Skip to content
This repository was archived by the owner on Feb 24, 2020. It is now read-only.

docs: document seccomp usage #3033

Merged
merged 2 commits into from
Aug 16, 2016
Merged

docs: document seccomp usage #3033

merged 2 commits into from
Aug 16, 2016

Conversation

@lucab
Copy link
Member

@lucab lucab commented Aug 5, 2016

This commit introduces a walk-through guide for seccomp usage.
It is targeted to users, introducing them to Linux seccomp in
general, documenting the differences between the two available
isolators, and how to use them when building images, patching
images and running them.

@lucab
Copy link
Member Author

lucab commented Aug 5, 2016
edited
Loading

/cc @alban for an overall pass on it.

This closely follows the capabilities guide. The umount usecase may not be too interesting, but it's the best one I found which is reproducible just with busybox and a small set of syscalls to whitelist/blacklist.

@lucab lucab added this to the v1.13.0 milestone Aug 5, 2016
alban
alban reviewed Aug 5, 2016
View reviewed changes
Documentation/seccomp-guide.md
The default set is tailored to stop applications from performing a large
variety of privileged actions, while not impacting their normal behavior.
Operations which are typically not needed in containers and which may
impact host state, eg. invoking `umount(2)`, are denied in this way.
Copy link
Member

@alban alban Aug 5, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How does umount() impact the host?

mount() might be a better example.

Copy link
Member Author

@lucab lucab Aug 5, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By unmounting all the inaccessible procfs/sysfs. But yes, also mount()ing would fit here. Do you have any specific case you would like to see here?

Copy link
Member

@alban alban Aug 5, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah right. I didn't have a specific case. But instead of using /dev/console as an example, it could use something more dangerous. Maybe /proc/bus?

Copy link
Member Author

@lucab lucab Aug 5, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Deal.

@jonboulle
Copy link
Contributor

jonboulle commented Aug 5, 2016

This is excellent!

lucab
lucab reviewed Aug 5, 2016
View reviewed changes
Documentation/seccomp-guide.md Outdated
```

Once run, it can be easily verified that both `ping` and `umount` from inside
the container are now functional. These operations also requires additional
Copy link
Member Author

@lucab lucab Aug 5, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/requires/require/

@lucab
docs: document seccomp usage
bfe063e 
This commit introduces a walk-through guide for seccomp usage.
It is targeted to users, introducing them to Linux seccomp in
general, documenting the differences between the two available
isolators, and how to use them when building images, patching
images and running them.
@lucab lucab force-pushed the to-upstream/seccomp-guide branch from 15d4e91 to bfe063e Compare August 5, 2016 16:11
@lucab
Copy link
Member Author

lucab commented Aug 5, 2016

Thanks @alban @jonboulle @iaguis for your great feeback!

Now handing over the baton to @joshix @Phillels @ryanj for a final proof-reading.

euank
euank reviewed Aug 5, 2016
View reviewed changes
Documentation/seccomp-guide.md
returning a specific error code ("errno") to the application instead of
terminating it.

For both isolators, this can be customized by specifying an additional `errno`
Copy link
Member

@euank euank Aug 5, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

An example of how to specify the errno parameter would be helpful.

Copy link
Member Author

@lucab lucab Aug 15, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right! I've slightly adapted the existing examples to also show errno in 1bdf84d without adding too much detour, is it clear enough?

@lucab
docs/seccomp: show errno usage in examples
1bdf84d 
`errno` parameter was only mentioned but never shown in practice.
This adds some usages into existing examples.
@lucab
Copy link
Member Author

lucab commented Aug 15, 2016

@joshix ping. Do you want to have a pass on this or may I go on and perhaps revisit this later?

@jonboulle
Copy link
Contributor

jonboulle commented Aug 15, 2016

@lucab since we've already had two cases of people in the wild asking about seccomp documentation, let's land now and we can follow up with any of @joshix 's comments

@lucab
Copy link
Member Author

lucab commented Aug 15, 2016

@jonboulle ack. Just giving a chance to @euank to have a look at the errno part he asked for, and then I'll take care of landing it for this release cycle.

@euank
Copy link
Member

euank commented Aug 15, 2016

Thanks, exactly the sorta example I wanted. LGTM

@lucab lucab merged commit 3deaa7c into rkt:master Aug 16, 2016
@lucab lucab unassigned joshix Apr 5, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

area/security kind/documentation reviewed/lgtm

Projects

None yet

Milestone

v1.13.0

Development

Successfully merging this pull request may close these issues.

6 participants

@lucab @jonboulle @euank @alban @iaguis @joshix