seccomp / libseccomp

The main libseccomp repository
GNU Lesser General Public License v2.1
808 stars 173 forks source link

RFE: tool to precompile filters #342

Open vapier opened 3 years ago

vapier commented 3 years ago

one downside to libseccomp is that you have to link it into every project that wants to use it, and then generate the bpf program on the fly before it can be loaded. this is useful in some scenarios (where the filter needs are dynamic), but a common situation (in my experience in Chrome OS) is that the filter is always the same on every run. it would be nice if we could compile the filter at build time and have the runtime just load the program into the kernel and not have any libseccomp dependency at runtime at all.

i've actually built a limited proof of concept in Gentoo's pax-utils. i'll link to them here, but it's more as an FYI rather than an immediate discussion point, so please don't look too hard at them.

now i'm wondering if we can generalize this in libseccomp itself. while eBPF has the luxury of an LLVM backend, plain BPF does not. so i think we'd have to:

WDYT ? is this something we can do as part of libseccomp ?

pcmoore commented 3 years ago

I've been thinking about this for a while now, it just hasn't percolated up the priority ladder:

I'm not sure we want to go quite as far as what you've described, e.g. design a new DSL, as I believe that is a bit beyond the scope of the core libseccomp library. However, I do think it would be reasonable to add support for exporting a libseccomp filter into a C header file that would contain the BPF as well as the necessary NNP and other calls to load/instantiate the filter at runtime.

Applications which wanted to make use of this could simply transfer their existing libseccomp calls into a separate tool which is built/executed at build time and the resulting header file included in the main application.

If we eventually decide that we do want to go the full blown language route we can do that later, the header file generation would be a first step regardless.

pcmoore commented 3 years ago

Also, do we want to consolidate this issue with #15?

vapier commented 3 years ago

I certainly understand the concern about scope creep. I'm happy to take it one step at a time.

I'll start with the C header generation in #15. I did a quick search before but didn't find that one, so thanks for the link.

up to you whether you want to close this issue now, or leave it open for a bit in case anyone shows up with their thoughts. not that reopening is hard to do.

drakenclimber commented 3 years ago

This issue has arisen a few times within Oracle as well. Most recently a team that frequently creates/deletes containers expressed interest in the ability to build a filter once up front rather than each time a container is created. They experimented with exporting BPF and trying to pass that around, but it felt fragile.

I'm open to a variety of solutions, but perhaps starting small(er) would be best.