December last year I announced I wanted to add seccomp filter support to upstart, and since then some things got in the way, but here is my current code. These patches still have RFC status as I expect some remarks anyway, and at the moment I don't have test-cases readily available. Nevertheless I'd like to know if I'm on the right track.
These patches add a new dependency on "gperf", which is used to create lookup tables for errnos and syscalls. Other than that there are no new dependencies.

Part 2 and 3 add the seccomp-filter creation code itself, which is based on the same code as my guardian "seccomp wrapper" at https://gitorious.org/guardian/guardian

As agreed earlier, the seccomp-filter syntax is defined as:

    seccomp_filter : "seccomp-filter" WS [ '~' ] seccomp_rules;
    seccomp_rules  : seccomp_rule ( WS seccomp_rule )*;
    seccomp_rule   : systemcall ( ':' policy )?;
    policy         : "allow"
                   | "errno" ( '(' errno ')' )?
                   | "kill"
                   | "trace"
                   | "trap" ( '(' errno ')' )?
                   ;
    WS             : ' ' | '\t' | '\n';

The default policy is "allow explicitly listed syscalls as default policy, and use the kill policy for anything not explicitly listed". That is, unless the set of rules is preceded with "~", which reverts this policy, just like Systemd does ("deny explicitly listed syscalls as default policy, allow anything not explicitly listed").

E.g.:

    seccomp-filter write

...for "echo hello world".

or:

    seccomp-filter getrlimit:allow setrlimit:errno(EACCES)

...for a fictional program that is allowed to call getrlimit, but calls to setrlimit are simply ignored and errno is set to EACCES.

or:

    seccomp-filter ~setuid socket

...to prevent the usage of setuid and socket

Kind regards,
David Gaarenstroom

-- 
upstart-devel mailing list
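The following parser is an added example, not part of the proposal above or of the upstart patches, and only models the stanza syntax and its default-policy semantics (it does not build a BPF program). It assumes two things the proposal leaves open: a bare "errno" or "trap" without an argument falls back to EPERM, and the inverted "deny" default is the same "kill" action used for unlisted syscalls in the normal mode. Function names such as parse_seccomp_filter and decide are the example's own.

```python
import errno
import re

# Policies from the proposed grammar; only "errno" and "trap" take an optional errno name.
POLICIES = ("allow", "errno", "kill", "trace", "trap")
TAKES_ERRNO = ("errno", "trap")

# Assumption: the proposal gives no default for a bare "errno"/"trap"; EPERM is used here.
DEFAULT_ERRNO = "EPERM"

# seccomp_rule : systemcall ( ':' policy )?  where policy may carry '(' errno ')'
_RULE_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)(?::([a-z]+)(?:\((\w+)\))?)?$")


def parse_rule(token, listed_default):
    """Parse one 'syscall[:policy[(ERRNO)]]' token into (syscall, policy, errno_name)."""
    m = _RULE_RE.match(token)
    if not m:
        raise ValueError("malformed rule: %r" % token)
    syscall, policy, err = m.groups()
    if policy is None:                       # no explicit policy: use the mode's default
        return syscall, listed_default, None
    if policy not in POLICIES:
        raise ValueError("unknown policy %r in %r" % (policy, token))
    if policy not in TAKES_ERRNO:
        if err is not None:
            raise ValueError("policy %r takes no errno argument: %r" % (policy, token))
        return syscall, policy, None
    err = err or DEFAULT_ERRNO
    if not hasattr(errno, err):              # reject names that are not real errno constants
        raise ValueError("unknown errno %r in %r" % (err, token))
    return syscall, policy, err


def parse_seccomp_filter(stanza):
    """Parse a whole 'seccomp-filter ...' stanza.

    Returns {"unlisted": policy, "rules": {syscall: (policy, errno_name)}}.
    Without '~': listed syscalls default to "allow", anything else is killed.
    With '~': the defaults are swapped; listed syscalls are killed (assumed to be
    what the proposal calls "deny") and anything else is allowed.
    """
    tokens = stanza.split()                  # WS : ' ' | '\t' | '\n'
    if not tokens or tokens[0] != "seccomp-filter":
        raise ValueError("stanza must start with 'seccomp-filter'")
    body = tokens[1:]
    if not body:
        raise ValueError("at least one rule is required")
    inverted = body[0].startswith("~")
    if inverted:
        body[0] = body[0][1:]                # '~' sits directly in front of the first rule
        if not body[0]:
            raise ValueError("'~' must be followed by a rule")
    listed_default, unlisted = ("kill", "allow") if inverted else ("allow", "kill")
    rules = {}
    for tok in body:
        syscall, policy, err = parse_rule(tok, listed_default)
        if syscall in rules:
            raise ValueError("syscall %r listed twice" % syscall)
        rules[syscall] = (policy, err)
    return {"unlisted": unlisted, "rules": rules}


def decide(filt, syscall):
    """Return the (policy, errno_name) the parsed filter applies to one syscall name."""
    return filt["rules"].get(syscall, (filt["unlisted"], None))


def is_valid_stanza(stanza):
    """True if the stanza parses, False if it violates the grammar or names unknown values."""
    try:
        parse_seccomp_filter(stanza)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # The three stanzas from the proposal, printed with the policy applied to a few syscalls.
    for stanza in ("seccomp-filter write",
                   "seccomp-filter getrlimit:allow setrlimit:errno(EACCES)",
                   "seccomp-filter ~setuid socket"):
        f = parse_seccomp_filter(stanza)
        for sc in ("write", "setrlimit", "setuid", "execve"):
            print("%-55s %-10s -> %s" % (stanza, sc, decide(f, sc)))
```

The regular expression is deliberately strict: a rule token either has no ':' at all or has exactly one policy name with at most one parenthesised argument, so a typo such as "write:alow" or an argument on "allow" is rejected at job-file parse time rather than silently producing a filter that kills the process on its first write.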
