Conversation

Notices

1. Embed this notice
   Jan Schaumann (jschauma@mstdn.social)'s status on Thursday, 06-Jun-2024 14:31:43 JST Jan Schaumann

   Very clever engineers:
   "We use seccomp to restrict the syscalls processes running in docker can make. Security first!"

   Also very clever engineers:
   *adds "seccomp(2)" and "prctl(2)" to list of allowed syscalls*

   • Haelwenn /элвэн/ :triskell: likes this.
   • Embed this notice
     Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 06-Jun-2024 14:40:52 JST Haelwenn /элвэн/ :triskell:

     in reply to

     @jschauma Shouldn't further seccomp(2) calls be more restrictive though?

     At least that's how I read this paragraph in seccomp(2):

     If prctl(2) or seccomp() is allowed by the attached filter,
     further filters may be added. This will increase evaluation
     time, but allows for further reduction of the attack surface
     during execution of a thread.

   • Embed this notice
     Jan Schaumann (jschauma@mstdn.social)'s status on Thursday, 06-Jun-2024 22:59:44 JST Jan Schaumann

     in reply to

     • Haelwenn /элвэн/ :triskell:

     @lanodan That seems to be the intent, but it's not clear to me what happens if a "further filter" conflicts with the existing filter. I.e., original filter denies syscallX, but the new filter explicitly allows syscallX.

     Haelwenn /элвэн/ :triskell: likes this.