-
Notifications
You must be signed in to change notification settings - Fork 173
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFE: tool to precompile filters #342
Comments
I've been thinking about this for a while now, it just hasn't percolated up the priority ladder: I'm not sure we want to go quite as far as what you've described, e.g. design a new DSL, as I believe that is a bit beyond the scope of the core libseccomp library. However, I do think it would be reasonable to add support for exporting a libseccomp filter into a C header file that would contain the BPF as well as the necessary NNP and other calls to load/instantiate the filter at runtime. Applications which wanted to make use of this could simply transfer their existing libseccomp calls into a separate tool which is built/executed at build time and the resulting header file included in the main application. If we eventually decide that we do want to go the full blown language route we can do that later, the header file generation would be a first step regardless. |
Also, do we want to consolidate this issue with #15? |
I certainly understand the concern about scope creep. I'm happy to take it one step at a time. I'll start with the C header generation in #15. I did a quick search before but didn't find that one, so thanks for the link. up to you whether you want to close this issue now, or leave it open for a bit in case anyone shows up with their thoughts. not that reopening is hard to do. |
This issue has arisen a few times within Oracle as well. Most recently a team that frequently creates/deletes containers expressed interest in the ability to build a filter once up front rather than each time a container is created. They experimented with exporting BPF and trying to pass that around, but it felt fragile. I'm open to a variety of solutions, but perhaps starting small(er) would be best. |
one downside to libseccomp is that you have to link it into every project that wants to use it, and then generate the bpf program on the fly before it can be loaded. this is useful in some scenarios (where the filter needs are dynamic), but a common situation (in my experience in Chrome OS) is that the filter is always the same on every run. it would be nice if we could compile the filter at build time and have the runtime just load the program into the kernel and not have any libseccomp dependency at runtime at all.
i've actually built a limited proof of concept in Gentoo's pax-utils. i'll link to them here, but it's more as an FYI rather than an immediate discussion point, so please don't look too hard at them.
now i'm wondering if we can generalize this in libseccomp itself. while eBPF has the luxury of an LLVM backend, plain BPF does not. so i think we'd have to:
prctl()
to load itWDYT ? is this something we can do as part of libseccomp ?
The text was updated successfully, but these errors were encountered: