Created
February 21, 2014 22:06
-
-
Save nelsnelson/9144595 to your computer and use it in GitHub Desktop.
Example of successful syscall filtering.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Config contents: | |
| lxc.seccomp = /tmp/whitelist | |
| Whitelist contents: | |
| 1 | |
| whitelist | |
| 0 | |
| 1 | |
| Executing command: sudo lxc-execute -n echo-test -f /tmp/config -l DEBUG -o /tmp/lxc.log -- cat /etc/hostname | |
| Debug output: | |
| lxc-execute 1393001871.026 DEBUG lxc_start - sigchild handler set | |
| lxc-execute 1393001871.026 INFO lxc_console - no console for lxc-execute. | |
| lxc-execute 1393001871.026 INFO lxc_start - 'echo-test' is initialized | |
| lxc-execute 1393001871.030 DEBUG lxc_start - Not dropping cap_sys_boot or watching utmp | |
| lxc-execute 1393001871.030 INFO lxc_cgroup - cgroup driver cgroupfs initing for echo-test | |
| lxc-execute 1393001871.034 DEBUG lxc_conf - Set exec command to cat | |
| lxc-execute 1393001871.034 DEBUG lxc_conf - capabilities have been setup | |
| lxc-execute 1393001871.034 NOTICE lxc_conf - 'echo-test' is setup. | |
| lxc-execute 1393001871.034 WARN lxc_start - inherited fd 4 | |
| lxc-execute 1393001871.034 WARN lxc_start - inherited fd 6 | |
| lxc-execute 1393001871.038 NOTICE lxc_execute - 'cat' started with pid '6833' | |
| lxc-execute 1393001871.038 INFO lxc_console - no console for lxc-execute. | |
| lxc-execute 1393001871.038 WARN lxc_start - invalid pid for SIGCHLD | |
| lxc-execute 1393001871.038 DEBUG lxc_start - unknown exit status for init: 31 | |
| lxc-execute 1393001871.038 INFO lxc_conf - running to reset 0 nic names | |
| lxc-execute 1393001871.038 INFO lxc_error - child <6833> ended on signal (31) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /usr/bin/env bash | |
| sudo rm -f /tmp/lxc.log | |
| rm -f /tmp/config | |
| cat << EOF > /tmp/config | |
| lxc.seccomp = /tmp/whitelist | |
| EOF | |
| rm -f /tmp/whitelist | |
| cat << EOF > /tmp/whitelist | |
| 1 | |
| whitelist | |
| 0 | |
| 1 | |
| EOF | |
| cmd="sudo lxc-execute -n echo-test -f /tmp/config -l DEBUG -o /tmp/lxc.log -- cat /etc/hostname" | |
| echo | |
| echo "Config contents:" | |
| cat /tmp/config | |
| echo | |
| echo "Whitelist contents:" | |
| cat /tmp/whitelist | |
| cmd="sudo lxc-execute -n echo-test -f /tmp/config -l DEBUG -o /tmp/lxc.log -- cat /etc/hostname" | |
| echo | |
| echo "Executing command: ${cmd}" | |
| echo `${cmd}` | |
| echo | |
| echo "Debug output:" | |
| cat /tmp/lxc.log | |
| sudo rm -f /tmp/lxc.log | |
| #rm -f /tmp/config | |
| #rm -f /tmp/whitelist | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment