This repository has been archived by the owner on Feb 24, 2020. It is now read-only.

app-level seccomp isolator #1614

Closed
alban opened this issue Oct 15, 2015 · 22 comments

Comments

@alban
Member

alban commented Oct 15, 2015

It would be nice to have an app-level isolator for filtering syscalls.

It will require a new isolator in the spec: appc/spec#529

Extended BPF should be explored too: https://lwn.net/Articles/603983/

Ideally, systemd could implement a new property "SyscallWhitelist=" in the service unit files and rkt would use that.

@jonboulle
Contributor

/cc @mjg59

@alban
Member Author

alban commented Nov 5, 2015

@iaguis
Member

iaguis commented Nov 5, 2015

😁

@jonboulle jonboulle added this to the v1+ milestone Jan 15, 2016
@jessfraz

I have a whitelist 😇 do you want help?

@alban
Member Author

alban commented Apr 21, 2016

@jfrazelle sure!

One way to easily try your whitelist in rkt is to add the SystemCallFilter= parameter in WritePrepareAppTemplate(), near CapabilityBoundingSet=. That would define per-app seccomp rules.

Since the systemd unit file for the app currently uses the "appexec" helper, you will need to allow the syscalls used by appexec, such as chroot, setresuid, setresgid. Does your whitelist allow that? To disallow the syscalls used by the appexec helper, more changes would be needed (either add more code in appexec for seccomp support, or remove appexec completely via #679).

To define per-pod seccomp rules, we would need either changes in systemd-nspawn's setup_seccomp(), or to add SystemCallFilter= in the systemd service file that starts rkt. At a first glance, starting with per-app seccomp rules seems the easiest option.
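
As an added illustration of the per-app route described in the comment above (example code written for this page, not rkt's own WritePrepareAppTemplate() or appexec code), the Go snippet below renders the SystemCallFilter= lines a unit-file template could emit next to CapabilityBoundingSet=, and checks a candidate whitelist for the chroot/setresuid/setresgid calls the appexec helper is said to need. The function names, the SystemCallArchitectures=native line and the sample whitelist in main() are this example's own assumptions, not anything the thread specifies.

```go
// Added example (not rkt code): rendering a per-app seccomp whitelist as
// systemd [Service] options, as the comment above suggests doing from the
// prepare-app unit template.
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// AppexecSyscalls are the syscalls the thread names as used by the "appexec"
// helper. While appexec is still in the exec chain the whitelist must keep
// them, or the app dies before it reaches its own entrypoint.
var AppexecSyscalls = []string{"chroot", "setresuid", "setresgid"}

// MissingForAppexec reports which appexec syscalls a whitelist lacks, in the
// order of AppexecSyscalls.
func MissingForAppexec(whitelist []string) []string {
	have := make(map[string]bool, len(whitelist))
	for _, s := range whitelist {
		have[s] = true
	}
	var missing []string
	for _, s := range AppexecSyscalls {
		if !have[s] {
			missing = append(missing, s)
		}
	}
	return missing
}

// UnitOptions renders the lines to add to the app's [Service] section. With
// keepAppexec set, the appexec syscalls are merged into the whitelist.
//
// SystemCallFilter= treats a list without a leading "~" as a whitelist, so a
// "~" (inverted list) or "@" (named syscall set) in an entry is rejected here
// to keep the output an explicit whitelist. SystemCallArchitectures=native
// stops the foreign ABI (e.g. i386 syscalls on an x86_64 host) from being
// used around the filter; emitting it alongside is this example's choice.
func UnitOptions(whitelist []string, keepAppexec bool) (string, error) {
	if len(whitelist) == 0 {
		return "", errors.New("empty whitelist would reject every syscall, including execve")
	}
	set := make(map[string]bool, len(whitelist)+len(AppexecSyscalls))
	for _, s := range whitelist {
		s = strings.TrimSpace(s)
		if s == "" || strings.ContainsAny(s, " \t~@") {
			return "", fmt.Errorf("invalid syscall name %q", s)
		}
		set[s] = true
	}
	if keepAppexec {
		for _, s := range AppexecSyscalls {
			set[s] = true
		}
	}
	names := make([]string, 0, len(set))
	for s := range set {
		names = append(names, s)
	}
	sort.Strings(names) // deterministic output for diffing generated units
	return "SystemCallFilter=" + strings.Join(names, " ") + "\n" +
		"SystemCallArchitectures=native\n", nil
}

func main() {
	// Constructed sample whitelist for illustration only; a real app needs a
	// far longer list, which is exactly why a ready-made profile is useful.
	wl := []string{"execve", "read", "write", "exit_group", "brk", "mmap"}
	if missing := MissingForAppexec(wl); len(missing) > 0 {
		fmt.Printf("whitelist lacks appexec syscalls %v; merging them in\n", missing)
	}
	opts, err := UnitOptions(wl, true)
	if err != nil {
		panic(err)
	}
	fmt.Print(opts)
}
```

systemd's default action for a filtered syscall is to kill the caller with SIGSYS, so a whitelist that forgot chroot or setresuid shows up as the app dying during appexec rather than as a readable error; running MissingForAppexec before the unit is written answers the "does your whitelist allow that?" question up front.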

@jonboulle jonboulle modified the milestones: v1.6.0, v1+, v1.5.0 Apr 21, 2016
@alban
Member Author

alban commented Apr 22, 2016

Since the systemd unit file for the app currently uses the "appexec" helper, you will need to allow the syscalls used by appexec, such as chroot, setresuid, setresgid. Does your whitelist allow that? To disallow the syscalls used by the appexec helper, more changes would be needed (either add more code in appexec for seccomp support, or remove appexec completely via #679).

Update on this: @iaguis is working on removing appexec in #2493, so we will not need to write more C code in appexec. Instead, using SystemCallFilter= in WritePrepareAppTemplate() should be enough.

@yifan-gu
Contributor

Ref kubernetes/kubernetes#24602

@s-urbaniak
Contributor

@jfrazelle any update on this? #2493 is merged in 1.5.0 so are you still up for it?

@philips
Contributor

philips commented May 8, 2016

@jfrazelle Ping? If you want to take a swing at this it would be awesome!

@jessfraz

jessfraz commented May 8, 2016

Sorry yes will do :) working on kubes seccomp PR now then this

@philips
Contributor

philips commented May 10, 2016

@jfrazelle sounds great, looking forward to it!

@alban alban modified the milestones: v1.7.0, v1.6.0 May 12, 2016
@jonboulle
Contributor

@jfrazelle do you think you'll have any bandwidth to get to this soon? Otherwise we might start working on it as we'd love to see it in our next release. Thanks!

@jessfraz

ok so sorry, definitely this weekend!

@jessfraz

aaaand no time sorry full time job + life is hard :(

@iaguis
Member

iaguis commented May 25, 2016

Let's try to get it for the next release.

@lucab
Member

lucab commented Jun 1, 2016

Initial WIP draft for appc at appc/spec#620

Current appc/spec proposal at appc/spec#621. Slightly reworked since the initial draft to address some concerns related to groups and defaults, I don't expect the proposed spec to change drastically anymore at this point.

@lucab
Member

lucab commented Jun 8, 2016

rkt PR currently up at #2753. It follows the aggressive path of applying a default whitelist, which can be explicitly opted out of. Still marked as WIP as stage1 seems unhappy about unprivileged pods and seccomp.

@lucab lucab modified the milestones: v1.9.0, v1.8.0 Jun 8, 2016
@lucab
Member

lucab commented Jun 8, 2016

Bumped milestone, appc spec update still pending. Current plan is to solve the unprivileged pods issue and land it with default whitelisting in 1.9.0; fallback plan is to merge support first and switch the default once everything is fine.

@djtm

djtm commented Jun 12, 2016

Would be great if the docker seccomp profile files could be reused.

@lucab lucab changed the title from "app-level seccomp isolator, whitelist of syscalls" to "app-level seccomp isolator" Jun 21, 2016
@lucab
Member

lucab commented Jun 22, 2016

@djtm yes, it will expose (among others) a docker-like profile. Feel free to take a look at #2753.

@lucab lucab removed this from the v1.9.0 milestone Jun 22, 2016
@djtm

djtm commented Jun 23, 2016

Great! Looks like it would even work with the kvm stage 1.

@lucab
Member

lucab commented Aug 3, 2016

Closed via #2753.

9 participants