The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/6501

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
When mount interception is requested, we need to block the new mount API since it
keeps in-kernel state across multiple and an arbitrary number of syscalls.

Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
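To make the invariant this change introduces concrete, here is an added Go example (not LXD's code, and not the author's) that parses the line-oriented policy format visible in the patch, rebuilds the conditional append of the hunk, and checks that whenever `mount` carries a `notify` rule every new-mount-API syscall is denied with errno 38 (ENOSYS). The `mount notify` line is a constructed stand-in for LXD's `seccompNotifyMount`, whose text the page does not show; the function and type names are this example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ENOSYS is errno 38 on Linux; the patch writes the raw number into the policy.
const enosys = 38

// newMountAPISyscalls are the syscalls the patch denies whenever mount(2)
// interception is enabled.
var newMountAPISyscalls = []string{
	"fsopen", "fsconfig", "fsinfo", "fsmount", "fspick", "open_tree", "move_mount",
}

// seccompBlockNewMountApi is the constant added by the patch, copied verbatim.
const seccompBlockNewMountApi = `fsopen errno 38
fsconfig errno 38
fsinfo errno 38
fsmount errno 38
fspick errno 38
open_tree errno 38
move_mount errno 38
`

// Rule is one parsed policy line of the form "<syscall> <action> [args]".
type Rule struct {
	Syscall string
	Action  string // e.g. "notify" or "errno"
	Errno   int    // only meaningful when Action == "errno"
}

// parsePolicy turns the policy text into rules keyed by syscall. A syscall may
// carry several rules (the page's mknodat rules differ only by argument filter),
// so each key maps to a slice. Trailing argument filters are accepted and ignored.
func parsePolicy(policy string) (map[string][]Rule, error) {
	rules := map[string][]Rule{}
	for n, line := range strings.Split(policy, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			return nil, fmt.Errorf("line %d: malformed rule %q", n+1, line)
		}
		r := Rule{Syscall: fields[0], Action: fields[1]}
		if r.Action == "errno" {
			if len(fields) < 3 {
				return nil, fmt.Errorf("line %d: errno rule without a value", n+1)
			}
			v, err := strconv.Atoi(fields[2])
			if err != nil {
				return nil, fmt.Errorf("line %d: bad errno %q", n+1, fields[2])
			}
			r.Errno = v
		}
		rules[r.Syscall] = append(rules[r.Syscall], r)
	}
	return rules, nil
}

// buildPolicy mirrors the control flow of the second hunk: the block constant
// is appended only when mount interception is on. "mount notify" is a
// constructed stand-in for LXD's real seccompNotifyMount text.
func buildPolicy(interceptMount bool) string {
	policy := "mknodat notify [2,24576,SCMP_CMP_MASKED_EQ,61440]\n"
	if interceptMount {
		policy += "mount notify\n" // constructed; not LXD's actual rule text
		policy += seccompBlockNewMountApi
	}
	return policy
}

// checkNewMountAPIBlocked enforces the patch's invariant: if mount(2) is
// intercepted (a "notify" rule on mount), every new-mount-API syscall must be
// denied with ENOSYS. It returns nil when the policy is consistent.
func checkNewMountAPIBlocked(policy string) error {
	rules, err := parsePolicy(policy)
	if err != nil {
		return err
	}
	intercepted := false
	for _, r := range rules["mount"] {
		if r.Action == "notify" {
			intercepted = true
		}
	}
	if !intercepted {
		return nil // nothing to enforce: mount(2) is not intercepted
	}
	for _, name := range newMountAPISyscalls {
		blocked := false
		for _, r := range rules[name] {
			if r.Action == "errno" && r.Errno == enosys {
				blocked = true
			}
		}
		if !blocked {
			return fmt.Errorf("mount is intercepted but %s is not denied with ENOSYS", name)
		}
	}
	return nil
}

func main() {
	for _, on := range []bool{false, true} {
		fmt.Printf("intercept.mount=%v: %v\n", on, checkNewMountAPIBlocked(buildPolicy(on)))
	}
	broken := "mount notify\nfsopen errno 38\n" // constructed: misses six syscalls
	fmt.Println("incomplete policy:", checkNewMountAPIBlocked(broken))
}
```

The check is deliberately one-directional: a policy that does not intercept `mount` is free to leave the new API alone, which matches the hunk, where the block is appended inside the `security.syscalls.intercept.mount` branch only.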
From d27a3da74e81f30bf127999f4d984d2c216624e2 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brau...@ubuntu.com>
Date: Mon, 25 Nov 2019 14:47:19 +0100
Subject: [PATCH] seccomp: block new mount API when mount interception is
 requested

When mount interception is requested, we need to block the new mount API since it
keeps in-kernel state across multiple and an arbitrary number of syscalls.

Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
---
 lxd/seccomp/seccomp.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/lxd/seccomp/seccomp.go b/lxd/seccomp/seccomp.go
index ddd5ae4bef..0197032b04 100644
--- a/lxd/seccomp/seccomp.go
+++ b/lxd/seccomp/seccomp.go
@@ -282,6 +282,15 @@ mknodat notify [2,24576,SCMP_CMP_MASKED_EQ,61440]
 const seccompNotifySetxattr = `setxattr notify [3,1,SCMP_CMP_EQ]
 `
 
+const seccompBlockNewMountApi = `fsopen errno 38
+fsconfig errno 38
+fsinfo errno 38
+fsmount errno 38
+fspick errno 38
+open_tree errno 38
+move_mount errno 38
+`
+
 // We don't want to filter any of the following flag combinations since they do
 // not cause the creation of a new superblock:
 //
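Review bot: the `errno 38` in the new `seccompBlockNewMountApi` constant is a bare magic number; a one-line comment above the constant stating that 38 is ENOSYS, chosen so that a caller sees the new mount API as unavailable and falls back to mount(2) (which the notify rule then intercepts), would make the intent clear to the next reader. The same comment could say that the constant is only meaningful when appended alongside `seccompNotifyMount`, since nothing in the constant itself ties the two together.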
@@ -500,6 +509,10 @@ func seccompGetPolicyContent(c Instance) (string, error) {
 
                if shared.IsTrue(config["security.syscalls.intercept.mount"]) {
                        policy += seccompNotifyMount
+                       // We can't handle the new mount API since it keeps
+                       // in-kernel state across an arbitrary number of
+                       // multiple syscalls.
+                       policy += seccompBlockNewMountApi
                }
        }
 
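Review bot: the added comment reads "across an arbitrary number of multiple syscalls", which is redundant; "across an arbitrary number of syscalls" says the same thing. It would also help to spell out the consequence for the interception path, i.e. why in-kernel state spread over several syscalls cannot be handled by a per-syscall notify handler, so the reader understands why these calls are denied with ENOSYS rather than forwarded like `mount`.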
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel