Blacklist module loading, kexec, and open_by_handle_at (the cause of the
not-docker-specific dockerinit mounts namespace escape).
This should be applied to all arches, but iiuc stgraber will be doing
some reworking of the commonizations which will simplify that, so I'm
not doing it here.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
ubuntu-cloud.userns.conf \
ubuntu.common.conf \
ubuntu.lucid.conf \
- ubuntu.userns.conf
+ ubuntu.userns.conf \
+ ubuntu.priv.seccomp
## To use loop devices, copy the following line to the container's
## configuration file (uncommented).
#lxc.cgroup.devices.allow = b 7:* rwm
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = @LXCTEMPLATECONFIG@/ubuntu.priv.seccomp
--- /dev/null
+2
+blacklist
+[all]
+kexec_load errno 1
+open_by_handle_at errno 1
+init_module errno 1
+finit_module errno 1
+delete_module errno 1
# Extra fstab entries as mountall can't mount those by itself
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+
+# Default seccomp policy is not needed for unprivileged containers, and
+# non-root users cannot use seccmp without NNP anyway.
+lxc.seccomp =
projects / thirdparty / lxc.git / commitdiff
