[pve-devel] [PATCH container] disable btrfs ioctl in user namespaces

[pve-devel] [PATCH container] disable btrfs ioctl in user namespaces

[Wolfgang Bumiller]

Changes the seccomp profile to return EPERM on every btrfs
ioctl.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
 src/PVE/LXC.pm | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 93286f6..393da1b 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -435,6 +435,15 @@ sub make_seccomp_config {
 
     my $rules = {
 	keyctl => ['errno 38'],
+
+	# Disable btrfs ioctrls since they don't work particularly well in user namespaces.
+	# Particularly, without the mount option to enable rmdir removing snapshots, user
+	# namespaces can create snapshots but neither `show` or `delete` them, which is quite
+	# horrible, so for now, just disable this entirely:
+	#
+	# BTRFS_IOCTL_MAGIC 0x94, _IOC type shift is 8,
+	# so `(req & 0xFF00) == 0x9400` is a btrfs ioctl and gets an EPERM
+	ioctl  => ['errno 1 [1,0x9400,SCMP_CMP_MASKED_EQ,0xff00]'],
     };
 
     my $raw_conf = '';
-- 
2.30.2

[pve-devel] applied: [PATCH container] disable btrfs ioctl in user namespaces

[Thomas Lamprecht]

On 24.06.21 16:09, Wolfgang Bumiller wrote:
> Changes the seccomp profile to return EPERM on every btrfs
> ioctl.
> 
> Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
> ---
>  src/PVE/LXC.pm | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
>

applied, thanks!