[atomic-devel] I am working on seccomp integration into docker for project Atomic.



Basically seccomp allows us to either whitelist or blacklist syscalls
that we want to expose into the container processes.

At this time, coming up with a whitelist would just about be
impossible.  I am concentrating on creating a reasonable list of
syscalls that should not be allowed within a non-privileged container.
Then we can allow an admin to add/remove syscalls using the docker run CLI.

The idea is to limit the attack surface of the kernel.  Just turning on
seccomp within a docker container will eliminate all non-native
syscalls, by default.  On an X86_64 system x32 and i686 syscalls will be
eliminated.

Here is the current list I am looking at.

// Some of these originated out of systemd-nspawn code

    container.RestrictSyscalls = []string{"kexec_load",
        "open_by_handle_at", "init_module", "finit_module", "delete_module",
        "iopl", "ioperm", "swapon", "swapoff", "sysfs", "sysctl", "adjtimex",
        "clock_adjtime", "lookup_dcookie", "perf_event_open", "fanotify_init",
        "kcmp"}
    // settimeofday where a0=CLOCK_REALTIME

    /* Sandstorm also blocks the following
    []string{"unshare", "acct", "add_key", "clone", "get_mempolicy",
        "get_robust_list", "io_cancel", "io_destroy", "io_getevents",
        "io_setup", "io_submit", "keyctl", "mbind", "migrate_pages",
        "modify_ldt", "mount", "move_pages", "perf_event_open", "personality",
        "pivot_root", "ptrace", "quotactl", "remap_file_pages", "request_key",
        "set_mempolicy", "set_robust_list", "syslog", "uselib", "vmsplice"}
    // socket where SCMP_A0(SCMP_CMP_GE, AF_NETLINK + 1)
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_AX25)
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_IPX)
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_APPLETALK)
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_NETROM)
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_BRIDGE)
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_ATMPVC)
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_X25)
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_ROSE)
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_DECnet)
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_NETBEUI)
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_SECURITY)
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_KEY)
    */

Sandstorm also blocks ptrace, which I am also thinking of adding.

I would like to have other people's input on other syscalls that we
should add, or ones that should not be on the list.

I believe few administrators will ever modify the list, so picking a
good secure list that will not break most applications is critical.
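As an added example (not the Atomic or Docker code), here is a raw seccomp-bpf filter in C that does the three things the post describes: it kills calls arriving through a non-native ABI (i686 or x32 on an x86_64 kernel), returns EPERM for a subset of the proposed blacklist, and applies the socket-family argument rule (AF >= AF_NETLINK + 1) quoted from Sandstorm. It assumes an x86_64 host; the blacklist subset was chosen so every syscall number exists on all Linux architectures, and the AF_ALG self-check in main is my own choice.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#define NATIVE_ARCH AUDIT_ARCH_X86_64 /* assumption: x86_64 host */
#define X32_SYSCALL_BIT 0x40000000    /* x32 ABI syscall numbers carry this bit */
#define STMT(code, k) (struct sock_filter)BPF_STMT(code, k)
#define JUMP(code, k, jt, jf) (struct sock_filter)BPF_JUMP(code, k, jt, jf)
/* Subset of the proposed blacklist whose numbers exist on every Linux arch. */
static const int deny_list[] = { SYS_kexec_load, SYS_init_module, SYS_finit_module,
    SYS_delete_module, SYS_swapon, SYS_swapoff, SYS_perf_event_open, SYS_kcmp };
#define NDENY ((int)(sizeof deny_list / sizeof deny_list[0]))
/* Writes the classic-BPF program into prog[] and returns its instruction count. */
int build_filter(struct sock_filter *prog) {
    int n = 0;
    /* 1. Kill any caller using a non-native ABI (i686 or x32 on an x86_64 kernel). */
    prog[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0);
    prog[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    prog[n++] = JUMP(BPF_JMP | BPF_JGE | BPF_K, X32_SYSCALL_BIT, 0, 1);
    prog[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    /* 2. Blacklisted syscalls fail with EPERM before reaching the kernel. */
    for (int i = 0; i < NDENY; i++) {
        prog[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, deny_list[i], 0, 1);
        prog[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    }
    /* 3. Argument filter: socket() with a family above AF_NETLINK is refused. */
    prog[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_socket, 0, 3);
    prog[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0]));
    prog[n++] = JUMP(BPF_JMP | BPF_JGE | BPF_K, AF_NETLINK + 1, 0, 1);
    prog[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    prog[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n;
}
/* Installs the filter in this process; 0 on success, -1 with errno set. */
int install_filter(void) {
    struct sock_filter prog[64];
    struct sock_fprog fprog = { .len = (unsigned short)build_filter(prog), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1; /* needed without CAP_SYS_ADMIN */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
int main(void) {
    if (install_filter()) return 1;
    /* Unfiltered, AF_ALG (38) succeeds or gives EAFNOSUPPORT; the filter turns it into EPERM. */
    return (socket(AF_ALG, SOCK_SEQPACKET, 0) < 0 && errno == EPERM) ? 0 : 2;
}
```

The program exits 0 only when the filter is active, so it doubles as a quick check that the rule set was accepted by the kernel; a Docker integration would install the same sock_fprog in the container's init before exec.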
