On Wed, Feb 14, 2018 at 05:25:00PM +0000, Andy Lutomirski wrote: > On Tue, Feb 13, 2018 at 3:47 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote: > > On Tue, Feb 13, 2018 at 7:42 AM, Sargun Dhillon <sargun@xxxxxxxxx> wrote: > >> This patchset enables seccomp filters to be written in eBPF. Although, > >> this patchset doesn't introduce much of the functionality enabled by > >> eBPF, it lays the ground work for it. > >> > >> It also introduces the capability to dump eBPF filters via the PTRACE > >> API in order to make it so that CHECKPOINT_RESTORE will be satisifed. > >> In the attached samples, there's an example of this. One can then use > >> BPF_OBJ_GET_INFO_BY_FD in order to get the actual code of the program, > >> and use that at reload time. > >> > >> The primary reason for not adding maps support in this patchset is > >> to avoid introducing new complexities around PR_SET_NO_NEW_PRIVS. > >> If we have a map that the BPF program can read, it can potentially > >> "change" privileges after running. It seems like doing writes only > >> is safe, because it can be pure, and side effect free, and therefore > >> not negatively effect PR_SET_NO_NEW_PRIVS. Nonetheless, if we come > >> to an agreement, this can be in a follow-up patchset. > > > > What's the reason for adding eBPF support? seccomp shouldn't need it, > > and it only makes the code more complex. I'd rather stick with cBPF > > until we have an overwhelmingly good reason to use eBPF as a "native" > > seccomp filter language. > > > > I can think of two fairly strong use cases for eBPF's ability to call > functions: logging and Tycho's user notifier thing. Worth noting that there is one additional thing that I didn't implement, but which would be nice and is probably not possible with eBPF (at least, not without a bunch of additional infrastructure): passing fds back to the tracee from the manager if you intercept socket(), or accept() or something. This could again be accomplished via other means, though it would be a lot nicer to have a primitive for it. That said, I think it's more important that something like this gets in, vs. that it gets in with some approach like I've posted. So if we go with eBPF and some wait functions and acknowledge that you have to do some ptrace surgery, that is better than nothing. Tycho _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
