git.ipfire.org Git - thirdparty/lxc.git/commit
seccomp: add rule to reject umount -f
author Serge Hallyn <serge.hallyn@ubuntu.com>
Fri, 19 Dec 2014 18:22:55 +0000 (18:22 +0000)
committer Stéphane Graber <stgraber@ubuntu.com>
Fri, 19 Dec 2014 18:42:47 +0000 (13:42 -0500)
commit 6166fa6d83b23e86a24cc2ab5cfe780fccb0a709
tree 2ebbd103dd7027409151431d6d12d2ecc9de3bc4
parent ec64264d78d4ed608553842ce9e1f07eeab2a032
seccomp: add rule to reject umount -f

If a container has a bind mount from a host nfs or fuse
filesystem, and does 'umount -f', it will disconnect the
host's filesystem.  This patch adds a seccomp rule to
block umount -f from a container.  It also adds that rule
to the default seccomp profile.

Thanks stgraber for the idea :)

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
config/templates/common.seccomp
src/lxc/seccomp.c
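
The kind of rule the commit message describes, as an added example that is not LXC's code and not taken from this commit: a raw seccomp-BPF filter that fails umount2() whenever MNT_FORCE is set (the flag `umount -f` passes) and allows everything else. The helper names, the EACCES return value and the probe path are assumptions of the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>

/* Install a filter for the calling process: umount2(target, flags) fails with
 * EACCES (assumed value) when flags contains MNT_FORCE. Assumes one native,
 * little-endian ABI; a production filter would also pin seccomp_data.arch. */
static int install_reject_force_umount(void)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_umount2, 0, 3), /* other syscall: allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, MNT_FORCE, 0, 1),   /* flag clear: allow */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };

    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) /* lets unprivileged callers load it */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Fork a child, install the filter there, and return the errno the child gets
 * from umount2(path, flags); -1 if the filter could not be installed. */
static int errno_under_filter(const char *path, int flags)
{
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        if (install_reject_force_umount() != 0)
            _exit(255);
        _exit(umount2(path, flags) == 0 ? 0 : errno);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 255)
        return -1;
    return WEXITSTATUS(status);
}

int main(void) { /* constructed probe path, expected not to exist */
    printf("forced: errno %d\n", errno_under_filter("/lxc-example-not-mounted", MNT_FORCE));
    printf("plain:  errno %d\n", errno_under_filter("/lxc-example-not-mounted", 0));
    return 0; }
```

The filter is installed only in the forked child, so the parent process stays unfiltered; the plain call reports whatever the kernel itself returns for the probe path (EPERM or ENOENT), not the filter's EACCES.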