Allow killing process rather than thread with seccomp #11967
Comments
It may be reasonable to switch to
Looking at this, one workaround is to set I'm also not sure that cc @poettering
We really should never use SCMP_ACT_KILL at all. Sounds like a historic mistake, and we should just change that. Killing individual threads is never OK, it should always be the full thing. I think it would be great if we could have a new option SystemCallFilterLog= or so which takes a boolean and allows logging of the syscalls independently of denying/allowing them.
hmm, on my system SCMP_ACT_KILL_PROCESS doesn't exist yet, unfortunately :-( Kernel support was added in 0466bdb99e8744bc9befa8d62a317f0fd7fd7421 (Aug 2017), but my libseccomp version still doesn't have it (f29)... I figure we should change our logic to pick SCMP_ACT_KILL_PROCESS dynamically if libseccomp and kernel support it, and otherwise continue to use SCMP_ACT_KILL even if it sucks for threaded apps...
Commit adding support for It's not in any released version yet.
Hmm, I guess we have to wait until they release a version...
Good point, I asked for a release: seccomp/libseccomp#145
Moving to v243 milestone, since libseccomp doesn't expose this yet.
If we have it, use it. It makes a ton more sense. Fixes: systemd#11967
Fix waiting in #12430 |
Killing threads is often not the safest option. See also:
* polachok/seccomp-sys#9
* systemd/systemd#11967
* systemd/systemd#12430
Is your feature request related to a problem? Please describe.
I'm frustrated when programs make syscalls they should not. I've tried using SystemCallFilter with a Go program and seccomp killed a thread silently, blackholing some part of the program, but otherwise keeping it running: golang/go#30753.

Describe the solution you'd like
I want to be able to kill the whole process rather than the thread. Currently SCMP_ACT_KILL is used: systemd/src/core/execute.c, line 1441 in 4cea310. Seccomp also allows SCMP_ACT_KILL_PROCESS. It seems like SCMP_ACT_TRAP and SCMP_ACT_LOG may be useful as well.
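The thread-versus-process distinction discussed in this issue, as an added example that is not systemd's code and not part of the issue. systemd goes through libseccomp (SCMP_ACT_KILL / SCMP_ACT_KILL_PROCESS); this example instead uses the raw seccomp(2) interface and the kernel's equivalent return values (SECCOMP_RET_KILL_THREAD / SECCOMP_RET_KILL_PROCESS) so that it needs only Linux headers. It does what the thread proposes: ask the kernel whether SECCOMP_RET_KILL_PROCESS is available and prefer it, falling back to the per-thread kill otherwise. The denied syscall (getppid), the helper names (pick_kill_action, build_deny_one_filter, install_filter) and the demo layout are this example's own choices.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Older kernel headers may lack these; the values are stable kernel UAPI. */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#ifndef SECCOMP_RET_KILL_THREAD
#define SECCOMP_RET_KILL_THREAD 0x00000000U
#endif
#ifndef SECCOMP_SET_MODE_FILTER
#define SECCOMP_SET_MODE_FILTER 1
#endif
#ifndef SECCOMP_GET_ACTION_AVAIL
#define SECCOMP_GET_ACTION_AVAIL 2
#endif

/* Syscall numbers are per architecture, so the filter pins the arch first. */
#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define THIS_ARCH AUDIT_ARCH_I386
#else
#define THIS_ARCH 0 /* unknown platform: install_filter() refuses to run */
#endif

/* Ask the kernel whether it implements a given seccomp return action.
 * SECCOMP_GET_ACTION_AVAIL exists since Linux 4.14; on older kernels the call
 * fails (EINVAL), which we treat as "not available". */
static int kernel_has_action(uint32_t action)
{
    return syscall(SYS_seccomp, SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0;
}

/* Policy decision kept separate from the kernel query so it is testable:
 * prefer killing the whole process, fall back to killing only the thread. */
uint32_t pick_kill_action(int kill_process_available)
{
    return kill_process_available ? SECCOMP_RET_KILL_PROCESS : SECCOMP_RET_KILL_THREAD;
}

/* Build a filter applying `action` to one syscall number (and to any foreign
 * arch) while allowing everything else. Returns instructions written, 0 on error. */
size_t build_deny_one_filter(struct sock_filter *prog, size_t cap,
                             uint32_t arch, int nr, uint32_t action)
{
    const struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, arch, 1, 0), /* arch ok -> skip kill */
        BPF_STMT(BPF_RET | BPF_K, action),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)nr, 0, 1), /* match -> kill */
        BPF_STMT(BPF_RET | BPF_K, action),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    size_t n = sizeof(insns) / sizeof(insns[0]);
    if (cap < n) return 0;
    memcpy(prog, insns, sizeof(insns));
    return n;
}

static int install_filter(uint32_t action)
{
    struct sock_filter insns[16];
    size_t n = build_deny_one_filter(insns, 16, THIS_ARCH, SYS_getppid, action);
    if (n == 0 || THIS_ARCH == 0) return -1;
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    /* Required for an unprivileged process to install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog);
}

/* The worker makes the denied syscall; the filter fires in this thread. */
static void *worker(void *arg)
{
    (void)arg;
    syscall(SYS_getppid);
    puts("worker: still alive (unexpected)");
    return NULL;
}

/* Demo: by default use the kernel-preferred action; pass "thread" to force the
 * per-thread kill. Under KILL_THREAD the worker vanishes and main keeps going
 * (the "blackholed" state from the Go report); under KILL_PROCESS the last line
 * never prints because the whole process dies with SIGSYS. */
int main(int argc, char **argv)
{
    int force_thread = argc > 1 && strcmp(argv[1], "thread") == 0;
    uint32_t action = force_thread ? SECCOMP_RET_KILL_THREAD
                    : pick_kill_action(kernel_has_action(SECCOMP_RET_KILL_PROCESS));
    printf("using %s\n", action == SECCOMP_RET_KILL_PROCESS
                         ? "SECCOMP_RET_KILL_PROCESS" : "SECCOMP_RET_KILL_THREAD");
    fflush(stdout); /* do not lose the line if SIGSYS kills us below */
    if (install_filter(action) != 0) { perror("seccomp"); return 1; }
    pthread_t t;
    if (pthread_create(&t, NULL, worker, NULL) != 0) { perror("pthread_create"); return 1; }
    pthread_join(t, NULL);
    puts("main: worker gone, process still running"); /* only under KILL_THREAD */
    return 0;
}
```

Build with `cc -pthread` and run it twice, once plain and once with the argument `thread`, to see the two outcomes side by side. The runtime query is what the issue asks systemd to do in spirit: libseccomp's SCMP_ACT_KILL_PROCESS maps to the same kernel value, so a build that checks both the library and the kernel can prefer it and only degrade to SCMP_ACT_KILL where it must.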