Support SCMP_ACT_LOG to log SystemCallFilter violations #16422

Closed
mika opened this issue Jul 10, 2020 · 1 comment · Fixed by #16675
Labels
pid1 RFE 🎁 Request for Enhancement, i.e. a feature request

Comments

mika (Contributor) commented Jul 10, 2020

Is your feature request related to a problem? Please describe.

SystemCallFilter is a great feature for service hardening. But it's hard to establish new SystemCallFilter rules, especially when you're neither the author of the service nor very familiar with its internals.

So it would be great if systemd supported SCMP_ACT_LOG, to be able to set up (new/additional) SystemCallFilter rules without resulting in either immediate process termination or returning errors (like EPERM, EACCES or EUCLEAN). Instead, by logging the offending syscall, it could be investigated at a later date and without causing any (unexpected) issues with the service.

Describe the solution you'd like

This was also brought up on the systemd-devel mailing list by @pebenito (see the thread "Seccomp allow/log action" at https://lists.freedesktop.org/archives/systemd-devel/2020-July/044844.html), and I like @topimiettinen's suggestion (see https://lists.freedesktop.org/archives/systemd-devel/2020-July/044845.html), which I'm quoting here:

I think it would be more flexible to extend the error code return per
system call, like
SystemCallFilter=gettimeofday:LOG

For global error action, I'd propose SystemCallErrorNumber= to be
superseded by more generic

SystemCallErrorAction= KILL | LOG | errno code

Describe alternatives you've considered

I noticed that https://github.com/cloudflare/sandbox seems to be related to this (which was mentioned in https://blog.cloudflare.com/sandboxing-in-linux-with-zero-lines-of-code/).

Thanks for systemd and consideration!
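As an added example (not from the issue and not systemd's own documentation), this is how the per-syscall action from the commit referenced later in this thread would be used to stage a new filter: a drop-in for a hypothetical foo.service that denylists the @privileged group with the "log" action, so violations are recorded by the kernel audit subsystem instead of killing the service or returning an errno. The `~` denylist prefix, the `@privileged` group, the drop-in path and the staged EPERM line are systemd conventions not shown on this page; the lowercase `log` spelling follows the commit message in this thread rather than the uppercase `LOG` in the quoted proposal.

```ini
# Added example, not from the issue or from systemd. Drop-in for a placeholder
# service "foo", e.g. /etc/systemd/system/foo.service.d/seccomp-log.conf.
[Service]
# "~" turns the list into a denylist. With the per-syscall "log" action the
# calls in @privileged are still allowed, but each hit produces a SECCOMP
# audit record instead of terminating the process (the SCMP_ACT_LOG behaviour
# this issue asks for). The @privileged group name is assumed from systemd's
# documented syscall groups.
SystemCallFilter=~@privileged:log

# Staged follow-up (kept commented out while observing): once the log has
# stayed quiet through normal service operation, replace the action with an
# errno or "kill" to actually enforce the rule.
#SystemCallFilter=~@privileged:EPERM
```

After `systemctl daemon-reload` and a restart of the service, the hits appear as SECCOMP audit records (type=1326, carrying the `syscall=` number and `comm=` of the process) in the audit log, or in the kernel log (`journalctl -k | grep SECCOMP`) when auditd is not running. The log action needs a kernel with SECCOMP_RET_LOG (4.14 or newer) and libseccomp 2.4 or newer, and "log" must be listed in the `kernel.seccomp.actions_logged` sysctl, which it is by default. The observe-then-enforce split is the point: the denylist is authored and loaded once, and only the action suffix changes when the rule is promoted.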

@poettering poettering added pid1 RFE 🎁 Request for Enhancement, i.e. a feature request labels Jul 10, 2020
topimiettinen added a commit to topimiettinen/systemd that referenced this issue Aug 5, 2020
In addition to errno code, allow specifying "kill" or "log" as action for
SystemCallFilter=.

Closes systemd#16422.
mika (Contributor, Author) commented Sep 17, 2020

This is fantastic, thanks! \o/
