[lxc-devel] [RFC] Seccomp default policies and rules
Purcareata Bogdan
b43198 at freescale.com
Thu Mar 12 10:33:28 UTC 2015
Hello,
While playing around with containers and seccomp, I've come up with a
couple of thoughts, and I would like to hear some official input on these:
1. There's currently no way to set a default rule action - this is set
to "kill" for blacklist policies, and "allow" for whitelist policies. I
thought it would be nice to add the possibility to e.g. set the default
rule action to "errno #" when using a blacklist policy, which can be
overridden on a per-syscall basis. This implies changing the format of
the seccomp policy file, what do you think would be the best way to do that?
2. This is not particularly related to lxc/seccomp, but there's
currently no sanity check of the soundness of the seccomp context.
Basically meaning that for whitelist policies, the policy action should
be restrictive (kill, trap, errno) and rule actions should be permissive
(allow), and vice versa. You can easily shoot yourself in the foot by
writing something like "blacklist kill" in your seccomp policy file (and
I did). Albeit libseccomp lets you do this, so it's up to the admin to
make sure the context is sound, I think some basic checks and warnings
when setting the actions would be nice (at least for newbies like myself).
Thanks,
Bogdan P.
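
The soundness check described in point 2, sketched as an added example (not code from the message, from lxc, or from libseccomp). The function name and the policy layout it parses (optional version line "2", a "blacklist|whitelist [action]" line, then "syscall [action]" lines) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

enum act { ACT_NONE, ACT_ALLOW, ACT_RESTRICT, ACT_BAD };

/* Classify the optional action that follows a keyword or syscall name. */
static enum act parse_act(const char *s)
{
    s += strspn(s, " \t");
    if (*s == '\0') return ACT_NONE;                  /* defaults apply */
    if (!strncmp(s, "allow", 5)) return ACT_ALLOW;
    if (!strncmp(s, "kill", 4) || !strncmp(s, "trap", 4) ||
        !strncmp(s, "errno", 5)) return ACT_RESTRICT; /* incl. "errno N" */
    return ACT_BAD;
}

/* Returns the number of unsound lines, or -1 if the text cannot be parsed.
 * Assumed layout: optional "2", then "blacklist|whitelist [action]", then
 * "syscall [action]" lines; '#' comments and "[arch]" lines are skipped. */
int seccomp_policy_warnings(const char *text)
{
    int blacklist = -1, warnings = 0;
    char line[128];

    for (const char *p = text; *p; ) {
        size_t len = strcspn(p, "\n");
        if (len >= sizeof(line)) return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += len + (p[len] == '\n');
        if (!len || line[0] == '#' || line[0] == '[') continue;
        if (blacklist < 0 && !strcmp(line, "2")) continue;  /* version line */
        int header = blacklist < 0;
        if (header && strncmp(line, "blacklist", 9) && strncmp(line, "whitelist", 9))
            return -1;
        if (header) blacklist = (line[0] == 'b');
        enum act a = parse_act(line + (header ? 9 : strcspn(line, " \t")));
        if (a == ACT_BAD) return -1;
        if (a == ACT_NONE) continue;                  /* implicit default is sound */
        /* Sound: blacklist = allow policy + restrictive rules; whitelist = reverse. */
        int want_allow = header ? blacklist : !blacklist;
        if ((a == ACT_ALLOW) != want_allow) {
            fprintf(stderr, "unsound %s action: %s\n", header ? "policy" : "rule", line);
            warnings++;
        }
    }
    return blacklist < 0 ? -1 : warnings;
}
/* Constructed sample: the "blacklist kill" mistake from the message. */
int main(void) { return seccomp_policy_warnings("2\nblacklist kill\nmount\n") != 1; }
```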