[PATCH RFC 0/4] Seccomp-assisted syscall filtering
Paul Chaignon
paul.chaignon at gmail.com
Sun Jul 14 09:35:09 UTC 2019
On Sat, Jul 13, 2019 at 12:22:00PM +0200, Paul Chaignon wrote:
> This patchset introduces syscall filtering in the kernel using
> seccomp-bpf. The first patch exports the trace_set set required to build
> the BPF filtering program. The second patch implements the main logic to
> reduce the number of tracer stops. The third let's strace skip the
> seccomp-bpf setup when there aren't any syscalls to filter. The last
> patch adds tests.
>
> Seccomp filtering is only enabled with the -n option. The BPF program
> implements a simple linear match of syscalls which can be improved in the
> future without impacting user-observable behavior.
>
> I am sending this as an RFC for several reasons. First, I'd like to bring
> attention to several design decisions:
> - When using the -n option, the state (enabled/disabled) of seccomp
> filtering is printed at startup. Is that okay?
> - -n currently required -f. Should -n imply -f instead?
> Second, I would like to add more tests for the BPF program, but I am not
> quite sure how to proceed. In particular, I would like to add a test with
> a large (largest?) number of filtered syscalls.
One thing I forgot: if the long term goal is to have seccomp filtering
enabled by default, we may want to be careful with the -n option. We will
likely want an option to disable seccomp filtering when that time comes.
Changing the behavior of -n to "disable seccomp filtering" is probably not
a good idea, so maybe -n should take a value {enable,disable}, with only
"enable" having an effect for now. Or we could add that value when
seccomp filtering becomes the default with -n remaining an alias for
"-n enable". What do you think?
Paul
More information about the Strace-devel
mailing list