From: Азалия Смарагдова Date: Tue, 30 Aug 2022 16:18:18 +0000 (+0500) Subject: A seccomp profile for the entire container has been added. X-Git-Tag: 1.3.2~4 X-Git-Url: https://glassweightruler.freedombox.rocks/gitweb/waydroid.git/commitdiff_plain/7046fb2fd32b73fde5642187c914c2f637e666b1 A seccomp profile for the entire container has been added. --- diff --git a/data/configs/config_1 b/data/configs/config_1 index cc99781..33671c4 100644 --- a/data/configs/config_1 +++ b/data/configs/config_1 @@ -6,6 +6,7 @@ lxc.arch = LXCARCH lxc.autodev = 0 # lxc.autodev.tmpfs.size = 25000000 lxc.aa_profile = unconfined +lxc.seccomp = /var/lib/waydroid/lxc/waydroid/waydroid.seccomp lxc.cap.keep = audit_control sys_nice wake_alarm setpcap setgid setuid sys_ptrace sys_admin wake_alarm block_suspend sys_time net_admin net_raw net_bind_service kill dac_override dac_read_search fsetid mknod syslog chown sys_resource fowner sys_module ipc_lock sys_chroot diff --git a/data/configs/config_2 b/data/configs/config_2 index 172e1e7..34537ec 100644 --- a/data/configs/config_2 +++ b/data/configs/config_2 @@ -6,6 +6,8 @@ lxc.arch = LXCARCH lxc.autodev = 0 # lxc.autodev.tmpfs.size = 25000000 lxc.apparmor.profile = unconfined +lxc.seccomp.profile = /var/lib/waydroid/lxc/waydroid/waydroid.seccomp +lxc.seccomp.allow_nesting = 1 lxc.cap.keep = audit_control sys_nice wake_alarm setpcap setgid setuid sys_ptrace sys_admin wake_alarm block_suspend sys_time net_admin net_raw net_bind_service kill dac_override dac_read_search fsetid mknod syslog chown sys_resource fowner sys_module ipc_lock sys_chroot lxc.no_new_privs = 1 diff --git a/data/configs/waydroid.seccomp b/data/configs/waydroid.seccomp new file mode 100644 index 0000000..ae4761c --- /dev/null +++ b/data/configs/waydroid.seccomp @@ -0,0 +1,21 @@ +2 +blacklist +init_module +finit_module +delete_module +_sysctl +kexec_file_load +kexec_load +reboot +adjtimex errno 0 +clock_adjtime errno 0 +clock_adjtime64 errno 0 +clock_settime errno 0 +clock_settime64 errno 0 +settimeofday errno 0 +stime errno 0 +add_key errno 0 +keyctl errno 0 +request_key errno 0 +swapoff errno 0 +swapon errno 0 diff --git a/tools/helpers/lxc.py b/tools/helpers/lxc.py index a099801..a13f838 100644 --- a/tools/helpers/lxc.py +++ b/tools/helpers/lxc.py @@ -137,6 +137,7 @@ def set_lxc_config(args): elif lxc_ver <= 2: config_file = "config_1" config_path = tools.config.tools_src + "/data/configs/" + config_file + seccomp_profile = tools.config.tools_src + "/data/configs/waydroid.seccomp" command = ["mkdir", "-p", lxc_path] tools.helpers.run.user(args, command) @@ -144,6 +145,8 @@ def set_lxc_config(args): tools.helpers.run.user(args, command) command = ["sed", "-i", "s/LXCARCH/{}/".format(platform.machine()), lxc_path + "/config"] tools.helpers.run.user(args, command) + command = ["cp", "-fpr", seccomp_profile, lxc_path + "/waydroid.seccomp"] + tools.helpers.run.user(args, command) nodes = generate_nodes_lxc_config(args) config_nodes_tmp_path = args.work + "/config_nodes"