git.proxmox.com Git - mirror_lxc.git/commit

author	Serge Hallyn <serge.hallyn@canonical.com>
	Sat, 28 Jul 2012 02:13:53 +0000 (21:13 -0500)
committer	Stéphane Graber <stgraber@ubuntu.com>
	Mon, 12 Nov 2012 17:04:30 +0000 (12:04 -0500)
commit	8f2c3a702aae3545b631a2b4c6db99f87528553a
tree	ab2c69cd60f0c6cc799ef20489cd443aca423b26	tree
parent	b486346aa2fad7de06c491755b9b50c58c27a017	commit \| diff

Introduce support for seccomp.

Hi,

This patch is so far just a proof of concept.  The libseccomp api will be
changing soon so it probably wouldn't be worth pulling this until it is
updated for the new API.

This patch introduces support for seccomp to lxc.  Seccomp lets a program
restrict its own (and its children's) future access to system calls.  It
uses a simple whitelist system call policy file.  It would probably be
better to switch to something more symbolic (i.e specifying 'open' rather
than the syscall #, especially given container arch flexibility).

I just wanted to get this out there as a first step.  You can also get
source for an ubuntu package based on this patch at
https://code.launchpad.net/~serge-hallyn/ubuntu/quantal/lxc/lxc-seccomp

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>

README		diff \| blob \| blame \| history
configure.ac		diff \| blob \| blame \| history
src/lxc/Makefile.am		diff \| blob \| blame \| history
src/lxc/conf.h		diff \| blob \| blame \| history
src/lxc/confile.c		diff \| blob \| blame \| history
src/lxc/lxc-clone.in		diff \| blob \| blame \| history
src/lxc/lxcseccomp.h	[new file with mode: 0644]	blob
src/lxc/seccomp.c	[new file with mode: 0644]	blob
src/lxc/start.c		diff \| blob \| blame \| history