[lxc-devel] [RFC] Seccomp default policies and rules

Serge Hallyn serge.hallyn at ubuntu.com
Thu Mar 12 16:14:11 UTC 2015


Quoting Purcareata Bogdan (b43198 at freescale.com):
> Hello,
> 
> While playing around with containers and seccomp, I've come up with
> a couple of thoughts, and I would like to hear some official input
> on these:
> 
> 1. There's currently no way to set a default rule action - this is
> set to "kill" for blacklist policies, and "allow" for whitelist
> policies. I thought it would be nice to add the possibility to e.g.
> set the default rule action to "errno #" when using a blacklist
> policy, which can be overridden on a per-syscall basis. This implies
> changing the format of the seccomp policy file, what do you think
> would be the best way to do that?

Add a new keyword for the new default action?  So we have 'blacklist',
'whitelist', 'errno', and heck maybe 'trap' and 'trace'.

> 2. This is not particularly related to lxc/seccomp, but there's
> currently no sanity check of the soundness of the seccomp context.
> Basically meaning that for whitelist policies, the policy action
> should be restrictive (kill, trap, errno) and rule actions should be
> permissive (allow), and vice versa. You can easily shoot yourself in
> the foot by writing something like "blacklist kill" in your seccomp
> policy file (and I did). Albeit libseccomp lets you do this, so it's
> up to the admin to make sure the context is sound, I think some
> basic checks and warnings when setting the actions would be nice (at
> least for newbies like myself).

Perhaps this should be done by a separate program.  For that matter
people might appreciate a program that validates a whole container
configuration.  The seccomp validation program could be run in a
container start hook.
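As an added illustration of the soundness check discussed in this thread (this is example code written for this page, not code from LXC or from either poster), the following checker parses a v2-style seccomp policy file and warns when the default policy action and the per-rule actions pull in the same direction. The file layout it assumes is: a version line `2`, a mode line `blacklist` or `whitelist` optionally followed by a default policy action, then one rule per line as `syscall [action [errno-number]]`, with `[arch]` section headers and `#` comments ignored; the missing-action defaults (`kill` for blacklist rules, `allow` for whitelist rules) follow the first message above, and everything else about the format is an assumption made here.

```python
"""Soundness checker for LXC-style seccomp policy files (added example).

Assumed format (not verified against any LXC release):
  line 1: "2"
  line 2: "blacklist" | "whitelist"   [default-action [errno-number]]
  then:   "syscall [action [errno-number]]", "[arch]" headers, "#" comments
"""

RESTRICTIVE = {"kill", "trap", "errno"}
PERMISSIVE = {"allow"}
KNOWN_ACTIONS = RESTRICTIVE | PERMISSIVE | {"trace"}

# What a rule line gets when it names no action (from the thread's description).
IMPLICIT_RULE_ACTION = {"blacklist": "kill", "whitelist": "allow"}
# What the whole policy falls back to when line 2 names no action.
IMPLICIT_POLICY_ACTION = {"blacklist": "allow", "whitelist": "kill"}


def parse_policy(text):
    """Return (mode, default_policy_action, [(syscall, action), ...])."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if not lines or lines[0] != "2":
        raise ValueError("expected version line '2'")
    if len(lines) < 2:
        raise ValueError("missing blacklist/whitelist line")
    mode_parts = lines[1].split()
    mode = mode_parts[0]
    if mode not in ("blacklist", "whitelist"):
        raise ValueError("mode must be blacklist or whitelist, got %r" % mode)
    policy_action = mode_parts[1] if len(mode_parts) > 1 else IMPLICIT_POLICY_ACTION[mode]
    rules = []
    for ln in lines[2:]:
        if ln.startswith("["):          # "[x86_64]"-style arch section header
            continue
        parts = ln.split()
        action = parts[1] if len(parts) > 1 else IMPLICIT_RULE_ACTION[mode]
        rules.append((parts[0], action))
    return mode, policy_action, rules


def check_policy(text):
    """Return a list of human-readable warnings; an empty list means 'sound'."""
    mode, policy_action, rules = parse_policy(text)
    warnings = []
    # A whitelist must deny by default and permit listed calls; a blacklist the reverse.
    want_policy = RESTRICTIVE if mode == "whitelist" else PERMISSIVE
    want_rule = PERMISSIVE if mode == "whitelist" else RESTRICTIVE
    if policy_action not in KNOWN_ACTIONS:
        warnings.append("unknown default action %r" % policy_action)
    elif policy_action not in want_policy:
        warnings.append("%s policy with default action %r: every syscall not listed "
                        "gets %r, which is not what a %s is for"
                        % (mode, policy_action, policy_action, mode))
    for syscall, action in rules:
        if action not in KNOWN_ACTIONS:
            warnings.append("%s: unknown action %r" % (syscall, action))
        elif action not in want_rule:
            warnings.append("%s: %s rule with %r action is a no-op or a self-lockout"
                            % (syscall, mode, action))
    return warnings


if __name__ == "__main__":
    # Constructed sample: the "blacklist kill" foot-gun from the thread.
    SAMPLE = "2\nblacklist kill\n# nothing below is ever reached\nmknod\n"
    for w in check_policy(SAMPLE) or ["policy looks sound"]:
        print(w)
```

The check is deliberately conservative: `trace` is accepted as a known action but is neither permissive nor restrictive, so it is reported whenever it appears, since whether it is safe depends entirely on the tracer attached to the container. Wiring `check_policy` into a start hook as suggested above would mean failing the hook (non-zero exit) whenever the list of warnings is non-empty.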
