I try to set up a very restrictive seccomp whitelist for a busybox-based LXC container. I started with the file /usr/share/doc/lxc/examples/seccomp-v1.conf from Ubuntu. It seems to contain most useful syscalls, but doesn't seem to be further documented.
I started my containers using this file and almost everything worked, only nginx didn't start. Using strace I discovered that two syscalls were missing (something with *pid*/*gid*). ausyscall helped me translate the names to numbers. After that, nginx started.
Now, I want to reduce the file to what is really necessary. For this, I wrote a script which loops through the file, removes one line temporarily and tests if all features still work in the container. At the end, it is able to create a new (more restrictive) whitelist.
As this process is very time consuming, it was running every night last week with several iterations. Currently I got stuck because lxc-attach fails providing an interactive console. I try to find a faster way for debugging; best would be if syslog or LXC logged all seccomp violations.
I tried to set audit=1 on the kernel command line, but only once did I see seccomp-related audit messages in syslog. LXC in contrast only shows "Container violated seccomp", which doesn't help me find which syscall is the problem. Update: If auditd is installed, the logs are written to /var/log/audit/audit.log and the kernel command line parameter is not checked anymore.
Q: Is there a more efficient way of generating a useful seccomp whitelist? And are there recommendations on what to block beside the lxc-default kexec_load, open_by_handle_at, init_module, finit_module and delete_module? Is there a list of dangerous syscalls?
Best Answer
In the meantime, I discovered that the seccomp audit logs now go to /var/log/audit/audit.log instead of syslog, after I installed auditd, which I needed for getting the ausyscall tool. Without the tool, the logs don't go anywhere. The file contains lines like
which clearly say which process and which syscall violated the rules; this helps me a lot.
But I leave this question open. There are still unanswered questions and I'm still looking for a more efficient way to set up such a whitelist file than by trial and error.
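A shell version of the trial-and-error loop the question describes, added here as an example (it is not the asker's script). It assumes the seccomp-v1 layout of a version line, a `whitelist` line and then one syscall number per line, plus a caller-supplied test command that receives the candidate file as its last argument and exits 0 only when every required feature still works in the container started with it:

```shell
#!/bin/sh
# Greedy minimisation of a seccomp-v1 whitelist (added example, not from the
# original post): drop one syscall line at a time, re-run the feature test,
# and keep the removal only when the test still passes.
#
# minimize_whitelist <input.conf> <output.conf> <test-cmd> [args...]
# The test command is assumed to start the container with the candidate
# file (passed as its last argument) and exit 0 only if all features work.
minimize_whitelist() {
    in="$1"; out="$2"; shift 2
    cp "$in" "$out"
    # Candidates: every numeric line after the two header lines
    # ("1" and "whitelist"); blanks and comments are ignored.
    for num in $(tail -n +3 "$in" | grep -E '^[0-9]+$'); do
        tmp="$out.try"
        # Remove exactly this syscall number, but never touch the header
        # (the version line "1" must survive even when syscall 1 is dropped).
        awk -v n="$num" 'NR <= 2 || $0 != n' "$out" > "$tmp"
        if "$@" "$tmp" >/dev/null 2>&1; then
            mv "$tmp" "$out"      # still works without it: leave it out
        else
            rm -f "$tmp"          # feature test failed: keep the syscall
        fi
    done
}
```

The result depends on the order of the lines, so a second pass over the produced file can occasionally remove a few more entries.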