seccomp: add rule to reject umount -f

If a container has a bind mount from a host nfs or fuse
filesystem, and does 'umount -f', it will disconnect the
host's filesystem.  This patch adds a seccomp rule to
block umount -f from a container.  It also adds that rule
to the default seccomp profile.

Thanks stgraber for the idea :)

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

diff --git a/config/templates/common.seccomp b/config/templates/common.seccomp
index e6650ef1cbf7528fc01aef238502897b1f01aebb..6f8eeba3834887ee509d31d378276343537d7393 100644 (file)
--- a/config/templates/common.seccomp
+++ b/config/templates/common.seccomp
@@ -1,5 +1,6 @@
 2
 blacklist
+reject_force_umount  # comment this to allow umount -f;  not recommended
 [all]
 kexec_load errno 1
 open_by_handle_at errno 1

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index dfdedf22bc6d0326bbd1215aa2908dcef1b6925c..825d8a1a4156329a465dd96b7426316df3cb40b3 100644 (file)
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -28,6 +28,7 @@
 #include <errno.h>
 #include <seccomp.h>
 #include <sys/utsname.h>
+#include <sys/mount.h>
 
 #include "config.h"
 #include "lxcseccomp.h"
@@ -186,6 +187,18 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
                ERROR("BUG: seccomp: rule and context arch do not match (arch %d)", arch);
                return false;
        }
+
+       if (strncmp(line, "reject_force_umount", 19) == 0) {
+               INFO("Setting seccomp rule to reject force umounts\n");
+               ret = seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(umount2),
+                               1, SCMP_A1(SCMP_CMP_MASKED_EQ , MNT_FORCE , MNT_FORCE ));
+               if (ret < 0) {
+                       ERROR("failed (%d) loading rule to reject force umount", ret);
+                       return false;
+               }
+               return true;
+       }
+
        nr = seccomp_syscall_resolve_name(line);
        if (nr == __NR_SCMP_ERROR) {
                WARN("Seccomp: failed to resolve syscall: %s", line);
@@ -393,6 +406,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
                        goto bad;
                }
        }
+
        return 0;
 
 bad_arch: