seccomp: honor seccomp flags #85
Conversation
|
Should we add a flag to allow these to be customized by the caller? I would guess we don't need to worry about SECCOMP_FILTER_FLAG_SPEC_ALLOW since this can be handled by a syscall. But SECCOMP_FILTER_FLAG_SPEC_ALLOW, do you see an admin as ever wanting this? Turning it off would not effect a system that already was doing the filtering correct? |
|
I'd like to make it configurable, but I am not sure what would be the best way to pass down this information to the OCI runtime. Should we propose a change for the OCI specs? |
|
That'd be the best way to handle it. The specs are currently very far
behind the kernel on Seccomp features.
…On Mon, Sep 9, 2019, 08:45 Giuseppe Scrivano ***@***.***> wrote:
I'd like to make it configurable, but I am not sure what would be the best
way to pass down this information to the OCI runtime. Should we propose a
change for the OCI specs?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#85?email_source=notifications&email_token=AB3AOCFXLENMUYWVZRFJPBDQIZANHA5CNFSM4IU2GDBKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD6HNWRI#issuecomment-529455941>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AB3AOCGMR6OH72XT2PXQIGDQIZANHANCNFSM4IU2GDBA>
.
|
giuseppe
changed the title
|
so let's do this correctly, I've opened a PR for the runtime-spec: opencontainers/runtime-spec#1018 I'll rework this patch to read the flags from the OCI configuration file once the PR for runtime-spec is accepted |
|
Well I have no problem letting this patch be the default IE These fields are not set, so we log and do not turn on the security separation. Once we have support for the flags in OCI, then we use them if specified. |
|
I think we should probably default TSYNC to on... Actually, does TSYNC even make sense here? As long as the same thread that sets up seccomp launches the container, every child in the container will inherit the full ruleset, and the only things affected are lingering |
crun is using a single thread so it should not make any difference
the only difference is that once the flags will be added to the OCI specs, we will be reverting back to not have them set by default. If that is fine, then we can merge this PR |
|
Well I was thinking more the absense of flags was to turn them on, if there were flags, then we use those defaults. |
Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
now the OCI runtime specs support to specify seccomp flags to use with the seccomp(2) syscall. The accepted options are: - SECCOMP_FILTER_FLAG_TSYNC - SECCOMP_FILTER_FLAG_SPEC_ALLOW - SECCOMP_FILTER_FLAG_LOG If there is no selection for the flags to use (i.e. there is no seccomp->flags specified), a default configuration is used: SECCOMP_FILTER_FLAG_LOG and SECCOMP_FILTER_FLAG_SPEC_ALLOW. From the man page: SECCOMP_FILTER_FLAG_LOG (since Linux 4.14) All filter return actions except SECCOMP_RET_ALLOW should be logged. An administrator may override this filter flag by preventing specific actions from being logged via the /proc/sys/kernel/seccomp/actions_logged file. SECCOMP_FILTER_FLAG_SPEC_ALLOW (since Linux 4.17) Disable Speculative Store Bypass mitigation. Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
giuseppe
force-pushed
the
seccomp-enable-filter
branch
from
1937af9 to
fefabff
Compare
giuseppe
changed the title
|
the changes went into the OCI runtime specs. I've adapted the PR and the description to that. I've changed it to use |
|
@vrothberg FYI |
now the OCI runtime specs support to specify seccomp flags to use with the seccomp(2) syscall.
The accepted options are:
If there is no selection for the flags to use (i.e. there is no seccomp->flags specified), a default configuration is used:
SECCOMP_FILTER_FLAG_LOG and SECCOMP_FILTER_FLAG_SPEC_ALLOW.
From the man page:
SECCOMP_FILTER_FLAG_LOG (since Linux 4.14)
All filter return actions except SECCOMP_RET_ALLOW should be logged.
An administrator may override this filter flag by preventing
specific actions from being logged via the
/proc/sys/kernel/seccomp/actions_logged file.
SECCOMP_FILTER_FLAG_SPEC_ALLOW (since Linux 4.17)
Disable Speculative Store Bypass mitigation.
Signed-off-by: Giuseppe Scrivano giuseppe@scrivano.org