Enable seccomp by default for unprivileged users.

In contrast to what the comment above the line disabling it said,
it seems to work just fine.  It also is needed on current kernels
(until Eric's patch hits upstream) to prevent unprivileged containers
from hosing fuse filesystems they inherit.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

diff --git a/config/templates/centos.userns.conf.in b/config/templates/centos.userns.conf.in
index ddcb2e5189e82ad08c5adb23e8adbe77abef3c34..f6de0e97de8d9e0b203f3b1e088e858de9054577 100644 (file)
--- a/config/templates/centos.userns.conf.in
+++ b/config/templates/centos.userns.conf.in
@@ -18,7 +18,3 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
 # Extra fstab entries as mountall can't mount those by itself
 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
-
-# Default seccomp policy is not needed for unprivileged containers, and
-# non-root users cannot use seccmp without NNP anyway.
-lxc.seccomp =

diff --git a/config/templates/debian.userns.conf.in b/config/templates/debian.userns.conf.in
index 46c7794f2dfa289712b02104cb15cd79e8ea9879..3e9600d50b343b811fd3d6d83db5de2323f679c6 100644 (file)
--- a/config/templates/debian.userns.conf.in
+++ b/config/templates/debian.userns.conf.in
@@ -10,7 +10,3 @@ lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
 lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
 lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
 lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-
-# Default seccomp policy is not needed for unprivileged containers, and
-# non-root users cannot use seccmp without NNP anyway.
-lxc.seccomp =

diff --git a/config/templates/fedora.userns.conf.in b/config/templates/fedora.userns.conf.in
index ddcb2e5189e82ad08c5adb23e8adbe77abef3c34..f6de0e97de8d9e0b203f3b1e088e858de9054577 100644 (file)
--- a/config/templates/fedora.userns.conf.in
+++ b/config/templates/fedora.userns.conf.in
@@ -18,7 +18,3 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
 # Extra fstab entries as mountall can't mount those by itself
 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
-
-# Default seccomp policy is not needed for unprivileged containers, and
-# non-root users cannot use seccmp without NNP anyway.
-lxc.seccomp =

diff --git a/config/templates/gentoo.userns.conf.in b/config/templates/gentoo.userns.conf.in
index c744b1d66ad5446a59feb821b48de9844329a020..5643744df8d502988c3f9152a33d29d30076cbec 100644 (file)
--- a/config/templates/gentoo.userns.conf.in
+++ b/config/templates/gentoo.userns.conf.in
@@ -17,7 +17,3 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
 # Extra fstab entries as mountall can't mount those by itself
 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
-
-# Default seccomp policy is not needed for unprivileged containers, and
-# non-root users cannot use seccmp without NNP anyway.
-lxc.seccomp =

diff --git a/config/templates/oracle.userns.conf.in b/config/templates/oracle.userns.conf.in
index c744b1d66ad5446a59feb821b48de9844329a020..5643744df8d502988c3f9152a33d29d30076cbec 100644 (file)
--- a/config/templates/oracle.userns.conf.in
+++ b/config/templates/oracle.userns.conf.in
@@ -17,7 +17,3 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
 # Extra fstab entries as mountall can't mount those by itself
 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
-
-# Default seccomp policy is not needed for unprivileged containers, and
-# non-root users cannot use seccmp without NNP anyway.
-lxc.seccomp =

diff --git a/config/templates/plamo.userns.conf.in b/config/templates/plamo.userns.conf.in
index 46c7794f2dfa289712b02104cb15cd79e8ea9879..3e9600d50b343b811fd3d6d83db5de2323f679c6 100644 (file)
--- a/config/templates/plamo.userns.conf.in
+++ b/config/templates/plamo.userns.conf.in
@@ -10,7 +10,3 @@ lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
 lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
 lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
 lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-
-# Default seccomp policy is not needed for unprivileged containers, and
-# non-root users cannot use seccmp without NNP anyway.
-lxc.seccomp =

diff --git a/config/templates/ubuntu.userns.conf.in b/config/templates/ubuntu.userns.conf.in
index c744b1d66ad5446a59feb821b48de9844329a020..5643744df8d502988c3f9152a33d29d30076cbec 100644 (file)
--- a/config/templates/ubuntu.userns.conf.in
+++ b/config/templates/ubuntu.userns.conf.in
@@ -17,7 +17,3 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
 # Extra fstab entries as mountall can't mount those by itself
 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
-
-# Default seccomp policy is not needed for unprivileged containers, and
-# non-root users cannot use seccmp without NNP anyway.
-lxc.seccomp =