Looks fantastic!

This also captures some prior offline discussions with @s-urbaniak, who may want to chime in to double-check.
Review comment on:

```go
l.val = v
return err
```

`return nil`, err cannot be non-nil here
@lucab just nits really :-) As far as I remember we discussed that the seccomp filter doesn't really make sense used without the NoNewPrivileges isolator. Is this something we should document/code? |
@s-urbaniak yes, in the bigger picture there is some relationship between seccomp, capabilities and no-new-privs to avoid unprivileged user re-gaining enough privileges (CAP_SYS_ADMIN) to revert the filter. But I don't think this should be part of the spec (or maybe just a "MAY" note). |
I'll let this sediment here for some time, waiting for major concerns on the spec side. I'll then move it to non-wip with a final refinement pass.
Moved to proposal stage, spec and code now at #621. |
Review comment on:

```json
"errno": "ENOTSUP",
"set": [
  "chown",
  "chmod"
```
Should we give an example with some syscalls that should reasonably not be given to containers, so that it is more realistic? Such as:
- reboot
- init_module, finit_module, delete_module
- kexec_load
Some of them were found in systemd-nspawn.
I think it will make sense, yes. Another source for examples is the Docker blacklist.
An initial proposal for seccomp support as an ACE Linux-specific isolator.