[pve-devel] [PATCH container 3/4] mask 'mknod' feature by kernel version

Wolfgang Bumiller w.bumiller at proxmox.com
Thu Jan 30 09:27:32 CET 2020


Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
 src/PVE/LXC.pm | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 9e25ad4..b4d3b7d 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -534,6 +534,11 @@ sub make_seccomp_config {
     # leave up to the kernel. We may in the future remove this if seccomp gets
     # a way to tell the kernel to "continue" a syscall.
     if ($features->{mknod}) {
+	my ($ok, $kernel) = check_kernel_release(5, 3);
+	if (!$ok) {
+	    die "'mknod' feature requested, but kernel too old (found $kernel, required >= 5.3)\n";
+	}
+
 	$raw_conf .= "lxc.seccomp.notify.proxy = unix:/run/pve/lxc-syscalld.sock\n";
 
 	$rules->{mknod} = [
-- 
2.20.1




More information about the pve-devel mailing list