
Re: seccomp jailing for applications (was: recommends for apparmor in newest linux-image-4.13)



On Fri, Dec 01, 2017 at 12:35:06AM +0000, Colin Watson wrote:
> (Hmm, though maybe a reasonable stopgap would be to copy the relevant
> syscall lists from systemd's code.  That would leave me updating things
> manually from time to time, which isn't great, but it would probably
> still be better than maintaining my own list!  I think I'll do this.)

That was indeed a worthwhile exercise.  I'm now down to five sets taken
verbatim from systemd, which are long but I can just update them
wholesale from time to time; three sets from systemd from which I've
extracted subsets, e.g. a read-only subset of file system operations;
and nine additional syscalls, some of which I still need to review and
possibly either restrict by arguments or drop.  Those are much more
tolerable numbers than a monolithic block of over a hundred syscalls.

The exercise caused me to notice several syscalls I'd missed, and some
that I'd included inappropriately.  It's still a lot of lines of code,
but should be much easier to maintain, and would probably also make it
easier to switch to a syscall-set-confining library if such a thing
exists in the future.

(Side note: this strategy works partly because man-db is under a licence
that the relevant file in systemd can be converted to using LGPL2.1
section 3.  If that weren't the case then it would at the very least be
much less obvious that this is a permissible thing to do.)

-- 
Colin Watson                                       [cjwatson@debian.org]
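As an added illustration (not code from man-db or systemd), here is what the composition described above can look like in C: a few named syscall sets in the style of systemd's groups, a read-only subset extracted from one of them, a union into a single allowlist, and the classic-BPF seccomp filter that permits exactly that list and fails everything else with EPERM. The set contents and ARCH_NR are constructed assumptions, not copies of any project's lists.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#define ARCH_NR AUDIT_ARCH_X86_64 /* assumption: x86_64; use e.g. AUDIT_ARCH_AARCH64 elsewhere */
#define MAX_ALLOWED 64            /* jump offsets below are 8-bit, so keep this well under 255 */

/* Named sets in the style of systemd's @-groups; contents are constructed, not copied. */
static const int set_basic_io[] = { SYS_read, SYS_write, SYS_close };
static const int set_file_system[] = { SYS_openat, SYS_getcwd, SYS_mkdirat, SYS_unlinkat };
/* Read-only subset of set_file_system (openat still needs its flags checked to be truly read-only). */
static const int set_file_system_ro[] = { SYS_openat, SYS_getcwd };
static const int extra[] = { SYS_exit_group };

/* Union the chosen sets into one de-duplicated allowlist; returns its length. */
size_t compose_allowlist(const int *const sets[], const size_t lens[], size_t nsets, int *out) {
    size_t n = 0;
    for (size_t s = 0; s < nsets; s++)
        for (size_t i = 0; i < lens[s]; i++) {
            size_t j = 0;
            while (j < n && out[j] != sets[s][i]) j++;  /* skip syscalls already present */
            if (j == n && n < MAX_ALLOWED) out[n++] = sets[s][i];
        }
    return n;
}

/* Classic BPF: kill on wrong arch, load nr, one JEQ per allowed syscall jumping to ALLOW, else EPERM. */
size_t build_filter(const int *allowed, size_t n, struct sock_filter *prog, size_t cap) {
    size_t i = 0;
    if (n > MAX_ALLOWED || cap < n + 6) return 0;  /* returns 0 when the buffer is too small */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++) /* jt = distance from the next instruction to the final ALLOW */
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed[k], (unsigned char)(n - k), 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}
/* Install the filter for the calling process; no_new_privs is required when unprivileged. */
int install_filter(struct sock_filter *prog, size_t len) {
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
```

Once installed, a call such as mkdirat (in set_file_system but not in the read-only subset) returns EPERM instead of creating the directory, while the listed syscalls proceed normally.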