Move Seccomp support to use Libseccomp as backend #633
Conversation
This would be our preferred solution.
@mheon You need to fix gofmt.
I feel there are several advantages to the libseccomp approach versus the pure golang approach currently adopted by Docker, some of the highlights are listed below:
@mheon There are some vet warnings in your library.
@LK4D4 One of them seems to be in protobuf :/
I wonder how it worked before.
Looks like something with update-vendor script, because your PR also downgraded
Looks like I must have messed it up when rebasing... I'll take a look. The error in the libseccomp bindings looks like a typo, so that should be easy to fix as well.
@mheon We fixed some stuff in master. You can try rebase.
@LK4D4 Rebased. The static analysis problem in the library bindings should still be there, waiting for a patch for that to make its way upstream. Hopefully will be fixed by end of day.
Alright, build failures are resolved. |
libseccomp-2.2.0 and newer have arm64 support (2.2.1 is specified in this Dockerfile), so this PR should resolve the arm64 build breakage I reported in https://github.com/docker/libcontainer/issues/636. |
This PR introduces the ability to filter system calls on a per-container basis on Linux, using libseccomp to support multiple architectures. This adds another layer of security between containers and the kernel. System calls which are unnecessary in a container or problematic from a security perspective can be restricted to prevent their use. Most of the truly problematic syscalls are already restricted by dropping capabilities; this adds an additional, finer-grained layer of protection.

This PR adds a vendored library dependency (Go bindings for libseccomp) and a build dependency on libseccomp >= v2.1. The actual changes to libcontainer are fairly minimal, most of the delta is in the libseccomp bindings.

Docker-DCO-1.1-Signed-off-by: Dan Walsh <[email protected]> (github: rhatdan)
Docker-DCO-1.1-Signed-off-by: Matt Heon <[email protected]> (github: mheon)
Signed-off-by: Matthew Heon <[email protected]>
Signed-off-by: Matthew Heon <[email protected]>
This should also undo accidental gocapability downgrade
Signed-off-by: Matthew Heon <[email protected]>
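The per-container syscall filtering described in the commit message above comes down to a classic BPF program attached to the process with prctl(PR_SET_SECCOMP). The following is an added example, not code from this PR, from libcontainer or from libseccomp: it hand-assembles such an allowlist filter for a single architecture (the x86_64 syscall numbers, the AUDIT_ARCH_X86_64 value and the seccomp_data offsets are assumed from the Linux headers), runs the program through a small interpreter so its decisions can be checked without loading it, and only installs it into the current process when invoked with --install. Producing and maintaining this per-architecture assembly is precisely the work that libseccomp takes over.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
	"unsafe"
)

// sockFilter mirrors struct sock_filter from <linux/filter.h> (assumed layout).
type sockFilter struct {
	Code uint16
	Jt   uint8
	Jf   uint8
	K    uint32
}

// sockFprog mirrors struct sock_fprog; prctl(PR_SET_SECCOMP) takes a pointer to it.
type sockFprog struct {
	Len    uint16
	Filter *sockFilter
}

const (
	bpfLdWAbs  = 0x20 // BPF_LD | BPF_W | BPF_ABS: load the 32-bit word at offset K into the accumulator
	bpfJmpJeqK = 0x15 // BPF_JMP | BPF_JEQ | BPF_K: if acc == K skip jt instructions, else skip jf
	bpfRetK    = 0x06 // BPF_RET | BPF_K: return K as the filter verdict

	seccompRetKill  uint32 = 0x00000000 // SECCOMP_RET_KILL
	seccompRetErrno uint32 = 0x00050000 // SECCOMP_RET_ERRNO; low 16 bits carry the errno
	seccompRetAllow uint32 = 0x7fff0000 // SECCOMP_RET_ALLOW

	auditArchX8664 uint32 = 0xc000003e // AUDIT_ARCH_X86_64 (assumed from <linux/audit.h>)

	offNr   = 0 // offsetof(struct seccomp_data, nr)
	offArch = 4 // offsetof(struct seccomp_data, arch)

	prSetNoNewPrivs   = 38 // PR_SET_NO_NEW_PRIVS
	prSetSeccomp      = 22 // PR_SET_SECCOMP
	seccompModeFilter = 2  // SECCOMP_MODE_FILTER
)

// errnoAction builds a SECCOMP_RET_ERRNO verdict that fails the call with the given errno.
func errnoAction(errno uint32) uint32 { return seccompRetErrno | (errno & 0xffff) }

// buildAllowlist assembles a filter that kills the process if the syscall ABI is not
// the expected architecture, allows every syscall number in allowed, and otherwise
// returns defaultAction. This is the single-architecture shape of what libseccomp
// generates for every architecture a container may run on.
func buildAllowlist(arch uint32, allowed []uint32, defaultAction uint32) []sockFilter {
	prog := []sockFilter{
		{Code: bpfLdWAbs, K: offArch},
		{Code: bpfJmpJeqK, Jt: 1, Jf: 0, K: arch}, // matching arch skips the kill below
		{Code: bpfRetK, K: seccompRetKill},
		{Code: bpfLdWAbs, K: offNr},
	}
	for _, nr := range allowed {
		prog = append(prog,
			sockFilter{Code: bpfJmpJeqK, Jt: 0, Jf: 1, K: nr}, // match falls through to ALLOW
			sockFilter{Code: bpfRetK, K: seccompRetAllow})
	}
	return append(prog, sockFilter{Code: bpfRetK, K: defaultAction})
}

// evaluate interprets the three opcodes used above for one (arch, nr) pair and
// returns the verdict the kernel would reach, so a policy can be checked offline.
func evaluate(prog []sockFilter, arch, nr uint32) (uint32, error) {
	var acc uint32
	for pc := 0; pc < len(prog); pc++ {
		ins := prog[pc]
		switch ins.Code {
		case bpfLdWAbs:
			switch ins.K {
			case offNr:
				acc = nr
			case offArch:
				acc = arch
			default:
				return 0, fmt.Errorf("unsupported load offset %d", ins.K)
			}
		case bpfJmpJeqK:
			if acc == ins.K {
				pc += int(ins.Jt)
			} else {
				pc += int(ins.Jf)
			}
		case bpfRetK:
			return ins.K, nil
		default:
			return 0, fmt.Errorf("unsupported opcode %#x", ins.Code)
		}
	}
	return 0, fmt.Errorf("filter fell off the end without a verdict")
}

// install attaches the filter to the calling process. NO_NEW_PRIVS is required first
// so an unprivileged process may load a filter; both settings are irreversible.
func install(prog []sockFilter) error {
	if _, _, e := syscall.RawSyscall(syscall.SYS_PRCTL, prSetNoNewPrivs, 1, 0); e != 0 {
		return fmt.Errorf("PR_SET_NO_NEW_PRIVS: %v", e)
	}
	fprog := sockFprog{Len: uint16(len(prog)), Filter: &prog[0]}
	if _, _, e := syscall.RawSyscall(syscall.SYS_PRCTL, prSetSeccomp, seccompModeFilter,
		uintptr(unsafe.Pointer(&fprog))); e != 0 {
		return fmt.Errorf("PR_SET_SECCOMP: %v", e)
	}
	return nil
}

func main() {
	// x86_64 numbers (assumed): write=1, exit=60, exit_group=231; open=2 is deliberately absent.
	prog := buildAllowlist(auditArchX8664, []uint32{1, 60, 231}, errnoAction(1)) // EPERM
	for _, nr := range []uint32{1, 2, 60} {
		verdict, _ := evaluate(prog, auditArchX8664, nr)
		fmt.Printf("syscall %3d -> verdict %#08x\n", nr, verdict)
	}
	if len(os.Args) > 1 && os.Args[1] == "--install" {
		if err := install(prog); err != nil {
			fmt.Println("install failed:", err)
		}
		syscall.Exit(0) // exit_group is on the allowlist; almost nothing else is
	}
}
```

The interpreter is what makes a policy reviewable before it is loaded: evaluate it for each syscall the workload is expected to make and for the ones it must not, and only then install. The --install path exists to show the prctl sequence, not as a usable sandbox for a Go program; the Go runtime needs a far larger allowlist (futex, mmap, clone, sigaltstack and more) than the three calls used here, and a real container policy is where a library that knows every architecture's numbering earns its keep.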
Rebased on latest master.
@mheon Could you port your PR to opencontainers/runc pls?
@LK4D4 Sure, I'll look into getting it ported.
ported to runc
In a brief summary of prior events: there were two competing Seccomp integrations, a native Golang implementation (PR #613) and one based on the libseccomp library (PR #384). The libseccomp PR had licensing issues preventing its merging, so the native Golang implementation was merged.
I believe that the licensing issues present in the old Libseccomp based implementation have been resolved, and that the library-based solution is a decidedly superior implementation to the current Golang version. Libseccomp is well-tested, well-supported, and high-performance, and removes the burden of supporting this code from Docker.
This PR removes the existing Seccomp implementation and replaces it with a Libseccomp based one. The API from the original Libseccomp PR has been substituted for the existing API, but the two are mostly compatible, and it should be possible to convert this to use the existing API if that is desired.