SB++
Sandbox applications
Syscall Filter Generation

This header includes the filter() command for generating a SECCOMP-BPF filter to restrict syscalls within the sandbox. Moving to C/C++ allows us to use the libseccomp library directly, which is already installed on any systemd system, so we avoid a dependency on the Python bindings, which are packaged separately. Implementation-wise, the groups have been removed, as have numerical syscall numbers. Groups were a bad idea from the start: any scheme that combines syscalls introduces more attack surface, especially when a grouping must be broad enough that a filter can be written by hand, which was the original goal. This also means that offering syscalls on the command line is not supported. Secondly, while portability of the application folders isn't a must, numerical syscalls make the files nebulous and system-specific.
Functions
| std::string | filter (const std::string &application) |
| | Generate a syscall filter. |
| void | update_policy (const std::string &application, const shared::vector &straced) |
| | Append an existing policy with newly discovered syscalls. |
std::string syscalls::filter(const std::string &application)
Generate a syscall filter.
| application | The application. |
void syscalls::update_policy(const std::string &application, const shared::vector &straced)
Append an existing policy with newly discovered syscalls.
| application | The name of the application, used to locate its syscalls.txt. |
| straced | The output of an strace run. |
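The append step that update_policy() describes, as an added example rather than SB++'s own code: syscall names are pulled out of the lines of an strace run (including the `[pid N]` prefix, `<... resumed>` halves and signal/exit markers that `strace -f` emits) and merged into an existing name-only policy. `syscall_name`, `merge_policy`, the policy text and the strace lines are all constructed for this example; the real function takes a `shared::vector` and reads the application's syscalls.txt itself.

```cpp
// Added example, not SB++'s own code: merge the syscall names seen in an strace
// run into an existing name-based allowlist (what update_policy() describes).
#include <cctype>
#include <iostream>
#include <set>
#include <sstream>
#include <string>
#include <vector>
// Syscall name one strace line records, or "" for lines that carry none
// (signal/exit markers, the "<... resumed>" half of a split call).
std::string syscall_name(const std::string &line) {
    size_t i = 0;
    if (line.compare(0, 5, "[pid ") == 0) i = line.find(']') + 1;  // strace -f prefix
    while (i < line.size() && (line[i] == ' ' || std::isdigit((unsigned char)line[i]))) ++i;
    size_t j = i;
    while (j < line.size() && (std::isalnum((unsigned char)line[j]) || line[j] == '_')) ++j;
    if (j == i || j >= line.size() || line[j] != '(') return "";  // a call reads "name("
    return line.substr(i, j - i);
}

// policy: current syscalls.txt (one name per line, '#' comments); straced: lines of
// an strace run. Names only, never numbers or groups, as the page requires.
std::vector<std::string> merge_policy(const std::string &policy,
                                      const std::vector<std::string> &straced) {
    std::set<std::string> names;   // sorted and de-duplicated for free
    std::istringstream in(policy);
    for (std::string l; std::getline(in, l);) {
        std::string tok;
        std::istringstream(l.substr(0, l.find('#'))) >> tok;   // drop comment, trim
        if (!tok.empty() && !std::isdigit((unsigned char)tok[0])) names.insert(tok);
    }
    for (const std::string &l : straced) {
        std::string n = syscall_name(l);
        if (!n.empty()) names.insert(n);
    }
    return std::vector<std::string>(names.begin(), names.end());
}

// Constructed sample input: a short existing policy and a few strace -f lines.
const char *const kExistingPolicy = "# constructed policy\nread\nwrite\nexit_group\n";
const std::vector<std::string> kStraced = {
    "execve(\"/usr/bin/true\", [\"true\"], 0x7ffd1234) = 0", "brk(NULL) = 0x55d4c1a2b000",
    "openat(AT_FDCWD, \"/etc/ld.so.cache\", O_RDONLY|O_CLOEXEC) = 3",
    "[pid 4242] read(3, <unfinished ...>", "[pid 4242] <... read resumed>\"\\177ELF\", 832) = 832",
    "--- SIGCHLD {si_signo=SIGCHLD} ---", "+++ exited with 0 +++"};

int main() {   // prints the merged allowlist, one name per line
    for (const std::string &n : merge_policy(kExistingPolicy, kStraced)) std::cout << n << '\n';
}
```

Numeric entries in the policy are dropped rather than carried over, matching the page's decision to keep syscalls.txt name-based so the files stay readable and not tied to one kernel's numbering.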