From: Serge Hallyn
Date: Fri, 19 Dec 2014 18:22:55 +0000 (+0000)
Subject: seccomp: add rule to reject umount -f
X-Git-Tag: lxc-1.1.0.rc1~51
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6166fa6d83b23e86a24cc2ab5cfe780fccb0a709;p=thirdparty%2Flxc.git
seccomp: add rule to reject umount -f
If a container has a bind mount from a host nfs or fuse filesystem, and does 'umount -f', it will disconnect the host's filesystem. This patch adds a seccomp rule to block umount -f from a container. It also adds that rule to the default seccomp profile. Thanks stgraber for the idea :)
Signed-off-by: Serge Hallyn
Acked-by: Stéphane Graber
---
diff --git a/config/templates/common.seccomp b/config/templates/common.seccomp
index e6650ef1c..6f8eeba38 100644
--- a/config/templates/common.seccomp
+++ b/config/templates/common.seccomp
@@ -1,5 +1,6 @@
 2
 blacklist
+reject_force_umount # comment this to allow umount -f; not recommended
 [all]
 kexec_load errno 1
 open_by_handle_at errno 1
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index dfdedf22b..825d8a1a4 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -28,6 +28,7 @@
 #include
 #include
 #include
+#include
 #include "config.h"
 #include "lxcseccomp.h"
@@ -186,6 +187,18 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
 ERROR("BUG: seccomp: rule and context arch do not match (arch %d)", arch);
 return false;
 }
+
+ if (strncmp(line, "reject_force_umount", 19) == 0) {
+ INFO("Setting seccomp rule to reject force umounts\n");
+ ret = seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(umount2),
+ 1, SCMP_A1(SCMP_CMP_MASKED_EQ , MNT_FORCE , MNT_FORCE ));
+ if (ret < 0) {
+ ERROR("failed (%d) loading rule to reject force umount", ret);
+ return false;
+ }
+ return true;
+ }
+
+
 nr = seccomp_syscall_resolve_name(line);
 if (nr == __NR_SCMP_ERROR) {
 WARN("Seccomp: failed to resolve syscall: %s", line);
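Review bot: The comment on the new `reject_force_umount` line in common.seccomp says "not recommended" but not what goes wrong, so an administrator trimming the profile has no reason in the file to keep the line. The rationale from the commit message fits in the same trailing comment, for example `reject_force_umount # blocks umount -f, which would disconnect a host nfs or fuse filesystem bind-mounted into the container; comment out to allow (not recommended)`. The rule is only active where this line is present, so profiles that are not derived from common.seccomp need it added by hand, which is worth stating in the profile documentation.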
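Review bot: The keyword test `strncmp(line, "reject_force_umount", 19) == 0` in do_resolve_add_rule is a prefix match with a bare length, so any line that starts with those 19 characters installs the rule, and whatever follows the keyword is ignored in favour of the hard-coded `SCMP_ACT_ERRNO(EACCES)`. The prefix match looks deliberate, because common.seccomp puts a `#` comment on the same line, so I would keep it but derive the length from the literal and say why: `/* prefix match on purpose: the profile line may carry a trailing comment */` above `if (strncmp(line, "reject_force_umount", sizeof("reject_force_umount") - 1) == 0) {`. In the other direction a misspelled keyword falls through to `seccomp_syscall_resolve_name()`, where the visible path only logs a WARN, so a typo in a profile would presumably leave forced unmounts allowed; what the code returns after that WARN is outside the hunk and should be confirmed. The `INFO` message also ends in `\n` while the `ERROR` and `WARN` calls in the same hunk do not. The function begins before and continues after the hunk.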
@@ -393,6 +406,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
 goto bad;
 }
 }
+
 return 0;
 bad_arch: