18–20 Sept 2024
Europe/Vienna timezone

seccomp filtering for struct pointers

19 Sept 2024, 16:10
20m
"Room 1.15 - 1.16" (Austria Center)

Containers and checkpoint/restore MC

Speaker

Aleksa Sarai (SUSE LLC)

Description

With the introduction of extensible-struct syscalls such as openat2 and clone3, seccomp's inability to usefully filter syscalls whose arguments are pointers makes it harder for programs to adopt newer kernel features: a classic-BPF filter sees only the pointer value, never the structure it points to, so both default container profiles and self-hardening profiles can only allow or refuse such a syscall wholesale. The inability of systemd and other system utilities to use RESOLVE_IN_ROOT and related openat2 features is a particular issue.

This talk will describe a proposal for a seccomp extension that allows extensible-struct syscalls to be filtered on an opt-in basis, as well as some of the potential issues with creating forward-compatible filters given the restrictions of cBPF (extensible structs gain new trailing fields in later kernels, so a filter written against today's layout has to decide how to treat a larger struct), and some possible solutions.

Primary author

Aleksa Sarai (SUSE LLC)

Presentation materials