From 6e39e4cbff5d49b4a66451696aa87b9884f58a6e Mon Sep 17 00:00:00 2001
From: =?utf8?q?St=C3=A9phane=20Graber?=
Date: Tue, 1 Jul 2014 21:38:18 -0400
Subject: [PATCH] Enable default seccomp profile for all distros
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

This updates the common config to include Serge's seccomp profile by default for privileged containers.

Signed-off-by: Stéphane Graber
Acked-by: Serge E. Hallyn
---
 config/templates/Makefile.am | 4 ++--
 config/templates/common.conf.in | 4 ++++
 config/templates/{ubuntu.priv.seccomp => common.seccomp} | 0
 config/templates/ubuntu.common.conf.in | 4 ----
 config/templates/ubuntu.userns.conf.in | 4 ----
 config/templates/userns.conf.in | 4 ++++
 6 files changed, 10 insertions(+), 10 deletions(-)
 rename config/templates/{ubuntu.priv.seccomp => common.seccomp} (100%)

diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
index 61b4b4536..82ca8be1b 100644
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
@@ -1,6 +1,6 @@
 templatesconfigdir=@LXCTEMPLATECONFIG@
 
-EXTRA_DIST = ubuntu.priv.seccomp
+EXTRA_DIST = common.seccomp
 
 templatesconfig_DATA = \
 archlinux.common.conf \
@@ -8,6 +8,7 @@ templatesconfig_DATA = \
 centos.common.conf \
 centos.userns.conf \
 common.conf \
+ common.seccomp \
 debian.common.conf \
 debian.userns.conf \
 fedora.common.conf \
@@ -26,6 +27,5 @@ templatesconfig_DATA = \
 ubuntu-cloud.userns.conf \
 ubuntu.common.conf \
 ubuntu.lucid.conf \
- ubuntu.priv.seccomp \
 ubuntu.userns.conf \
 userns.conf
diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in
index 1616b4f37..b15b5fa40 100644
--- a/config/templates/common.conf.in
+++ b/config/templates/common.conf.in
@@ -33,3 +33,7 @@ lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx
 lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
 lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
 lxc.cgroup.devices.allow = c 136:* rwm # /dev/pts/*
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp
diff --git a/config/templates/ubuntu.priv.seccomp b/config/templates/common.seccomp
similarity index 100%
rename from config/templates/ubuntu.priv.seccomp
rename to config/templates/common.seccomp
diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
index ee008e239..631b4bb0e 100644
--- a/config/templates/ubuntu.common.conf.in
+++ b/config/templates/ubuntu.common.conf.in
@@ -42,7 +42,3 @@ lxc.cgroup.devices.allow = c 10:232 rwm
 ## To use loop devices, copy the following line to the container's
 ## configuration file (uncommented).
 #lxc.cgroup.devices.allow = b 7:* rwm
-
-# Blacklist some syscalls which are not safe in privileged
-# containers
-lxc.seccomp = @LXCTEMPLATECONFIG@/ubuntu.priv.seccomp
diff --git a/config/templates/ubuntu.userns.conf.in b/config/templates/ubuntu.userns.conf.in
index e25270c42..0d73464cd 100644
--- a/config/templates/ubuntu.userns.conf.in
+++ b/config/templates/ubuntu.userns.conf.in
@@ -4,7 +4,3 @@ lxc.include = @LXCTEMPLATECONFIG@/userns.conf
 # Extra fstab entries as mountall can't mount those by itself
 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
-
-# Default seccomp policy is not needed for unprivileged containers, and
-# non-root users cannot use seccmp without NNP anyway.
-lxc.seccomp =
diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in
index 5dc19c72c..2d9d7d501 100644
--- a/config/templates/userns.conf.in
+++ b/config/templates/userns.conf.in
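Review bot: Setting `lxc.seccomp` in common.conf makes the policy the default for every distro template that includes it, so any `*.userns.conf` that does not include userns.conf (where this same patch adds the clearing `lxc.seccomp =`) would now inherit the policy for its unprivileged containers; given the userns comment that non-root users cannot use seccomp without NNP, those containers would presumably fail to start, so each distro's userns template should be checked for that include. The clearing also depends on include order, since a later `lxc.seccomp =` is what overrides this value, which is worth stating here. The comment could say what kind of policy this is so readers know its limits: `# Deny-list some syscalls which are not safe in privileged containers; any syscall not listed in common.seccomp stays allowed. Unprivileged configs clear this via userns.conf.`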
@@ -13,3 +13,7 @@ lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
 lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
 lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
 lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
+
+# Default seccomp policy is not needed for unprivileged containers, and
+# non-root users cannot use seccmp without NNP anyway.
+lxc.seccomp =
-- 
2.39.5
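Review bot: The added comment misspells seccomp as `seccmp` on its second line, a typo carried over verbatim from the removed ubuntu.userns.conf.in block, and `NNP` is unexpanded. The empty assignment only clears the policy if this file is processed after common.conf, a dependency that is not visible from userns.conf itself, so the comment should state it: `# Clear the seccomp policy set by common.conf (this file must be included after it); it is not needed for unprivileged containers, and non-root users cannot use seccomp without no_new_privs (NNP) anyway.`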