Allow for seccomp blacklist rather than whitelisting
Bug #1615773 reported by
Stéphane Graber
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| snapd |
Triaged
|
Wishlist
|
Unassigned | ||
Bug Description
LXD, LXC and quite probably Docker would benefit from the ability to define a syscall blacklist rather than a whitelist.
This would be to block known harmful syscalls but still allow EVERYTHING else, including syscalls which are not yet known to snappy or seccomp.
This would be done as a blacklist BPF filter and NOT as a whitelist of all other syscalls, which wouldn't work as it would only ever cover things that were known at the time seccomp or snappy were built and so would block anything newer.
| tags: | added: lxd |
Revision history for this message
| Zygmunt Krynicki (zyga) wrote | #1 |
| tags: | added: snapd-interface |
| Changed in snappy: | |
| status: | New → Triaged |
Revision history for this message
| Jamie Strandboge (jdstrand) wrote | #2 |
| Changed in snappy: | |
| importance: | Undecided → Wishlist |
| status: | Triaged → New |
Revision history for this message
| Stéphane Graber (stgraber) wrote | #3 |
| Changed in snappy: | |
| status: | New → Triaged |
| affects: | snappy → snapd |
To post a comment you must log in.
I think this is doable with a few tweaks to snap-confine and snapd. Please ack the design with jdstrand and niemayer and I can implement this.