Allow for seccomp blacklist rather than whitelisting
Bug #1615773 reported by Stéphane Graber
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
snapd | Triaged | Wishlist | Unassigned |
Bug Description
LXD, LXC and quite probably Docker would benefit from the ability to define a syscall blacklist rather than a whitelist.
This would be to block known harmful syscalls but still allow EVERYTHING else, including syscalls which are not yet known to snappy or seccomp.
This would be done as a blacklist BPF filter and NOT as a whitelist of all other syscalls, which wouldn't work as it would only ever cover things that were known at the time seccomp or snappy were built and so would block anything newer.
tags: added: lxd
Changed in snappy:
status: New → Triaged
affects: snappy → snapd
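The description above argues that a deny-list filter keeps working for syscalls that did not exist when the filter was written, while an allow-list silently blocks them. The C program below is an added example, not code from snapd, snap-confine, LXD or the bug reporter: it builds both kinds of filter as classic BPF in the layout the kernel's seccomp mode 2 consumes, then evaluates them with a small interpreter of its own so the behaviour can be observed without installing anything. The kernel constants are redefined from their Linux header values so the file compiles anywhere, the syscall numbers are x86-64 (read 0, write 1, exit 60, ptrace 101, kexec_load 246), and 9999 is a constructed stand-in for a syscall the lists predate.

```c
/* Added example, not snapd/LXD/LXC code: build a seccomp deny-list and an
 * allow-list as classic BPF and evaluate both with a tiny interpreter, to
 * show that only the deny-list keeps working for syscalls that did not exist
 * when the filter was written.  Constants mirror the Linux ABI
 * (<linux/filter.h>, <linux/seccomp.h>, <linux/audit.h>) but are redefined so
 * this compiles anywhere; nothing here installs a filter. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BPF_LD_W_ABS 0x20u   /* A = *(u32 *)(seccomp_data + k) */
#define BPF_JEQ_K    0x15u   /* pc += (A == k) ? jt : jf       */
#define BPF_RET_K    0x06u   /* return k                       */

#define SECCOMP_RET_KILL_PROCESS 0x80000000u
#define SECCOMP_RET_ERRNO        0x00050000u /* errno in the low 16 bits */
#define SECCOMP_RET_ALLOW        0x7fff0000u

#define AUDIT_ARCH_X86_64 0xc000003eu
#define AUDIT_ARCH_I386   0x40000003u

struct sock_filter  { uint16_t code; uint8_t jt, jf; uint32_t k; };
struct seccomp_data { int nr; uint32_t arch; uint64_t ip; uint64_t args[6]; };

#define MAX_INSNS 64
struct filter { struct sock_filter insns[MAX_INSNS]; size_t len; };

static void emit(struct filter *f, uint16_t code, uint8_t jt, uint8_t jf, uint32_t k) {
    if (f->len < MAX_INSNS)
        f->insns[f->len++] = (struct sock_filter){ code, jt, jf, k };
}

/* Prologue shared by both filters: kill on any other ABI, then load nr.
 * Without the arch check either list is bypassed by entering the kernel
 * through a convention whose syscall numbers differ (i386/x32 on x86-64). */
static void emit_prologue(struct filter *f, uint32_t arch) {
    emit(f, BPF_LD_W_ABS, 0, 0, offsetof(struct seccomp_data, arch));
    emit(f, BPF_JEQ_K, 1, 0, arch);                  /* match: skip the kill */
    emit(f, BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS);
    emit(f, BPF_LD_W_ABS, 0, 0, offsetof(struct seccomp_data, nr));
}

/* Deny-list: listed syscalls fail with EPERM; everything else is allowed,
 * including numbers the author had never seen. */
static struct filter build_denylist(uint32_t arch, const int *nrs, size_t n) {
    struct filter f = { .len = 0 };
    emit_prologue(&f, arch);
    for (size_t i = 0; i < n; i++) {
        emit(&f, BPF_JEQ_K, 0, 1, (uint32_t)nrs[i]);
        emit(&f, BPF_RET_K, 0, 0, SECCOMP_RET_ERRNO | EPERM);
    }
    emit(&f, BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW);
    return f;
}

/* Allow-list: only listed syscalls pass; the default kills, so a syscall
 * added to the kernel after the list was written is blocked as well. */
static struct filter build_allowlist(uint32_t arch, const int *nrs, size_t n) {
    struct filter f = { .len = 0 };
    emit_prologue(&f, arch);
    for (size_t i = 0; i < n; i++) {
        emit(&f, BPF_JEQ_K, 0, 1, (uint32_t)nrs[i]);
        emit(&f, BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW);
    }
    emit(&f, BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS);
    return f;
}

/* Interpreter for the three opcodes used above (own code, not the kernel's);
 * returns the SECCOMP_RET_* value the kernel would act on.  Only nr and
 * arch are ever loaded, so the load case distinguishes just those two. */
static uint32_t run_filter(const struct filter *f, const struct seccomp_data *d) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < f->len; pc++) {
        const struct sock_filter *in = &f->insns[pc];
        if (in->code == BPF_LD_W_ABS)
            acc = (in->k == offsetof(struct seccomp_data, nr)) ? (uint32_t)d->nr : d->arch;
        else if (in->code == BPF_JEQ_K)
            pc += (acc == in->k) ? in->jt : in->jf;
        else if (in->code == BPF_RET_K)
            return in->k;
    }
    return SECCOMP_RET_KILL_PROCESS; /* kernel rejects programs lacking a final return */
}

/* Constructed sample lists, x86-64 numbers: ptrace=101, kexec_load=246;
 * read=0, write=1, exit=60.  9999 stands in for a syscall the lists predate. */
static const int dangerous_nrs[] = { 101, 246 };
static const int baseline_nrs[]  = { 0, 1, 60 };

uint32_t denylist_action(uint32_t arch, int nr) {
    struct filter f = build_denylist(AUDIT_ARCH_X86_64, dangerous_nrs, 2);
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return run_filter(&f, &d);
}

uint32_t allowlist_action(uint32_t arch, int nr) {
    struct filter f = build_allowlist(AUDIT_ARCH_X86_64, baseline_nrs, 3);
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return run_filter(&f, &d);
}

int main(void) {
    const int probes[] = { 0, 101, 9999 };
    for (size_t i = 0; i < 3; i++)
        printf("nr %4d: deny-list 0x%08x  allow-list 0x%08x\n", probes[i],
               (unsigned)denylist_action(AUDIT_ARCH_X86_64, probes[i]),
               (unsigned)allowlist_action(AUDIT_ARCH_X86_64, probes[i]));
    printf("i386 write under the deny-list: 0x%08x (killed by the arch check)\n",
           (unsigned)denylist_action(AUDIT_ARCH_I386, 1));
    return 0;
}
```

To install a filter built this way for real, a process sets `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` and then loads the `sock_filter` array through `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)` or `seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog)`. Two caveats worth keeping in mind when choosing the deny-list design the bug asks for: the arch check in the prologue is not optional, since syscall numbers are per-ABI and a deny-list that omits it can be sidestepped by a different calling convention; and a deny-list only ever names numbers it knows, so a later kernel syscall that offers the same capability as a blocked one (a new variant of an existing call) is allowed until the list is updated. That is the trade the description accepts: forward compatibility for unknown syscalls in exchange for coverage that has to be maintained.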
I think this is doable with a few tweaks to snap-confine and snapd. Please ack the design with jdstrand and niemayer and I can implement this.