From: Serge Hallyn Date: Fri, 19 Dec 2014 18:23:52 +0000 (+0000) Subject: Enable seccomp by default for unprivileged users. X-Git-Tag: lxc-1.0.8~220 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5cb9ed613b2b3d8f3d0f1c0c4e41a74bb98fa5b1;p=thirdparty%2Flxc.git Enable seccomp by default for unprivileged users. In contrast to what the comment above the line disabling it said, it seems to work just fine. It also is needed on current kernels (until Eric's patch hits upstream) to prevent unprivileged containers from hosing fuse filesystems they inherit. Signed-off-by: Serge Hallyn Acked-by: Stéphane Graber --- diff --git a/config/templates/centos.userns.conf.in b/config/templates/centos.userns.conf.in index ddcb2e518..f6de0e97d 100644 --- a/config/templates/centos.userns.conf.in +++ b/config/templates/centos.userns.conf.in @@ -18,7 +18,3 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 # Extra fstab entries as mountall can't mount those by itself lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0 - -# Default seccomp policy is not needed for unprivileged containers, and -# non-root users cannot use seccmp without NNP anyway. -lxc.seccomp = diff --git a/config/templates/debian.userns.conf.in b/config/templates/debian.userns.conf.in index 46c7794f2..3e9600d50 100644 --- a/config/templates/debian.userns.conf.in +++ b/config/templates/debian.userns.conf.in @@ -10,7 +10,3 @@ lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0 lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 - -# Default seccomp policy is not needed for unprivileged containers, and -# non-root users cannot use seccmp without NNP anyway. -lxc.seccomp = diff --git a/config/templates/fedora.userns.conf.in b/config/templates/fedora.userns.conf.in index ddcb2e518..f6de0e97d 100644 --- a/config/templates/fedora.userns.conf.in +++ b/config/templates/fedora.userns.conf.in @@ -18,7 +18,3 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 # Extra fstab entries as mountall can't mount those by itself lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0 - -# Default seccomp policy is not needed for unprivileged containers, and -# non-root users cannot use seccmp without NNP anyway. -lxc.seccomp = diff --git a/config/templates/gentoo.userns.conf.in b/config/templates/gentoo.userns.conf.in index c744b1d66..5643744df 100644 --- a/config/templates/gentoo.userns.conf.in +++ b/config/templates/gentoo.userns.conf.in @@ -17,7 +17,3 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 # Extra fstab entries as mountall can't mount those by itself lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0 - -# Default seccomp policy is not needed for unprivileged containers, and -# non-root users cannot use seccmp without NNP anyway. -lxc.seccomp = diff --git a/config/templates/oracle.userns.conf.in b/config/templates/oracle.userns.conf.in index c744b1d66..5643744df 100644 --- a/config/templates/oracle.userns.conf.in +++ b/config/templates/oracle.userns.conf.in @@ -17,7 +17,3 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 # Extra fstab entries as mountall can't mount those by itself lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0 - -# Default seccomp policy is not needed for unprivileged containers, and -# non-root users cannot use seccmp without NNP anyway. -lxc.seccomp = diff --git a/config/templates/plamo.userns.conf.in b/config/templates/plamo.userns.conf.in index 46c7794f2..3e9600d50 100644 --- a/config/templates/plamo.userns.conf.in +++ b/config/templates/plamo.userns.conf.in @@ -10,7 +10,3 @@ lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0 lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 - -# Default seccomp policy is not needed for unprivileged containers, and -# non-root users cannot use seccmp without NNP anyway. -lxc.seccomp = diff --git a/config/templates/ubuntu.userns.conf.in b/config/templates/ubuntu.userns.conf.in index c744b1d66..5643744df 100644 --- a/config/templates/ubuntu.userns.conf.in +++ b/config/templates/ubuntu.userns.conf.in @@ -17,7 +17,3 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 # Extra fstab entries as mountall can't mount those by itself lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0 - -# Default seccomp policy is not needed for unprivileged containers, and -# non-root users cannot use seccmp without NNP anyway. -lxc.seccomp =