Enable default seccomp profile for all distros

This updates the common config to include Serge's seccomp profile by
default for privileged containers.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
index 209db3963fd61edcf34612040a556bc61185bc25..98441c37a3608f47dabdacedddbc1ff65ba6e2b0 100644 (file)
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
@@ -1,10 +1,11 @@
 templatesconfigdir=@LXCTEMPLATECONFIG@
 
-EXTRA_DIST = ubuntu.priv.seccomp
+EXTRA_DIST = common.seccomp
 
 templatesconfig_DATA = \
        centos.common.conf \
        centos.userns.conf \
+       common.seccomp \
        debian.common.conf \
        debian.userns.conf \
        fedora.common.conf \
@@ -21,5 +22,4 @@ templatesconfig_DATA = \
        ubuntu-cloud.userns.conf \
        ubuntu.common.conf \
        ubuntu.lucid.conf \
-       ubuntu.userns.conf \
-       ubuntu.priv.seccomp
+       ubuntu.userns.conf

diff --git a/config/templates/centos.common.conf.in b/config/templates/centos.common.conf.in
index c0e68165b6bf1b8c54e57c9bab25a3f002cb2c54..b80585fb1845a17f1b9dc9ecaf355c50c92c9fad 100644 (file)
--- a/config/templates/centos.common.conf.in
+++ b/config/templates/centos.common.conf.in
@@ -45,3 +45,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm  # /dev/random
 lxc.cgroup.devices.allow = c 1:9 rwm   # /dev/urandom
 lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
 lxc.cgroup.devices.allow = c 5:2 rwm   # /dev/ptmx pty master
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp

diff --git a/config/templates/centos.userns.conf.in b/config/templates/centos.userns.conf.in
index f6de0e97de8d9e0b203f3b1e088e858de9054577..ddcb2e5189e82ad08c5adb23e8adbe77abef3c34 100644 (file)
--- a/config/templates/centos.userns.conf.in
+++ b/config/templates/centos.userns.conf.in
@@ -18,3 +18,7 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
 # Extra fstab entries as mountall can't mount those by itself
 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+
+# Default seccomp policy is not needed for unprivileged containers, and
+# non-root users cannot use seccmp without NNP anyway.
+lxc.seccomp =

diff --git a/config/templates/ubuntu.priv.seccomp b/config/templates/common.seccomp
similarity index 100%
rename from config/templates/ubuntu.priv.seccomp
rename to config/templates/common.seccomp

diff --git a/config/templates/debian.common.conf.in b/config/templates/debian.common.conf.in
index 09e5c40882dffd8a745096dadb3bdb9f367de00e..13f49b6ec0aae1ac7482fb7abaa7d0af47468061 100644 (file)
--- a/config/templates/debian.common.conf.in
+++ b/config/templates/debian.common.conf.in
@@ -60,3 +60,7 @@ lxc.cgroup.devices.allow = c 10:232 rwm
 ## To use loop devices, copy the following line to the container's
 ## configuration file (uncommented).
 #lxc.cgroup.devices.allow = b 7:* rwm
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp

diff --git a/config/templates/debian.userns.conf.in b/config/templates/debian.userns.conf.in
index 3e9600d50b343b811fd3d6d83db5de2323f679c6..46c7794f2dfa289712b02104cb15cd79e8ea9879 100644 (file)
--- a/config/templates/debian.userns.conf.in
+++ b/config/templates/debian.userns.conf.in
@@ -10,3 +10,7 @@ lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
 lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
 lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
 lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+
+# Default seccomp policy is not needed for unprivileged containers, and
+# non-root users cannot use seccmp without NNP anyway.
+lxc.seccomp =

diff --git a/config/templates/fedora.common.conf.in b/config/templates/fedora.common.conf.in
index 31b23a4a47c86fdbb5338901c2c04877560d584e..add0859ec16e8002fdf9e058bbeb003d1d3da6ca 100644 (file)
--- a/config/templates/fedora.common.conf.in
+++ b/config/templates/fedora.common.conf.in
@@ -47,3 +47,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm  # /dev/random
 lxc.cgroup.devices.allow = c 1:9 rwm   # /dev/urandom
 lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
 lxc.cgroup.devices.allow = c 5:2 rwm   # /dev/ptmx pty master
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp

diff --git a/config/templates/fedora.userns.conf.in b/config/templates/fedora.userns.conf.in
index f6de0e97de8d9e0b203f3b1e088e858de9054577..ddcb2e5189e82ad08c5adb23e8adbe77abef3c34 100644 (file)
--- a/config/templates/fedora.userns.conf.in
+++ b/config/templates/fedora.userns.conf.in
@@ -18,3 +18,7 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
 # Extra fstab entries as mountall can't mount those by itself
 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+
+# Default seccomp policy is not needed for unprivileged containers, and
+# non-root users cannot use seccmp without NNP anyway.
+lxc.seccomp =

diff --git a/config/templates/gentoo.common.conf.in b/config/templates/gentoo.common.conf.in
index 5a8b2316b2177c562de86164dee88ecedada43e0..f29db504c3ca4479b11c34134ab5337494e4b279 100644 (file)
--- a/config/templates/gentoo.common.conf.in
+++ b/config/templates/gentoo.common.conf.in
@@ -51,4 +51,8 @@ lxc.cgroup.devices.allow = c 10:228 rwm
 lxc.cgroup.devices.allow = c 10:232 rwm
 ## To use loop devices, copy the following line to the container's
 ## configuration file (uncommented).
-#lxc.cgroup.devices.allow = b 7:* rwm
\ No newline at end of file
+#lxc.cgroup.devices.allow = b 7:* rwm
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp

diff --git a/config/templates/gentoo.moresecure.conf.in b/config/templates/gentoo.moresecure.conf.in
index da68562c73ba7920cd109793f11d2e0b3ebdf089..432a9fb6fbd99c9b4ec965d788af5e8878a1a7e9 100644 (file)
--- a/config/templates/gentoo.moresecure.conf.in
+++ b/config/templates/gentoo.moresecure.conf.in
@@ -56,4 +56,8 @@ lxc.cgroup.devices.allow = c 4:0 rwm
 # /dev/tty
 lxc.cgroup.devices.allow = c 5:0 rwm
 # /dev/console
-lxc.cgroup.devices.allow = c 5:1 rwm
\ No newline at end of file
+lxc.cgroup.devices.allow = c 5:1 rwm
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp

diff --git a/config/templates/gentoo.userns.conf.in b/config/templates/gentoo.userns.conf.in
index 5643744df8d502988c3f9152a33d29d30076cbec..c744b1d66ad5446a59feb821b48de9844329a020 100644 (file)
--- a/config/templates/gentoo.userns.conf.in
+++ b/config/templates/gentoo.userns.conf.in
@@ -17,3 +17,7 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
 # Extra fstab entries as mountall can't mount those by itself
 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+
+# Default seccomp policy is not needed for unprivileged containers, and
+# non-root users cannot use seccmp without NNP anyway.
+lxc.seccomp =

diff --git a/config/templates/oracle.common.conf.in b/config/templates/oracle.common.conf.in
index 96b266c35ca09e9f0a63b3c89ebbe9bb177729a4..1b30fe977cbcf4a5282efe8ebd99ad7ec6eadab0 100644 (file)
--- a/config/templates/oracle.common.conf.in
+++ b/config/templates/oracle.common.conf.in
@@ -43,3 +43,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm  # /dev/random
 lxc.cgroup.devices.allow = c 1:9 rwm   # /dev/urandom
 lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
 lxc.cgroup.devices.allow = c 5:2 rwm   # /dev/ptmx pty master
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp

diff --git a/config/templates/oracle.userns.conf.in b/config/templates/oracle.userns.conf.in
index 5643744df8d502988c3f9152a33d29d30076cbec..c744b1d66ad5446a59feb821b48de9844329a020 100644 (file)
--- a/config/templates/oracle.userns.conf.in
+++ b/config/templates/oracle.userns.conf.in
@@ -17,3 +17,7 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
 # Extra fstab entries as mountall can't mount those by itself
 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+
+# Default seccomp policy is not needed for unprivileged containers, and
+# non-root users cannot use seccmp without NNP anyway.
+lxc.seccomp =

diff --git a/config/templates/plamo.common.conf.in b/config/templates/plamo.common.conf.in
index 50783c3b2e16d68619c8a95263a95d337951a988..4f044c099ae2da533fc8a7c6ce38e76c040e1bd7 100644 (file)
--- a/config/templates/plamo.common.conf.in
+++ b/config/templates/plamo.common.conf.in
@@ -24,3 +24,7 @@ lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 254:0 rm
 # fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp

diff --git a/config/templates/plamo.userns.conf.in b/config/templates/plamo.userns.conf.in
index 3e9600d50b343b811fd3d6d83db5de2323f679c6..46c7794f2dfa289712b02104cb15cd79e8ea9879 100644 (file)
--- a/config/templates/plamo.userns.conf.in
+++ b/config/templates/plamo.userns.conf.in
@@ -10,3 +10,7 @@ lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
 lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
 lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
 lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+
+# Default seccomp policy is not needed for unprivileged containers, and
+# non-root users cannot use seccmp without NNP anyway.
+lxc.seccomp =