I try to setup a very restrictive seccomp whitelist for a busybox based LXC container. I started with the file /usr/share/doc/lxc/examples/seccomp-v1.conf from Ubuntu. It seems to contain most useful syscalls, but doesn't seem to be further documented.
I started my containers using this file and almost everything worked, only nginx didn't start. Using strace I discovered that two syscalls were missing (something with *pid*/*gid*). ausyscall helped me translating the names to numbers. After that, nginx started.
Now, I want to reduce the file to what is really necessary. For this, I wrote a script which loops through the file, removes one line temporarily and tests if all features still work in the container. At the end, it is able to create a new (more restrictive) whitelist.
As this process is very time consuming, it was running every night last week with several iterations. Currently I got stuck because lxc-attach fails providing an interactive console. I try to find a faster way for debugging, best would be if syslog or Lxc logs all seccomp violations.
I tried to set audit=1 on the kernel command line, but only once I saw seccomp-related audit messages in syslog. Lxc in contrast only shows "Container violated seccomp" which doesn't help me finding which syscall is the problem. Update: If auditd is installed, the logs are written to /var/log/audit/audit.log and the kernel command line parameter is not checked anymore.
Q: Is there a more efficient way for generating a useful seccomp whitelist? And are there recommendations what to block beside the lxc-default kexec_load, open_by_handle_at, init_module, finit_module and delete_module? Is there a list of dangerous syscalls?
Best Answer
In the meantime, I discovered that the seccomp audit log now go to
/var/log/audit/audit.loginstead of syslog, after I installedauditdwhich for getting the ausyscall tool. Without the tool, the logs don't go anywhere.The file contains lines like
Which clearly say which process and which syscall violated the rules - this helps me much.
But I leave this quesion open. There are still unanswered questions and I'm still looking for a more efficient way to set up such a whitelist file than by try&error.