]> git.proxmox.com Git - mirror_lxc.git/commit - src/lxc/seccomp.c
projects / mirror_lxc.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 1f92162) | patch
seccomp: introduce v2 policy (v2)
authorSerge Hallyn <serge.hallyn@ubuntu.com>
Wed, 12 Feb 2014 21:50:20 +0000 (15:50 -0600)
committerStéphane Graber <stgraber@ubuntu.com>
Wed, 12 Feb 2014 22:01:57 +0000 (17:01 -0500)
commit507981388495a0bb338178e48b993bae753841d0
treeb0fffcbf76d0739bf4092f41dc995e3e48b60e97tree
parent1f92162dc0432b6f7f8156d22348f22934cbea3fcommit | diff
seccomp: introduce v2 policy (v2)

v2 allows specifying system calls by name, and specifying
architecture.  A policy looks like:

2
whitelist
open
read
write
close
mount
[x86]
open
read

Also use SCMP_ACT_KILL by default rather than SCMP_ACT_ERRNO(31)  -
which confusingly returns 'EMLINK' on x86_64.  Note this change
is also done for v1 as I think it is worthwhile.

With this patch, I can in fact use a seccomp policy like:

2
blacklist
mknod errno 0

after which 'sudo mknod null c 1 3' silently succeeds without
creating the null device.

changelog v2:
  add blacklist support
  support default action
  support per-rule action

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
src/lxc/seccomp.c diff | blob | blame | history
LXC mirror