Whitelisting and blacklisting

[idk-r-n]

I don't understand how a whitelist and blacklist can work in the same filter. My goal is to only allow the syscalls that are whitelisted. Is that supported by your project?

[valoq]

You can build a whitelist for syscalls with the code in this repository instead of using a blacklist.

Simply edit this line https://github.com/valoq/bwscripts/blob/edc5fb0f987ee00224c2bce1b9c5fdfb45660061/exportFilter.c#L51 and replace it with ctx = seccomp_init(SCMP_ACT_KILL_PROCESS); to define the default action for syscalls. Then you can define all allowed syscalls with the ALLOW_RULE(call) makro.

How useful this filter is going to be depends a lot on the target application, but if you have the choice I would recommend implementing a syscall filter inside the application code itself since that will allow you much stricter rules.

An example can be found here or see the libseccomp documentation.

[idk-r-n]

Thanks for that. Bubblewrap is kind of my only option here even though it would be better to modify the application since it would allow me to use different filters for different processes

[idk-r-n]

@valoq does that mean I can safely ignore that blacklist selection or delete it entirely?

[idk-r-n]

You can build a whitelist for syscalls with the code in this repository instead of using a blacklist.

Simply edit this line

https://github.com/valoq/bwscripts/blob/edc5fb0f987ee00224c2bce1b9c5fdfb45660061/exportFilter.c#L51

and replace it with ctx = seccomp_init(SCMP_ACT_KILL_PROCESS); to define the default action for syscalls.

Your code had the same line already in it, commented out, but if says (SCMP_ACT_KILL) instead. Which should I use?

[valoq]

@valoq does that mean I can safely ignore that blacklist selection or delete it entirely?

Yes

Your code had the same line already in it, commented out, but if says (SCMP_ACT_KILL) instead. Which should I use?

SCMP_ACT_KILL_PROCESS kills the entire process and not just the thread.

You can find all the details in the man page: https://man7.org/linux/man-pages/man3/seccomp_init.3.html

[idk-r-n]

SCMP_ACT_KILL_PROCESS kills the entire process and not just the thread.

So it's just a choice of if I want the whole application to be killed and not just the sub process?

[valoq]

SCMP_ACT_KILL_PROCESS kills the entire process and not just the thread.

So it's just a choice of if I want the whole application to be killed and not just the sub process?

Yes, it depends on your use case but for most applications I found SCMP_ACT_KILL_PROCESS to be the clean option

[idk-r-n]

I added chmod to the default filter and compiled it, but I can still chmod. Any idea why bwrap --seccomp 0 0< filter.bpf --ro-bind / / --bind $HOME $HOME chmod u+x file changes the file permissions?

[valoq]

I added chmod to the default filter and compiled it, but I can still chmod. Any idea why bwrap --seccomp 0 0< filter.bpf --ro-bind / / --bind $HOME $HOME chmod u+x file changes the file permissions?

/usr/bin/chmod does not use the "chmod" syscall but instead the alternative fchmodat syscall. Many syscalls have several versions to do almost the same things and its one of the reasons why whitelists work a lot more reliably.

[idk-r-n]

I added chmod to the default filter and compiled it, but I can still chmod. Any idea why bwrap --seccomp 0 0< filter.bpf --ro-bind / / --bind $HOME $HOME chmod u+x file changes the file permissions?

/usr/bin/chmod does not use the "chmod" syscall but instead the alternative fchmodat syscall. Many syscalls have several versions to do almost the same things and its one of the reasons why whitelists work a lot more reliably.

I feel sick now

[idk-r-n]

@valoq thanks for all your help. I've got most things working as expected