On Sat, 2024-10-26 at 16:36 +0900, Hajime Tazaki wrote:
> 
> Originally our patchset had a whitelist-based seccomp filter (w/
> SCMP_ACT_ALLOW), but dropped from this RFC as I found that 1) this is
> not the !MMU specific feature (it can be generally applied to all UML
> use cases), and 2) we cannot prevent a syscall (e.g., ioctl(2)) from
> userspace which is white-listed in our seccomp filter, thus the newly
> introduced filter may not be perfect.
> 
> the maintenance of the whitelist is also not easy; the syscall used in
> one version is renamed at some point in future (what I faced is
> SCMP_SYS(open) should be renamed with SCMP_SYS(openat)).

Sure, agree that would be awful.

However, only kernel code should be making real host syscalls, never
userspace code, so you should be able to filter simply based on address?
Since it's NOMMU there's a single process and a single address space, and
userspace binaries always have to be in certain places, I'd think?

This should be cheap since

 (a) it's not doing anything with (guest) syscalls that were already
     rewritten by zpoline (they don't exist as host syscalls)

 (b) while the real host syscalls made by the kernel would still be
     checked by the filter program, it'd just return "sure that's OK"
     and not redirect anything

johannes
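
Added example, not part of the original thread or the patchset: a classic-BPF seccomp program that decides purely on seccomp_data.instruction_pointer, the address-based filtering the reply suggests. The function names, the sample address range standing in for the kernel text, and the rule that both ends of the allowed range share their upper 32 bits are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* 32-bit halves of seccomp_data.instruction_pointer (little-endian host). */
#define IP_LO ((uint32_t)offsetof(struct seccomp_data, instruction_pointer))
#define IP_HI (IP_LO + 4)

/* Fill f with a classic-BPF program that allows a host syscall only when it was
 * issued from [lo, hi). Assumption: lo and hi share their upper 32 bits. */
int build_ip_filter(struct sock_filter f[7], uint64_t lo, uint64_t hi) {
    const struct sock_filter prog[7] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, IP_HI),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)(lo >> 32), 0, 4),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, IP_LO),
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, (uint32_t)lo, 0, 2), /* ip < lo: deny  */
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, (uint32_t)hi, 1, 0), /* ip >= hi: deny */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    };
    memcpy(f, prog, sizeof prog);
    return 7;
}

/* User-space evaluator for the opcodes above; nothing is installed here. */
uint32_t run_filter(const struct sock_filter *f, int n, uint64_t ip) {
    struct seccomp_data sd = { .instruction_pointer = ip };
    uint32_t acc = 0;
    for (int pc = 0; pc < n; pc++) {
        uint32_t k = f[pc].k;
        switch (f[pc].code) {
        case BPF_LD | BPF_W | BPF_ABS: memcpy(&acc, (char *)&sd + k, 4); break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += acc == k ? f[pc].jt : f[pc].jf; break;
        case BPF_JMP | BPF_JGE | BPF_K: pc += acc >= k ? f[pc].jt : f[pc].jf; break;
        case BPF_RET | BPF_K: return k;
        }
    }
    return SECCOMP_RET_KILL;
}

int main(void) {
    struct sock_filter f[7];
    /* Constructed sample range standing in for the kernel text mapping. */
    int n = build_ip_filter(f, 0x7f0000400000ULL, 0x7f0000800000ULL);
    return run_filter(f, n, 0x7f0000401000ULL) != SECCOMP_RET_ALLOW;
}
```

To load the program for real, set PR_SET_NO_NEW_PRIVS with prctl(2) and pass it in a struct sock_fprog to seccomp(2) with SECCOMP_SET_MODE_FILTER. A production filter should also check seccomp_data.arch first.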