[atomic-devel] I am working on seccomp integration into docker for project Atomic.
- From: Daniel J Walsh <dwalsh redhat com>
- To: atomic-devel projectatomic io
- Subject: [atomic-devel] I am working on seccomp integration into docker for project Atomic.
- Date: Tue, 28 Oct 2014 07:59:57 -0400
Basically seccomp allows us to either whitelist or blacklist syscalls
that we want to expose into the container processes.
At this time coming up with a whitelist would just about be
impossible.  I am concentrating on creating a reasonable list of
syscalls that should not be allowed within a non-privileged container.
Then we can allow an admin to add/remove syscalls using the docker run CLI.
The idea is to limit the attack surface of the kernel.  Just turning on
seccomp within a docker container will eliminate all non-native
syscalls, by default.  On an X86_64 system x32 and i686 syscalls will be
eliminated.
Here is the current list I am looking at.
// Some of these originated out of systemd-nspawn code
    container.RestrictSyscalls = []string{"kexec_load",
"open_by_handle_at", "init_module", "finit_module", "delete_module",
"iopl", "ioperm", "swapon", "swapoff", "sysfs", "sysctl", "adjtimex",
"clock_adjtime", "lookup_dcookie", "perf_event_open", "fanotify_init",
"kcmp"}
    // settimeofday where a0=CLOCK_REALTIME
    /* Sandstorm also blocks the following
    []string{"unshare", "acct", "add_key", "clone", "get_mempolicy",
"get_robust_list", "io_cancel", "io_destroy", "io_getevents",
"io_setup", "io_submit", "keyctl", "mbind", "migrate_pages",
"modify_ldt", "mount", "move_pages", "perf_event_open", "personality",
"pivot_root", "ptrace", "quotactl", "remap_file_pages", "request_key",
"set_mempolicy", "set_robust_list", "syslog", "uselib", "vmsplice"}
    // socket where SCMP_A0(SCMP_CMP_GE, AF_NETLINK + 1)));
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_AX25)));
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_IPX)));
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_APPLETALK)));
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_NETROM)));
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_BRIDGE)));
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_ATMPVC)));
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_X25)));
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_ROSE)));
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_DECnet)));
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_NETBEUI)));
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_SECURITY)));
    // socket where SCMP_A0(SCMP_CMP_EQ, AF_KEY)));
    */
Sandstorm also blocks ptrace, which I am also thinking of adding.
I would like to have other people's input on other syscalls that we
should add, or ones that should not be on the list.
I believe few administrators will ever modify the list, so picking a
good secure list that will not break most applications is critical.