[lxc-devel] seccomp maxnr option?

Serge Hallyn serge.hallyn at ubuntu.com
Tue Jun 24 15:03:18 UTC 2014


Quoting Stéphane Graber (stgraber at ubuntu.com):
> On Tue, Jun 24, 2014 at 02:23:33PM +0000, Serge Hallyn wrote:
> > Hi,
> > 
> > Not too long ago we introduced the v2 seccomp policy format, which allows
> > for blacklists.  One problem with blacklists is that on a newer kernel there
> > may be new syscalls which shouldn't be trusted.
> > 
> > So I'd like to introduce a max-syscall-number option, so that any higher
> > syscall number will be also blacklisted.  This is actually efficient to do
> > with a SCMP_CMP_GT comparison added to a rule.
> > 
> > I'm wondering how this is best specified.  There are a few otions:
> > 
> > 1. if we think this is the only comparison rule we'll frequently want, we
> > could extend the policy language so that
> > 
> > 2
> > blacklist maxno 500
> > finit_module errno 1
> > 
> > Would mean that anything higher than 500 would be blacklisted.
> > 
> > 2.  We could define seccomp policy format version 3, which allows more
> > general rules, like
> > 
> > 3
> > blacklist
> > finit_module errno 1
> > GT 500 errno 1
> > LT 3 kill
> > 
> > Preferences?  Other ideas?
> 
> I'd prefer option 2 as it also allows you to set the default action.
> However, can we easily make this even more flexible by allowing ranges?
> 
> Basically supporting:
>  - GT 500 <action> (for > 500)
>  - LT 3 <action> (for < 3)
>  - RANGE 100 200 <action> (for >= 100 and <= 200)
> 
> If it's easy, it'd also be nice being able to do that using the syscall
> name rather than its number, so that you can basically say "I'm happy
> with the syscall list up until the introduction of X" and not have to
> care about the particular syscall number for each given arches.

Yeah, that was how I pictured it.

> To block anything introduced after setns:
>  - GT setns errno 1
> 
> To make all the inotify functions return silently:
>  - RANGE inotify_init inotify_rm_watch errno 0
> 
> 
> Is that reasonably easy to implement or am I dreaming? :)

Should be easy - the only reason I didn't add RANGE was that it didn't
really seem useful, but it should just consist of adding a few more
elements to the rule array being added.

-serge


More information about the lxc-devel mailing list