccomp [new file with mode: 0644]
config/templates/ubuntu.userns.conf.in
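The commit message says the new default filter denies module loading, kexec and open_by_handle_at. The following is an added example, not code from the lxc project or from this commit: a small checker that parses an LXC seccomp policy in the version-2 format and reports whether each of those three syscall families is actually denied. The sample policy is constructed for illustration (the committed config/templates/ubuntu.priv.seccomp is not reproduced here), and the format details assumed are: line 1 is the version, line 2 the default policy (blacklist or whitelist), "[arch]" lines open per-architecture sections with "[all]" applying everywhere, and each rule is "syscall action [errno-value]" with "#" starting a comment.

```python
"""Checker for an LXC seccomp policy in the version-2 format.

Added example, not the lxc project's own code. Format assumptions are
listed in the accompanying text; the sample policy below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Constructed sample policy (an assumption of what such a file looks like).
SAMPLE_POLICY = """\
2
blacklist
[all]
# deny loading and unloading kernel modules from inside the container
init_module errno 1
finit_module errno 1
delete_module errno 1
# deny replacing the running kernel
kexec_load errno 1
# deny opening files by handle (used for escaping the mount namespace)
open_by_handle_at errno 1
"""

# Syscall families the commit message says the default filter denies.
REQUIRED_DENIALS = {
    "module loading": {"init_module", "finit_module", "delete_module"},
    "kexec": {"kexec_load"},
    "open_by_handle_at": {"open_by_handle_at"},
}


@dataclass
class Rule:
    syscall: str
    action: str                 # "allow", "errno", "kill", "trap", ...
    errno: Optional[int] = None


@dataclass
class Policy:
    default: str                # "blacklist" or "whitelist"
    rules: dict = field(default_factory=dict)   # arch -> list[Rule]


def parse_policy(text: str) -> Policy:
    """Parse a v2 policy. Comments and blank lines are ignored."""
    lines = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]
    if len(lines) < 2 or lines[0] != "2":
        raise ValueError("only version-2 policies are handled")
    default = lines[1].split()[0]
    if default not in ("blacklist", "whitelist"):
        raise ValueError(f"unknown default policy {default!r}")
    policy = Policy(default=default)
    # Assumption: a rule with no explicit action is denied in blacklist
    # mode and allowed in whitelist mode.
    implicit_action = "kill" if default == "blacklist" else "allow"
    arch = "all"
    for line in lines[2:]:
        if line.startswith("[") and line.endswith("]"):
            arch = line[1:-1]
            policy.rules.setdefault(arch, [])
            continue
        parts = line.split()
        action = parts[1] if len(parts) > 1 else implicit_action
        errno = int(parts[2]) if action == "errno" and len(parts) > 2 else None
        policy.rules.setdefault(arch, []).append(Rule(parts[0], action, errno))
    return policy


def is_denied(policy: Policy, syscall: str, arch: str = "all") -> bool:
    """True if `syscall` is blocked for `arch` ([all] rules apply everywhere)."""
    rules = list(policy.rules.get("all", []))
    if arch != "all":
        rules += policy.rules.get(arch, [])
    matching = [r for r in rules if r.syscall == syscall]
    if policy.default == "blacklist":
        return any(r.action != "allow" for r in matching)
    # whitelist: anything not explicitly allowed is denied
    return not any(r.action == "allow" for r in matching)


def missing_denials(policy: Policy, arch: str = "all") -> dict:
    """For each required family, the syscalls the policy still permits."""
    return {
        name: {s for s in syscalls if not is_denied(policy, s, arch)}
        for name, syscalls in REQUIRED_DENIALS.items()
    }


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    for family, still_allowed in missing_denials(pol).items():
        status = "ok" if not still_allowed else f"ALLOWED: {sorted(still_allowed)}"
        print(f"{family:20s} {status}")
```

Running the script against the constructed policy reports every family as covered; feeding it a policy that only denies kexec_load shows the module-loading and open_by_handle_at gaps, which is the kind of check worth running before a template change like this one is applied to other architectures.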