Hello,
On Sun, 27 Oct 2024 18:45:39 +0900, Johannes Berg wrote: > > On Sat, 2024-10-26 at 16:36 +0900, Hajime Tazaki wrote: > > > > Originally our patchset had a whitelist-based seccomp filter (w/ > > SCMP_ACT_ALLOW), but dropped from this RFC as I found that 1) this is > > not the !MMU specific feature (it can be generally applied to all UML > > use cases), and 2) we cannot prevent a syscall (e.g., ioctl(2)) from > > userspace which is white-listed in our seccomp filter, thus the newly > > introduced filter may not be perfect. > > > > the maintenance of the whitelist is also not easy; the syscall used in > > one version is renamed at some point in future (what I faced is > > SCMP_SYS(open) should be renamed with SCMP_SYS(openat)). > > Sure, agree that would be awful. However, only kernel code should be > making real host syscalls, never userspace code, so you should be able > to filter simply based on address? Since it's NOMMU there's a single > process and a single address space, and userspace binaries always have > to be in certain places, I'd think? Yes, the address which issued syscall instruction should be able to identify. > This should be cheap since > (a) it's not doing anything with (guest) syscalls that were already > rewritten by zpoline (they don't exist as host syscalls) > (b) while the real host syscalls made by the kernel would still be > checked by the filter program, it'd just return "sure that's OK" > and not redirect anything totally makes sense to me and the filter is nice to have. I'm going to investigate to implement it as a seccomp filter. thanks for the idea, -- Hajime
