Re: [RFC PATCH bpf-next seccomp 00/12] eBPF seccomp filters
From: Tycho Andersen <tycho@tycho.pizza>
Date: 2021-05-17 15:46:20
Also in:
linux-security-module
Possibly related (same subject, not in this thread)
- 2021-06-09 · Re: [RFC PATCH bpf-next seccomp 00/12] eBPF seccomp filters · Jinghao Jia <hidden>
- 2021-06-09 · Re: [RFC PATCH bpf-next seccomp 00/12] eBPF seccomp filters · Jinghao Jia <hidden>
- 2021-06-01 · Re: [RFC PATCH bpf-next seccomp 00/12] eBPF seccomp filters · Kees Cook <hidden>
- 2021-05-24 · Re: [RFC PATCH bpf-next seccomp 00/12] eBPF seccomp filters · Sargun Dhillon <hidden>
- 2021-05-20 · Re: [RFC PATCH bpf-next seccomp 00/12] eBPF seccomp filters · Tianyin Xu <hidden>
On Sun, May 16, 2021 at 03:38:00AM -0500, Tianyin Xu wrote:
On Sat, May 15, 2021 at 10:49 AM Andy Lutomirski [off-list ref] wrote:quoted
On 5/10/21 10:21 PM, YiFei Zhu wrote:quoted
On Mon, May 10, 2021 at 12:47 PM Andy Lutomirski [off-list ref] wrote:quoted
On Mon, May 10, 2021 at 10:22 AM YiFei Zhu [off-list ref] wrote:quoted
From: YiFei Zhu <redacted> Based on: https://urldefense.com/v3/__https://lists.linux-foundation.org/pipermail/containers/2018-February/038571.html__;!!DZ3fjg!thbAoRgmCeWjlv0qPDndNZW1j6Y2Kl_huVyUffr4wVbISf-aUiULaWHwkKJrNJyo$ This patchset enables seccomp filters to be written in eBPF. Supporting eBPF filters has been proposed a few times in the past. The main concerns were (1) use cases and (2) security. We have identified many use cases that can benefit from advanced eBPF filters, such as:I haven't reviewed this carefully, but I think we need to distinguish a few things: 1. Using the eBPF *language*. 2. Allowing the use of stateful / non-pure eBPF features. 3. Allowing the eBPF programs to read the target process' memory. I'm generally in favor of (1). I'm not at all sure about (2), and I'm even less convinced by (3).quoted
* exec-only-once filter / apply filter after execThis is (2). I'm not sure it's a good idea.The basic idea is that for a container runtime it may wait to execute a program in a container without that program being able to execve another program, stopping any attack that involves loading another binary. The container runtime can block any syscall but execve in the exec-ed process by using only cBPF. The use case is suggested by Andrea Arcangeli and Giuseppe Scrivano. @Andrea and @Giuseppe, could you clarify more in case I missed something?We've discussed having a notifier-using filter be able to replace its filter. This would allow this and other use cases without any additional eBPF or cBPF code.A notifier is not always a solution (even ignoring its perf overhead). One problem, pointed out by Andrea Arcangeli, is that notifiers need userspace daemons. So, it can hardly be used by daemonless container engines like Podman.
I'm not sure I buy this argument. Podman already has a conmon instance for each container, this could be a child of that conmon process, or live inside conmon itself. Tycho