A seccomp profile for the entire container has been added.

author Азалия Смарагдова <charming.flurry@yandex.ru>

Tue, 30 Aug 2022 16:18:18 +0000 (21:18 +0500)

committer Alessandro Astone <ales.astone@gmail.com>

Tue, 6 Sep 2022 22:21:13 +0000 (00:21 +0200)
author Азалия Смарагдова <charming.flurry@yandex.ru>
Tue, 30 Aug 2022 16:18:18 +0000 (21:18 +0500)
committer Alessandro Astone <ales.astone@gmail.com>
Tue, 6 Sep 2022 22:21:13 +0000 (00:21 +0200)
diff --git a/data/configs/config_1 b/data/configs/config_1

index cc997810e9c57c44164a5e25a4d0a16cf31dbcf9..33671c4c4a536c4b9525dbb3d24cdddd41ec24ab 100644 (file)
--- a/data/configs/config_1
+++ b/data/configs/config_1
@@ -6,6 +6,7 @@ lxc.arch = LXCARCH
  lxc.autodev = 0
  # lxc.autodev.tmpfs.size = 25000000
  lxc.aa_profile = unconfined
+lxc.seccomp = /var/lib/waydroid/lxc/waydroid/waydroid.seccomp
  
  lxc.cap.keep = audit_control sys_nice wake_alarm setpcap setgid setuid sys_ptrace sys_admin wake_alarm block_suspend sys_time net_admin net_raw net_bind_service kill dac_override dac_read_search fsetid mknod syslog chown sys_resource fowner sys_module ipc_lock sys_chroot
  
diff --git a/data/configs/config_2 b/data/configs/config_2

index 172e1e7bfc11f2df6c1d6d54c213a7d845b77042..34537ecd674ff20cfa2936f07bb00c3d8199444d 100644 (file)
--- a/data/configs/config_2
+++ b/data/configs/config_2
@@ -6,6 +6,8 @@ lxc.arch = LXCARCH
  lxc.autodev = 0
  # lxc.autodev.tmpfs.size = 25000000
  lxc.apparmor.profile = unconfined
+lxc.seccomp.profile = /var/lib/waydroid/lxc/waydroid/waydroid.seccomp
+lxc.seccomp.allow_nesting = 1
  
  lxc.cap.keep = audit_control sys_nice wake_alarm setpcap setgid setuid sys_ptrace sys_admin wake_alarm block_suspend sys_time net_admin net_raw net_bind_service kill dac_override dac_read_search fsetid mknod syslog chown sys_resource fowner sys_module ipc_lock sys_chroot
  lxc.no_new_privs = 1
diff --git a/data/configs/waydroid.seccomp b/data/configs/waydroid.seccomp

new file mode 100644 (file)

index 0000000..ae4761c
--- /dev/null
+++ b/data/configs/waydroid.seccomp
@@ -0,0 +1,21 @@
+2
+blacklist
+init_module
+finit_module
+delete_module
+_sysctl
+kexec_file_load
+kexec_load
+reboot
+adjtimex errno 0
+clock_adjtime errno 0
+clock_adjtime64 errno 0
+clock_settime errno 0
+clock_settime64 errno 0
+settimeofday errno 0
+stime errno 0
+add_key errno 0
+keyctl errno 0
+request_key errno 0
+swapoff errno 0
+swapon errno 0
diff --git a/tools/helpers/lxc.py b/tools/helpers/lxc.py

index a099801de4667a47e167d6f8f1809511a9b45ddf..a13f838e1b779c97740d1b9682b90ccec14f8938 100644 (file)
--- a/tools/helpers/lxc.py
+++ b/tools/helpers/lxc.py
@@ -137,6 +137,7 @@ def set_lxc_config(args):
      elif lxc_ver <= 2:
          config_file = "config_1"
      config_path = tools.config.tools_src + "/data/configs/" + config_file
+    seccomp_profile = tools.config.tools_src + "/data/configs/waydroid.seccomp"
  
      command = ["mkdir", "-p", lxc_path]
      tools.helpers.run.user(args, command)
@@ -144,6 +145,8 @@ def set_lxc_config(args):
      tools.helpers.run.user(args, command)
      command = ["sed", "-i", "s/LXCARCH/{}/".format(platform.machine()), lxc_path + "/config"]
      tools.helpers.run.user(args, command)
+    command = ["cp", "-fpr", seccomp_profile, lxc_path + "/waydroid.seccomp"]
+    tools.helpers.run.user(args, command)
  
      nodes = generate_nodes_lxc_config(args)
      config_nodes_tmp_path = args.work + "/config_nodes"
author	Азалия Смарагдова <charming.flurry@yandex.ru>
	Tue, 30 Aug 2022 16:18:18 +0000 (21:18 +0500)
committer	Alessandro Astone <ales.astone@gmail.com>
	Tue, 6 Sep 2022 22:21:13 +0000 (00:21 +0200)
data/configs/config_1		patch \| blob \| blame \| history
data/configs/config_2		patch \| blob \| blame \| history
data/configs/waydroid.seccomp	[new file with mode: 0644]	patch \| blob
tools/helpers/lxc.py		patch \| blob \| blame \| history