Investigate Syscalls to Block with seccomp-bpf #106

@MarkKoz

Description

A long time ago I made a rough draft of a filter:

seccomp_string: "KILL {"
seccomp_string: "   execve,"
seccomp_string: "   execveat,"
seccomp_string: "   shmget,"
seccomp_string: "   shmat,"
seccomp_string: "   shmdt,"
seccomp_string: "   shmctl,"
seccomp_string: "   fork,"
seccomp_string: "   clone"
seccomp_string: "}"
seccomp_string: "DEFAULT ALLOW"

However, because nsjail applies the filter to the forked process before it changes from nsjail to Python, blocking some syscalls may interfere with the functionality of nsjail. The most important one is execve, which is what changes the fork from nsjail to Python, so it would have to be excluded from the above filter.

The rest of the syscalls above are merely redundancies given the current nsjail configuration. The shared memory syscalls are just there as insurance since the exploit was already fixed long ago by not mounting the stuff needed for it to work. fork and clone are redundant since the PID limit is 1 anyway.

Any other ideas for syscalls to filter are welcome.
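The draft above is written in kafel, the policy language nsjail compiles into a seccomp-bpf program. To make the ordering problem concrete (the filter is installed before the exec that turns the forked nsjail into Python, so execve/execveat must stay allowed), here is an added example, not code from snekbox or nsjail, that hand-builds the equivalent kill-list filter in classic BPF and checks its verdicts in userspace before installing it. The function names (`kill_list`, `build_filter`, `evaluate`, `verdict`, `install_filter`), the `ARCH_NR` macro and the specific kill list are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* older uapi headers only define SECCOMP_RET_KILL (thread) */
#endif
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Kill list from the issue's draft minus execve/execveat: the filter survives the
 * exec that turns the forked nsjail into Python, so those two must stay allowed.
 * (Hypothetical list for illustration; tune it to the jail's real needs.) */
static size_t kill_list(int *out)
{
    size_t n = 0;
    out[n++] = SYS_shmget; out[n++] = SYS_shmat; out[n++] = SYS_shmdt; out[n++] = SYS_shmctl;
#ifdef SYS_fork /* aarch64 has no fork(2) syscall, only clone */
    out[n++] = SYS_fork;
#endif
    out[n++] = SYS_clone;
    return n;
}

/* Emit a classic-BPF program: kill on a foreign architecture (so a 32-bit syscall
 * number cannot alias a 64-bit one), then compare nr against each killed syscall
 * and fall through to ALLOW. Returns the instruction count (at most 4 + 6 + 2). */
static size_t build_filter(struct sock_filter *prog)
{
    int nrs[16];
    size_t n = kill_list(nrs), i = 0;
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++) /* on match, skip the remaining compares and the ALLOW */
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)nrs[k], (uint8_t)(n - k), 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    return i;
}

/* Tiny userspace interpreter for the three opcodes used above, so the program's
 * verdicts can be checked before it is installed (an installed filter cannot be
 * removed from the process). Unknown opcodes fail closed. */
static uint32_t evaluate(const struct sock_filter *prog, size_t len, uint32_t arch, int nr)
{
    struct seccomp_data d = { .nr = nr, .arch = arch };
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS: memcpy(&acc, (const char *)&d + in->k, sizeof acc); break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (acc == in->k) ? in->jt : in->jf; break;
        case BPF_RET | BPF_K: return in->k;
        default: return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Build the filter and report what it would do for a syscall nr on an architecture. */
static uint32_t verdict(uint32_t arch, int nr)
{
    struct sock_filter prog[64];
    return evaluate(prog, build_filter(prog), arch, nr);
}

/* Install the filter in the calling process. no_new_privs is required for an
 * unprivileged caller and also prevents escaping the filter through a setuid exec. */
static int install_filter(void)
{
    struct sock_filter prog[64];
    struct sock_fprog fp = { .len = (unsigned short)build_filter(prog), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp);
}

int main(void)
{
    printf("execve -> %s\n", verdict(ARCH_NR, SYS_execve) == SECCOMP_RET_ALLOW ? "ALLOW" : "KILL");
    printf("clone  -> %s\n", verdict(ARCH_NR, SYS_clone) == SECCOMP_RET_ALLOW ? "ALLOW" : "KILL");
    return install_filter() == 0 ? 0 : 1; /* from here on, clone/shm* would kill the process */
}
```

Two design points worth noting. The filter uses `SECCOMP_RET_KILL_PROCESS` rather than the older `SECCOMP_RET_KILL`, which only kills the offending thread; and it checks `seccomp_data.arch` first, because a kill list keyed on syscall numbers alone means nothing if the caller can switch to a different syscall ABI. As the issue says, a `DEFAULT ALLOW` kill list is only a redundancy on top of nsjail's other limits; an allow list is the stronger shape when the jailed workload is well understood.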
