[lxc-devel] seccomp maxnr option?

Serge Hallyn serge.hallyn at ubuntu.com
Tue Jun 24 14:23:33 UTC 2014


Hi,

Not too long ago we introduced the v2 seccomp policy format, which allows
for blacklists.  One problem with blacklists is that on a newer kernel there
may be new syscalls which shouldn't be trusted.

So I'd like to introduce a max-syscall-number option, so that any higher
syscall number will also be blacklisted.  This is actually efficient to do
with a SCMP_CMP_GT comparison added to a rule.

I'm wondering how this is best specified.  There are a few options:

1. if we think this is the only comparison rule we'll frequently want, we
could extend the policy language so that

2
blacklist maxno 500
finit_module errno 1

Would mean that anything higher than 500 would be blacklisted.

2.  We could define seccomp policy format version 3, which allows more
general rules, like

3
blacklist
finit_module errno 1
GT 500 errno 1
LT 3 kill

Preferences?  Other ideas?

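The following is an added example, not LXC code and not the author's own proposal text: it parses both policy layouts floated above (the v2 "blacklist maxno N" header and the v3 "GT/LT" rule lines), compiles them to the classic-BPF instruction sequence a seccomp filter would carry (the "greater than" check becomes a single BPF_JGT jump on seccomp_data.nr), and includes a tiny evaluator so the resulting filter can be checked in userspace without installing it. Assumptions: x86_64 syscall numbers for the handful of names in the table, and that a "maxno" rule denies with errno 1 (the mail does not say which action maxno should carry).

```python
"""Parse proposed LXC seccomp policy layouts and compile them to classic BPF.

Added example (not LXC's code). Only blacklist policies are handled, and the
evaluator models only the 'load seccomp_data.nr' load used by real filters.
"""

# Classic-BPF opcodes as found in <linux/filter.h>
BPF_LD_W_ABS = 0x20   # BPF_LD  | BPF_W   | BPF_ABS : A = data[k]
BPF_JEQ_K    = 0x15   # BPF_JMP | BPF_JEQ | BPF_K   : if A == k jump jt else jf
BPF_JGT_K    = 0x25   # BPF_JMP | BPF_JGT | BPF_K   : if A >  k jump jt else jf
BPF_JGE_K    = 0x35   # BPF_JMP | BPF_JGE | BPF_K   : if A >= k jump jt else jf
BPF_RET_K    = 0x06   # BPF_RET | BPF_K             : return k

# Return values from <linux/seccomp.h>
SECCOMP_RET_KILL  = 0x00000000
SECCOMP_RET_ERRNO = 0x00050000
SECCOMP_RET_ALLOW = 0x7fff0000
SECCOMP_RET_DATA  = 0x0000ffff

# Constructed name table (x86_64 numbers); a real tool would use the arch's full table.
SYSCALL_NR = {"read": 0, "write": 1, "init_module": 175, "finit_module": 313}

# Assumption: a 'maxno' rule denies with errno 1, matching the mail's example rule.
MAXNO_ACTION = SECCOMP_RET_ERRNO | 1


def parse_action(words):
    """'errno 1' -> ERRNO|1, 'kill' -> KILL, 'allow' -> ALLOW."""
    if words[0] == "kill":
        return SECCOMP_RET_KILL
    if words[0] == "allow":
        return SECCOMP_RET_ALLOW
    if words[0] == "errno":
        return SECCOMP_RET_ERRNO | (int(words[1]) & SECCOMP_RET_DATA)
    raise ValueError("unknown action %r" % (words,))


def parse_policy(text):
    """Return (default_action, rules); each rule is (op, k, action) with op in EQ/GT/LT."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip() and not l.startswith("#")]
    version = int(lines[0])
    if version not in (2, 3):
        raise ValueError("unsupported policy version %d" % version)
    head = lines[1].split()
    if head[0] != "blacklist":
        raise ValueError("this example only handles blacklist policies")
    rules = []
    if len(head) == 3 and head[1] == "maxno":          # option 1: header carries the bound
        rules.append(("GT", int(head[2]), MAXNO_ACTION))
    for line in lines[2:]:
        words = line.split()
        if version == 3 and words[0] in ("GT", "LT"):  # option 2: general comparison rules
            rules.append((words[0], int(words[1]), parse_action(words[2:])))
        else:                                           # plain 'name action' rule
            rules.append(("EQ", SYSCALL_NR[words[0]], parse_action(words[1:])))
    return SECCOMP_RET_ALLOW, rules


def compile_bpf(default_action, rules):
    """Emit (code, jt, jf, k) tuples: one compare + one return per rule, then the default."""
    prog = [(BPF_LD_W_ABS, 0, 0, 0)]                    # A = seccomp_data.nr (offset 0)
    for op, k, action in rules:
        if op == "EQ":
            prog.append((BPF_JEQ_K, 0, 1, k))           # match -> fall into RET, else skip it
        elif op == "GT":
            prog.append((BPF_JGT_K, 0, 1, k))           # the maxno check is exactly this jump
        elif op == "LT":
            prog.append((BPF_JGE_K, 1, 0, k))           # nr < k  ==  not (nr >= k)
        else:
            raise ValueError("unknown op %r" % op)
        prog.append((BPF_RET_K, 0, 0, action))
    prog.append((BPF_RET_K, 0, 0, default_action))
    return prog


def run_bpf(prog, nr):
    """Minimal interpreter for the opcodes emitted above; returns the seccomp action."""
    acc, pc = 0, 0
    while True:
        code, jt, jf, k = prog[pc]
        if code == BPF_LD_W_ABS:
            acc = nr                                    # only offset 0 (nr) is modelled
            pc += 1
        elif code == BPF_RET_K:
            return k
        elif code == BPF_JEQ_K:
            pc += 1 + (jt if acc == k else jf)
        elif code == BPF_JGT_K:
            pc += 1 + (jt if acc > k else jf)
        elif code == BPF_JGE_K:
            pc += 1 + (jt if acc >= k else jf)
        else:
            raise ValueError("unsupported opcode 0x%02x" % code)


def decide(policy_text, nr):
    """Convenience wrapper: policy text + syscall number -> seccomp return value."""
    return run_bpf(compile_bpf(*parse_policy(policy_text)), nr)


# Constructed policies, copied from the two layouts in the mail.
POLICY_V2 = "2\nblacklist maxno 500\nfinit_module errno 1\n"
POLICY_V3 = "3\nblacklist\nfinit_module errno 1\nGT 500 errno 1\nLT 3 kill\n"

if __name__ == "__main__":
    for name, pol in (("v2", POLICY_V2), ("v3", POLICY_V3)):
        print(name, [(nr, hex(decide(pol, nr))) for nr in (0, 2, 313, 500, 501)])
```

Because BPF_JGT is strict, syscall 500 itself is still allowed under "maxno 500" while 501 is denied; a real implementation should document which side of the bound is inclusive, since that is the kind of off-by-one that silently lets one new syscall through.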
