Changes the seccomp profile to return EPERM on every btrfs ioctl. Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com> --- src/PVE/LXC.pm | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 93286f6..393da1b 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -435,6 +435,15 @@ sub make_seccomp_config {
 my $rules = {
 keyctl => ['errno 38'],
+
+ # Disable btrfs ioctrls since they don't work particularly well in user namespaces.
+ # Particularly, without the mount option to enable rmdir removing snapshots, user
+ # namespaces can create snapshots but neither `show` or `delete` them, which is quite
+ # horrible, so for now, just disable this entirely:
+ #
+ # BTRFS_IOCTL_MAGIC 0x94, _IOC type shift is 8,
+ # so `(req & 0xFF00) == 0x9400` is a btrfs ioctl and gets an EPERM
+ ioctl => ['errno 1 [1,0x9400,SCMP_CMP_MASKED_EQ,0xff00]'],
 };
 my $raw_conf = '';
-- 2.30.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
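Review bot: The new `ioctl` rule is a blanket deny applied to every container with no way to opt out, so the comment above it should say that explicitly and name the condition under which it can be relaxed rather than just "for now"; the "mount option to enable rmdir removing snapshots" is, as far as I know, btrfs's `user_subvol_rm_allowed`, so a marker such as `# TODO: revisit once user_subvol_rm_allowed can be applied to the container's subvolumes` would give a maintainer something concrete to look for. Two wording fixes in the same comment: "ioctrls" should read "ioctls", and "neither `show` or `delete`" should read "neither `show` nor `delete`". The match itself (argument 1 masked with `0xff00` compared against `0x9400`) keys only on the `_IOC` type byte, which the comment's `(req & 0xFF00) == 0x9400` already documents; keeping the hex case consistent between the comment and the rule literal (`0xff00`) avoids a reader wondering whether they differ. `make_seccomp_config` starts before and continues after this hunk, so the hunk does not show how `$rules` is rendered into the profile; I assume `errno 1` is emitted the same way as the existing `keyctl => ['errno 38']` entry.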