I think I managed to do it by using a seccomp profile. Syscalls for a 32-bit emulated binary have different system call numbers and they are rejected.

"... Also, as things are today, if your host is 64bit and you load a seccomp policy file, all 32bit syscalls will be rejected. ..." - https://www.stgraber.org/2014/01/01/lxc-1-0-security-features/

Add the following to the container config file (per instruction at https://github.com/lxc/lxc):

lxc.seccomp = /var/lib/lxc/q1/seccomp.full

and create a seccomp.full file through:

# version 1 policy file: first line is the version, second the mode,
# then one allowed syscall number per line
cat > seccomp.full << EOF
1
whitelist
EOF
for i in $(seq 0 300); do echo "$i" >> seccomp.full; done
for i in $(seq 1024 1079); do echo "$i" >> seccomp.full; done

On Mon, May 11, 2015 at 6:13 AM, Michael H. Warfield <[email protected]> wrote:
> On Sun, 2015-05-10 at 11:08 -0400, Stéphane Graber wrote:
> > On Sun, May 10, 2015 at 09:00:22AM -0400, Michael H. Warfield wrote:
> > > On Sun, 2015-05-10 at 14:54 +1000, Boyok Mad wrote:
> > > > Hi
> > > >
> > > > I want to disable 32-bit emulation within my ubuntu container. I think
> > > > this can be achieved by setting a seccomp filter or cap.drop config (I
> > > > may be wrong as I am very new to both of these features)
> > > > https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html
> > >
> > > I don't believe that is even conceptually possible. The 64-bit x86
> > > instruction set is an inclusive superset of the 32-bit instruction set.
> > > Any 32-bit assembly language instruction will run on a 64-bit CPU.
> > > That's the very nature of "backward compatibility" in the CPU
> > > architecture. The 32-bit instructions are not being emulated at all.
> > > They run native on the iron.
> >
> > You can however use seccomp to block all 32-bit syscalls.
>
> True. Syscalls are a horse of a different color since that's OS based,
> not CPU based. Still, it's not an emulation as the OP seems to be
> implying.
>
> > > > Is it possible to disable specific system calls to disallow a
> > > > container running any 32-bit executable? If so, how should the
> > > > seccomp/cap.drop config look? If not, is there any way to disable 32-bit
> > > > emulation within an lxc container?
> > > >
> > > > P.S. I tried removing support for i386 packages within a container,
> > > > but it still runs 32-bit binaries.
> > > >
> > > > Cheers,
> > > > Boy
> > >
> > > Regards,
> > > Mike
> > > --
> > > Michael H. Warfield (AI4NB) | (770) 978-7061 | [email protected]
> > > /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> > > NIC whois: MHW9 | An optimist believes we live in the best of all
> > > PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
>
> Regards,
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 978-7061 | [email protected]
> /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
>
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users
>
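What the quoted Stéphane Graber sentence describes (a 64-bit host rejecting every 32-bit syscall once any seccomp policy is loaded) comes down to a seccomp-BPF filter that checks the audit architecture of each syscall before anything else. The program below is an added example written for this page; it is not code from the thread, from LXC, or from the policy file shown above. It builds that filter by hand for an x86_64 host, denying any syscall that does not arrive through the native 64-bit ABI, and (going one step beyond the thread) also denies the x32 ABI, which shares the x86_64 audit arch but sets bit 30 of the syscall number. It does not reproduce the whitelist of syscall numbers from the post. The uapi constants are restated so the `evaluate()` interpreter, my own minimal reimplementation of the four classic-BPF opcodes the filter uses, also compiles where Linux headers are absent; `install_filter()` and the `int $0x80` probe in `main()` only build on x86_64 Linux.

```c
/* Added example (not from the lxc-users thread or from LXC): a seccomp-BPF
 * filter that rejects every syscall made through a non-native ABI on an
 * x86_64 host, i.e. the i386 path (int 0x80 / sysenter) and the x32 path.
 * evaluate() interprets the filter over an (arch, nr) pair the way the
 * kernel would, so the decision can be checked without loading it. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#ifdef __linux__
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <unistd.h>
#endif

/* Values from the Linux uapi headers, restated for portability of the
 * interpreter part. */
#ifndef AUDIT_ARCH_X86_64
#define AUDIT_ARCH_X86_64 0xc000003eU
#endif
#ifndef AUDIT_ARCH_I386
#define AUDIT_ARCH_I386 0x40000003U
#endif
#ifndef SECCOMP_RET_ALLOW
#define SECCOMP_RET_ALLOW 0x7fff0000U
#endif
#ifndef SECCOMP_RET_ERRNO
#define SECCOMP_RET_ERRNO 0x00050000U
#endif
#ifndef SECCOMP_RET_KILL
#define SECCOMP_RET_KILL 0x00000000U
#endif
#define X32_SYSCALL_BIT 0x40000000U

/* Classic BPF opcodes: LD|W|ABS, JMP|JEQ|K, JMP|JGE|K, RET|K. */
enum { OP_LD_W_ABS = 0x20, OP_JEQ_K = 0x15, OP_JGE_K = 0x35, OP_RET_K = 0x06 };
/* Offsets into struct seccomp_data: nr at 0, arch at 4. */
enum { SD_NR = 0, SD_ARCH = 4 };

/* Same layout as struct sock_filter. */
struct cbpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

/* pc 0: load arch   1: arch != x86_64 -> pc 5   2: load nr
 * pc 3: nr has the x32 bit -> pc 5    4: allow   5: fail with ENOSYS */
static struct cbpf_insn filter[] = {
    { OP_LD_W_ABS, 0, 0, SD_ARCH },
    { OP_JEQ_K,    0, 3, AUDIT_ARCH_X86_64 },
    { OP_LD_W_ABS, 0, 0, SD_NR },
    { OP_JGE_K,    1, 0, X32_SYSCALL_BIT },
    { OP_RET_K,    0, 0, SECCOMP_RET_ALLOW },
    { OP_RET_K,    0, 0, SECCOMP_RET_ERRNO | ENOSYS },
};
#define FILTER_LEN (sizeof(filter) / sizeof(filter[0]))

/* Run the filter over one syscall's (arch, nr); jumps are relative to the
 * next instruction, as in the kernel's BPF interpreter. */
uint32_t evaluate(uint32_t arch, uint32_t nr)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < FILTER_LEN; pc++) {
        const struct cbpf_insn *in = &filter[pc];
        switch (in->code) {
        case OP_LD_W_ABS: acc = (in->k == SD_ARCH) ? arch : nr; break; /* only these two fields are modelled */
        case OP_JEQ_K:    pc += (acc == in->k) ? in->jt : in->jf; break;
        case OP_JGE_K:    pc += (acc >= in->k) ? in->jt : in->jf; break;
        case OP_RET_K:    return in->k;
        default:          return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL; /* the kernel rejects programs that can fall off the end */
}

#ifdef __linux__
/* Load the filter for the calling thread (inherited by its children).
 * PR_SET_NO_NEW_PRIVS lets an unprivileged process install it. */
int install_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)FILTER_LEN,
                               .filter = (struct sock_filter *)filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
}
#endif

int main(void)
{
    printf("native getpid(39) -> %#x, i386 getpid(20) -> %#x\n",
           evaluate(AUDIT_ARCH_X86_64, 39), evaluate(AUDIT_ARCH_I386, 20));
#if defined(__linux__) && defined(__x86_64__)
    if (install_filter() != 0) { perror("seccomp"); return 1; }
    long r;
    /* Enter the i386 ABI from 64-bit code: int 0x80 with eax = 20 (i386 __NR_getpid). */
    __asm__ volatile("int $0x80" : "=a"(r) : "a"(20) : "memory");
    printf("after install: getpid() = %ld, int 0x80 getpid = %ld (expect %d)\n",
           (long)getpid(), r, -ENOSYS);
#endif
    return 0;
}
```

Compile with `cc -Wall -o seccomp_arch seccomp_arch.c` on an x86_64 Linux box; after the filter is installed the native `getpid()` still works while the `int $0x80` probe comes back with `-ENOSYS`. The filter returns `SECCOMP_RET_ERRNO|ENOSYS` rather than `SECCOMP_RET_KILL` so a 32-bit binary fails at its first syscall in the dynamic loader with a normal error instead of dying from SIGSYS; the downside is that its instructions still execute up to that point, which is exactly Michael Warfield's observation that the CPU itself runs them natively and only the OS entry point can be closed off.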
