On Sun, May 10, 2015 at 09:00:22AM -0400, Michael H. Warfield wrote:
> On Sun, 2015-05-10 at 14:54 +1000, Boyok Mad wrote:
> > Hi
> >
> >
> > I want to disable 32bit emulation within my ubuntu container. I think
> > this can be achieved by setting seccomp filter or cap.drop config (I
> > may be wrong as I am very new to both features)
> > https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html
>
> I don't believe that is even conceptually possible. The 64 bit x86
> instruction set is an inclusive superset of the 32 bit instruction set.
> Any 32 bit assembly language instruction will run on a 64 bit CPU.
> That's the very nature of "backward compatibility" in the CPU
> architecture. The 32 bit instructions are not being emulated at all.
> They run native on the iron.

You can however use seccomp to block all 32bit syscalls.

> >
> > Is it possible to disable specific system calls to disallow a
> > container run any 32bit executable? if so, how the seccomp/cap.drop
> > config should look like? if not, is there any way to disable 32bit
> > emulation within a lxc container?
> >
> >
> > P.S. I tried removing support for i386 packages within a container,
> > but it still runs 32bit binaries.
> >
> >
> > Cheers,
> >
> > Boy
>
> Regards,
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 978-7061 | [email protected]
> /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
>
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
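
The seccomp approach from the reply above, shown at the kernel level as an added example (not code from this thread or from the LXC project, and not LXC's policy-file syntax): a classic-BPF filter that admits only native x86_64 system calls, which stops i386 binaries at their first syscall even though their instructions run natively. The names `only_x86_64`, `run_filter`, `install_filter` and `X32_SYSCALL_BIT` are chosen for this example; an x86_64 host is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>

#define X32_SYSCALL_BIT 0x40000000u /* set in nr for x32-ABI calls (assumed name) */
#define NINSN (sizeof only_x86_64 / sizeof only_x86_64[0])

/* Check the syscall ABI first, then reject the x32 number range, else allow. */
static struct sock_filter only_x86_64[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, 3),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, X32_SYSCALL_BIT, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
};

/* Interpreter for just the opcodes used above, so the policy can be checked
 * against constructed (arch, nr) pairs without installing it. */
uint32_t run_filter(uint32_t arch, uint32_t nr) {
    struct seccomp_data d = { .nr = (int)nr, .arch = arch };
    uint32_t acc = 0;
    for (size_t pc = 0; pc < NINSN; pc++) {
        const struct sock_filter *f = &only_x86_64[pc];
        switch (f->code) {
        case BPF_LD | BPF_W | BPF_ABS: memcpy(&acc, (const char *)&d + f->k, 4); break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (acc == f->k) ? f->jt : f->jf; break;
        case BPF_JMP | BPF_JGE | BPF_K: pc += (acc >= f->k) ? f->jt : f->jf; break;
        case BPF_RET | BPF_K: return f->k;
        }
    }
    return SECCOMP_RET_KILL; /* unreachable for this program; fail closed */
}

/* Install for the calling process; the filter survives fork and execve. */
int install_filter(void) {
    struct sock_fprog prog = { .len = NINSN, .filter = only_x86_64 };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Usage: ./only64 <program> [args...] runs the program under the filter. */
int main(int argc, char **argv) {
    if (argc < 2 || install_filter())
        return 1;
    execvp(argv[1], argv + 1);
    return 127;
}
```

The `execve` of a 32-bit ELF still succeeds because the 64-bit caller issues it; the process is killed when it makes its first call through the i386 entry point, and the same applies to a 64-bit process that issues `int 0x80`.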
