~serge-hallyn/ubuntu/quantal/lxc/lxc-fixapi

Viewing changes to README

Committer: Package Import Robot
Author(s): Serge Hallyn, Stéphane Graber, Serge Hallyn
Date: 2012-08-08 10:43:06 UTC
Revision ID: package-import@ubuntu.com-20120808104306-2s7xdim4rvt0e2k6

Tags: 0.8.0~rc1-4ubuntu22

[ Stéphane Graber ]
* Fix call to echo in lxc-start-ephemeral that was literally showing
'$LXC_BASE' instead of the variable's value.

[ Serge Hallyn ]
* Introduce support for seccomp.

files added:
.pc/0097-seccomp

.pc/0097-seccomp/README

.pc/0097-seccomp/configure.ac

.pc/0097-seccomp/src

.pc/0097-seccomp/src/lxc

.pc/0097-seccomp/src/lxc/Makefile.am

.pc/0097-seccomp/src/lxc/conf.h

.pc/0097-seccomp/src/lxc/confile.c

.pc/0097-seccomp/src/lxc/lxc-clone.in

.pc/0097-seccomp/src/lxc/lxcseccomp.h

.pc/0097-seccomp/src/lxc/seccomp.c

.pc/0097-seccomp/src/lxc/start.c

debian/patches/0097-seccomp

src/lxc/lxcseccomp.h

src/lxc/seccomp.c

files modified:
.pc/applied-patches

README

configure.ac

debian/changelog

debian/local/lxc-start-ephemeral

debian/patches/series

src/lxc/Makefile.am

src/lxc/conf.h

src/lxc/confile.c

src/lxc/lxc-clone.in

src/lxc/start.c

Show diffs side-by-side

added added

removed removed

README

AUTHOR

Daniel Lezcano <daniel.lezcano@free.fr>

Seccomp with LXC

----------------

To restrict a container with seccomp, you must specify a profile which is

basically a whitelist of system calls it may execute. In the container

config file, add a line like

lxc.seccomp = /var/lib/lxc/q1/seccomp.full

I created a usable (but basically worthless) seccomp.full file using

cat > seccomp.full << EOF

whitelist

EOF

for i in `seq 0 300`; do

echo $i >> secomp.full

done

for i in `seq 1024 1079`; do

echo $i >> seccomp.full

done

-- Serge Hallyn <serge.hallyn@ubuntu.com> Fri, 27 Jul 2012 15:47:02 +0600

Older »