app-level seccomp isolator #1614
/cc @mjg59
😁
I have a whitelist 😇 do you want help?
@jfrazelle sure! One way to easily try your white list in rkt is to add the SystemCallFilter= parameter in WritePrepareAppTemplate(), near CapabilityBoundingSet=. That would define per-app seccomp rules. Since the systemd unit file for the app currently uses the "appexec" helper, you will need to allow the syscalls used by appexec, such as To define per-pod seccomp rules, we would need either changes in systemd-nspawn's setup_seccomp(), or to add SystemCallFilter= in the systemd service file that starts rkt. At a first glance, starting with per-app seccomp rules seems the easiest option.
Update on this: @iaguis is working on removing appexec in #2493, so we will not need to write more C code in appexec. Instead, using SystemCallFilter= in WritePrepareAppTemplate() should be enough.
@jfrazelle any update on this? #2493 is merged in 1.5.0, so are you still up for it?
@jfrazelle Ping? If you want to take a swing at this it would be awesome!
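As an added illustration of the per-app approach sketched above (this is not code from rkt or from anyone in this thread), here is what the [Service] section of an app unit could look like once SystemCallFilter= is emitted next to CapabilityBoundingSet=. The directive names are systemd's; the capability values and the syscall allow-list are constructed for the example, not rkt's real list, and would have to be extended with whatever the app and any helper such as appexec actually use.

```ini
[Service]
# Capability bounding set as already written by the app template (constructed values)
CapabilityBoundingSet=CAP_CHOWN CAP_NET_BIND_SERVICE
# Restrict to the native ABI so a compat entry point cannot bypass the filter
SystemCallArchitectures=native
# Whitelist semantics: a syscall not listed below fails with EPERM instead of
# killing the app with SIGSYS, which makes a missing entry much easier to spot
SystemCallErrorNumber=EPERM
# Constructed allow-list; real lists are derived from what the app needs
SystemCallFilter=read write open openat close stat fstat lstat mmap mprotect munmap brk \
    rt_sigaction rt_sigprocmask rt_sigreturn ioctl access pipe select sched_yield dup dup2 \
    nanosleep getpid socket connect accept sendto recvfrom bind listen clone execve exit \
    wait4 kill fcntl getdents getcwd chdir readlink getuid getgid geteuid getegid futex \
    exit_group epoll_create epoll_ctl epoll_wait getrandom
```

Without SystemCallErrorNumber= systemd's default on a filtered syscall is to terminate the process, so during development the EPERM variant is the one to start with; once the list is known to be complete it can be dropped to get the stricter kill behaviour. Backslash continuation inside a unit file is supported by systemd, so the list stays readable without one very long line.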
Sorry, yes, will do :) Working on the kubes seccomp PR now, then this.
On Sunday, May 8, 2016, Brandon Philips notifications@github.com wrote:
Jessie Frazelle
@jfrazelle sounds great, looking forward to it!
@jfrazelle do you think you'll have any bandwidth to get to this soon? Otherwise we might start working on it, as we'd love to see it in our next release. Thanks!
OK, so sorry, definitely this weekend!
On Fri, May 20, 2016 at 8:52 AM, Jonathan Boulle notifications@github.com
Jessie Frazelle
aaaand no time, sorry, full time job + life is hard :(
On Fri, May 20, 2016 at 9:23 AM, Jessica Frazelle me@jessfraz.com wrote:
Jessie Frazelle
Let's try to get it for the next release.
Current appc/spec proposal at appc/spec#621. Slightly reworked since the initial draft to address some concerns related to groups and defaults; I don't expect the proposed spec to change drastically anymore at this point.
rkt PR currently up at #2753. It follows the aggressive path of applying a default whitelist, which can be explicitly opted out of. Still marked as WIP, as stage1 seems unhappy about unprivileged pods and seccomp.
Bumped milestone, appc spec update still pending. Current plan is to solve the unprivileged pods issue and land it with default whitelisting in 1.9.0; fallback plan is to merge support first and switch the default once everything is fine.
Would be great if the docker seccomp profile files could be reused.
Great! Looks like it would even work with the kvm stage 1.
Closed via #2753.
It would be nice to have an app-level isolator for filtering syscalls.
It will require a new isolator in the spec: appc/spec#529
Extended BPF should be explored too: https://lwn.net/Articles/603983/
Ideally, systemd could implement a new property "SyscallWhitelist=" in the service unit files and rkt would use that.