Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.Sign up
Change seccomp blacklist to a whitelist #18979
Dec 29, 2015
I was wondering why we weren't using a whitelist instead. The whitelist makes more sense to me for one main reason: default action is secure (http://stackoverflow.com/a/504424/486035).
Ok I have tested this extensively: tested that individual syscalls are being correctly filtered, used it as my default docker install and built stuff (eg docker/docker, Linux kernel compile), double checked the syscall list for 32 bits, arm, powerpc. So LGTM.
For reference easiest way to check individual syscalls being filtered is:
Thanks I can add those as integration tests :) and I'm working on all new docs with the old comments as well
On Dec 30, 2015, 06:59 -0800, Justin Cormacknotifications@github.com, wrote:
referenced this pull request
Jan 3, 2016
Looking good after more testing.