[RFC/PATCH: 0/7] Add seccomp filtering support to Upstart

David Gaarenstroom david.gaarenstroom at gmail.com
Thu Feb 21 22:23:31 UTC 2013


December last year I announced I wanted to add seccomp filter support
to upstart, and since that some things got in the way but here is my
current code. These patches still have a RFC status as I expect some
remarks anyway, and at the moment I don't have test-cases readily
available. Nevertheless I'd like to know if I'm on the right track.

These patches add a new dependency on "gperf", which is used to create
lookup tables for errnos and syscalls. Other than that there are no
new dependencies. Parts 2 and 3 add the seccomp-filter creation code
itself, which is based on the same code as my guardian "seccomp
wrapper" at https://gitorious.org/guardian/guardian

As agreed earlier, the seccomp-filter syntax is defined as:
seccomp_filter
    : "seccomp-filter" WS [ '~' ] seccomp_rules;

seccomp_rules
    : seccomp_rule ( WS seccomp_rule )*;

seccomp_rule
    : systemcall ( ':' policy )?;

policy
    : "allow"
    | "errno" ( '(' errno ')' )?
    | "kill"
    | "trace"
    | "trap" ( '(' errno ')' )?
    ;

WS : ' '|'\t'|'\n';

The default policy is "allow explicitly listed syscalls as the default
policy, and use the kill policy for anything not explicitly listed".
That is, unless the set of rules is preceded with "~", which inverts
this policy, just like Systemd does ("deny explicitly listed syscalls
as the default policy, allow anything not explicitly listed").

E.g.:
  seccomp-filter write

...for "echo hello world".
or:

  seccomp-filter getrlimit:allow setrlimit:errno(EACCES)

...for a fictional program that is allowed to call getrlimit, but
calls to setrlimit are simply ignored and errno is set to EACCES.
or:

  seccomp-filter ~setuid socket

...to prevent the usage of setuid and socket.


Kind regards,
David Gaarenstroom
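An added example, not part of the post or the Upstart patches: a small parser for the seccomp-filter stanza syntax given above, plus a resolver that applies the stated default policy and the "~" inversion. It assumes the "~" is glued to the first rule as in the post's example, and maps the inverted mode's "deny" for a listed syscall without an explicit policy to "kill" (an assumption; the post only says "deny").

```python
import re

# Policies from the grammar in the post; only "errno" and "trap" take an errno argument.
POLICIES = {"allow", "errno", "kill", "trace", "trap"}
TAKES_ERRNO = {"errno", "trap"}

# One seccomp_rule: systemcall ( ':' policy ( '(' errno ')' )? )?
RULE_RE = re.compile(
    r"^(?P<call>[A-Za-z_][A-Za-z0-9_]*)"
    r"(?::(?P<policy>[a-z]+)(?:\((?P<errno>E[A-Z0-9]+)\))?)?$"
)


def parse_seccomp_filter(stanza):
    """Parse 'seccomp-filter [~]rule rule ...' into (inverted, rules).

    rules maps syscall name -> (policy or None, errno or None).
    Raises ValueError for anything the grammar does not admit.
    """
    tokens = stanza.split()  # WS is ' ', '\t' or '\n'
    if not tokens or tokens[0] != "seccomp-filter":
        raise ValueError("stanza must start with 'seccomp-filter'")
    tokens = tokens[1:]
    inverted = False
    if tokens and tokens[0].startswith("~"):
        inverted = True
        tokens[0] = tokens[0][1:]  # '~' directly precedes the first rule
    if not tokens:
        raise ValueError("at least one rule is required")
    rules = {}
    for tok in tokens:
        m = RULE_RE.match(tok)
        if not m:
            raise ValueError("malformed rule: %r" % tok)
        call, policy, err = m.group("call"), m.group("policy"), m.group("errno")
        if policy is not None and policy not in POLICIES:
            raise ValueError("unknown policy %r in %r" % (policy, tok))
        if err is not None and policy not in TAKES_ERRNO:
            raise ValueError("policy %r takes no errno argument: %r" % (policy, tok))
        rules[call] = (policy, err)
    return inverted, rules


def action_for(parsed, syscall):
    """Resolve (policy, errno) for one syscall under a parsed filter.

    Default mode: listed syscalls are allowed unless given a policy, unlisted are killed.
    '~' mode: unlisted syscalls are allowed; a listed syscall with no explicit policy
    is denied, mapped here to 'kill' (assumption, see lead-in).
    """
    inverted, rules = parsed
    if syscall not in rules:
        return ("allow", None) if inverted else ("kill", None)
    policy, err = rules[syscall]
    if policy is None:
        return ("kill", None) if inverted else ("allow", None)
    return (policy, err)
```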
