[lxc-devel] seccomp maxnr option?
Serge Hallyn
serge.hallyn at ubuntu.com
Tue Jun 24 14:23:33 UTC 2014
Hi,
Not too long ago we introduced the v2 seccomp policy format, which allows
for blacklists. One problem with blacklists is that on a newer kernel there
may be new syscalls which shouldn't be trusted.
So I'd like to introduce a max-syscall-number option, so that any higher
syscall number will be also blacklisted. This is actually efficient to do
with a SCMP_CMP_GT comparison added to a rule.
I'm wondering how this is best specified. There are a few options:
1. If we think this is the only comparison rule we'll frequently want, we
could extend the policy language so that
    2
    blacklist maxno 500
    finit_module errno 1
would mean that anything higher than 500 would be blacklisted.
2. We could define seccomp policy format version 3, which allows more
general rules, like
    3
    blacklist
    finit_module errno 1
    GT 500 errno 1
    LT 3 kill
Preferences? Other ideas?
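As an added illustration (not LXC's code and not from the mail above) of what the proposed v3-style policy would compile down to: a classic BPF seccomp filter that denies a fixed set of syscalls with errno 1, denies every syscall number above a ceiling (the "GT 500 errno 1" rule) with errno 1, kills on numbers below a floor (the "LT 3 kill" rule), and kills on a foreign architecture. A small userspace evaluator runs the filter over constructed seccomp_data values so the decisions can be checked without loading it. The struct layouts and constants are the Linux ABI values copied in so the file builds without kernel headers; the x86_64 number for finit_module (313) and the probe values are assumptions chosen for the demonstration. Note that libseccomp's SCMP_CMP_GT and the other SCMP_CMP_* comparators apply to syscall arguments; a ceiling on the syscall number itself is the single BPF_JGT on the loaded nr that the builder emits below.

```c
/* Added example (not LXC's own code): a "blacklist plus syscall-number
 * ceiling" policy as a classic BPF seccomp filter, with a tiny evaluator
 * so its decisions can be checked in userspace. Constants are the Linux
 * ABI values, copied here so the file builds without <linux/filter.h>. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sock_filter { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
struct seccomp_data { int32_t nr; uint32_t arch; uint64_t instruction_pointer; uint64_t args[6]; };

#define BPF_LD  0x00
#define BPF_W   0x00
#define BPF_ABS 0x20
#define BPF_JMP 0x05
#define BPF_JEQ 0x10
#define BPF_JGT 0x20
#define BPF_JGE 0x30
#define BPF_K   0x00
#define BPF_RET 0x06
#define SECCOMP_RET_KILL  0x00000000U
#define SECCOMP_RET_ERRNO 0x00050000U
#define SECCOMP_RET_ALLOW 0x7fff0000U
#define AUDIT_ARCH_X86_64 0xC000003EU
#define EPERM_VAL 1U   /* "errno 1" in the policy language */

#define BPF_STMT(code, k)         { (uint16_t)(code), 0, 0, (uint32_t)(k) }
#define BPF_JUMP(code, k, jt, jf) { (uint16_t)(code), (jt), (jf), (uint32_t)(k) }
#define MAX_DENIED 200  /* jump offsets are 8-bit, keep the list short */

/* Build the filter for the policy
 *     blacklist
 *     <each denied syscall>  errno 1
 *     GT maxnr               errno 1
 *     LT minnr               kill
 * Everything else is allowed; a foreign arch is killed because the same
 * nr means a different syscall there. Returns instruction count, 0 on error. */
size_t build_filter(struct sock_filter *f, size_t cap, uint32_t arch,
                    uint32_t maxnr, uint32_t minnr,
                    const uint32_t *denied, size_t n)
{
    if (n > MAX_DENIED || cap < 9 + n)
        return 0;
    size_t i = 0;
    f[i++] = (struct sock_filter) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    f[i++] = (struct sock_filter) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, arch, 1, 0);
    f[i++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    f[i++] = (struct sock_filter) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    /* LT minnr kill: classic BPF has no JLT, so JGE with the branches swapped. */
    f[i++] = (struct sock_filter) BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, minnr, 1, 0);
    f[i++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    /* GT maxnr errno 1: one unsigned comparison covers every syscall the kernel
     * grew after the policy was written (and negative nr, which reads as huge).
     * Target is the final RET ERRNO at index 8 + n. */
    f[i++] = (struct sock_filter) BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, maxnr, (uint8_t)(n + 1), 0);
    for (size_t j = 0; j < n; j++)
        f[i++] = (struct sock_filter) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, denied[j], (uint8_t)(n - j), 0);
    f[i++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    f[i++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM_VAL);
    return i;
}

/* Evaluate the filter the way the kernel's classic-BPF interpreter would
 * for the opcodes used above; anything else fails closed. */
uint32_t run_filter(const struct sock_filter *f, size_t len, const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &f[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k > sizeof(*d) - 4) return SECCOMP_RET_KILL;
            memcpy(&acc, (const unsigned char *)d + in->k, 4);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (acc == in->k) ? in->jt : in->jf; break;
        case BPF_JMP | BPF_JGT | BPF_K: pc += (acc >  in->k) ? in->jt : in->jf; break;
        case BPF_JMP | BPF_JGE | BPF_K: pc += (acc >= in->k) ? in->jt : in->jf; break;
        case BPF_RET | BPF_K: return in->k;
        default: return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}

/* The policy from the mail with x86_64 numbers (assumed: finit_module = 313). */
uint32_t policy_decision(uint32_t arch, int nr)
{
    static const uint32_t denied[] = { 313 };
    struct sock_filter prog[32];
    size_t len = build_filter(prog, 32, AUDIT_ARCH_X86_64, 500, 3, denied, 1);
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return len ? run_filter(prog, len, &d) : SECCOMP_RET_KILL;
}

int main(void)
{
    const int probes[] = { 39 /* getpid */, 2 /* open */, 313, 500, 501, -1 };  /* constructed */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("nr %4d -> 0x%08x\n", probes[i], policy_decision(AUDIT_ARCH_X86_64, probes[i]));
    return 0;
}
```

To actually enforce a filter like this, the instruction array is wrapped in a struct sock_fprog and installed with prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) followed by prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog); the evaluator above exists only so the policy can be unit-tested first. The unsigned comparison is the point worth remembering: the ceiling rule catches both future syscall numbers and a negative nr, and because classic BPF only has JEQ/JGT/JGE/JSET, an "LT" rule has to be written as a JGE with its branches swapped.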