Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Seccomp: Improve syscall allow-listing / deny-listing Process #1008

Closed
dhrgit opened this issue Mar 13, 2019 · 1 comment
Closed

Seccomp: Improve syscall allow-listing / deny-listing Process #1008

dhrgit opened this issue Mar 13, 2019 · 1 comment
Assignees
@raduiliescu @alindima
Labels
Priority: Medium Indicates than an issue or pull request should be resolved ahead of issues or pull requests labelled

Comments

@dhrgit
Copy link
Contributor

dhrgit commented Mar 13, 2019

Our current syscall whitelisting process doesn't guarantee that all legit syscalls make it past the seccomp filter. We need to devise a model that can guarantee any seccomp infringement is caught, at latest, during our testing phase.
@dhrgit dhrgit added Type: Bug Indicates an unexpected problem or unintended behavior Security: Hardening Priority: High Indicates than an issue or pull request should be resolved ahead of issues or pull requests labelled labels Mar 13, 2019
@raduweiss raduweiss changed the title Seccomp: syscall whitelisting process not exhaustive Seccomp: Improve syscall Whitelisting / Blacklisting Process Apr 22, 2019
@raduweiss raduweiss added Priority: Medium Indicates than an issue or pull request should be resolved ahead of issues or pull requests labelled and removed Priority: Medium Indicates than an issue or pull request should be resolved ahead of issues or pull requests labelled labels Apr 22, 2019
@dhrgit dhrgit self-assigned this May 13, 2019
This was referenced Jul 14, 2019
Closed
Closed
@raduweiss raduweiss assigned raduiliescu and unassigned dhrgit Sep 20, 2020
@AlexandruCihodaru AlexandruCihodaru changed the title Seccomp: Improve syscall Whitelisting / Blacklisting Process Seccomp: Improve syscall allow-listing / deny-listing Process Mar 31, 2021
@serban300 serban300 added Priority: Medium Indicates than an issue or pull request should be resolved ahead of issues or pull requests labelled and removed Priority: High Indicates than an issue or pull request should be resolved ahead of issues or pull requests labelled Type: Bug Indicates an unexpected problem or unintended behavior labels Apr 28, 2021
@alindima
Copy link
Contributor

This issue was aiming at using static analysis for devising the seccomp allowlist.
If we did this for the Firecracker binary, that statically links musl, we'll get a huge number of syscalls, some of them being unreachable from normally-functioning Firecracker, essentially making seccomp filters useless.

Also, simulating every type of customer workload in the CI is not feasible.

Closing this issue for the above reasons.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@raduiliescu raduiliescu

@alindima alindima

Labels
Priority: Medium Indicates than an issue or pull request should be resolved ahead of issues or pull requests labelled
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@raduiliescu @alindima @serban300 @raduweiss @dhrgit