BPF LSM Meta Tracker #795
To secure file operations with BPF LSM we need to expand on the hooks we use. I found this https://stackoverflow.com/a/33078711 but will have to experiment and check. Or should we just enforce rules using PATH hooks and mark it a requirement for full enforcement?
So as I understand: Btw, taking a step back, is it possible to block unlink/file create access using seccomp-bpf? If it is possible then we can think of an alt strategy.
Right
Makes sense. I will look into it and try to execute things.
I was under the assumption that we can only have seccomp filters per container but not entity-specific inside the container? Like we have the capability list, we have a syscall list as the seccomp profile. That would mean we will enforce create/unlink per container, not based on directories inside the container. Is it not the case 🤔
Inode hooks should work fine. Parking the implementation and further research for later.
We introduced BPF LSM enforcement in v0.5, which has an initial implementation that has bugs and lacks some features. This issue thread is a tracker for all these pending work items and bug reports.