Investigate Syscalls to Block with seccomp-bpf #106

MarkKoz · 2021-04-08T22:59:43Z

A long time ago I made a rough draft of a filter:

seccomp_string: "KILL {"
seccomp_string: "   execve,"
seccomp_string: "   execveat,"
seccomp_string: "   shmget,"
seccomp_string: "   shmat,"
seccomp_string: "   shmdt,"
seccomp_string: "   shmctl,"
seccomp_string: "   fork,"
seccomp_string: "   clone"
seccomp_string: "}"
seccomp_string: "DEFAULT ALLOW"

However, because nsjail applies the filter to the forked process before it changes from nsjail to Python, blocking some syscalls may interfere with the functionality of nsjail. The most important one is execve, which is what changes the fork from nsjail to Python, so it would have to be excluded from the above filter.

The rest of the syscalls above are merely redundancies given the current nsjail configuration. The shared memory syscalls are just there as insurance since the exploit was already fixed long ago by not mounting the stuff needed for it to work. fork and clone are redundant since the PID limit is 1 anyway.

Any other ideas for syscalls to filter are welcome.

The text was updated successfully, but these errors were encountered:

MarkKoz added type: feature New feature or request status: planning Discussing details area: nsjail Related to NsJail and its configuration priority: 2 - normal priority: 3 - low and removed priority: 2 - normal labels Apr 8, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Investigate Syscalls to Block with seccomp-bpf #106

Investigate Syscalls to Block with seccomp-bpf #106

MarkKoz commented Apr 8, 2021

Investigate Syscalls to Block with seccomp-bpf #106

Investigate Syscalls to Block with seccomp-bpf #106

Comments

MarkKoz commented Apr 8, 2021