How to use a seccomp filter with eBPF?

2

8

I'm looking for an example of using eBPF to write a seccomp filter, but I can't find any. Could someone tell me if it is possible to use eBPF to write a seccomp filter?

Scholem answered 29/8, 2019 at 14:59
6

Seccomp does not work with eBPF at the moment (only cBPF).

There was a discussion not long ago on that topic on the Linux networking mailing list. The eBPF maintainer is against adding eBPF support to seccomp.

Sewing answered 29/8, 2019 at 15:9 Comment(4)
"the goal of opening up BPF to unprivileged users has been abandoned as unachievable, and that further work in that direction will not be accepted by the BPF maintainer". Still, it's possible to attach an eBPF socket filter to a UDP socket without privileges. Does that statement mean that it won't be possible in the future? – Scholem
Very unlikely; that would break user API. The Linux community has a strong policy against breaking existing user applications. – Sewing
lists.linuxfoundation.org/pipermail/containers/2018-February/… Is this patch merged in some kernel? How can I check it? In my kernel's source code I don't have the seccomp examples. – Scholem
To search for it you could try to grep it from the git log (e.g. git log --oneline | grep "eBPF Seccomp filters"). It's BPF so it would probably be added through bpf-next tree (but not 100% sure because it also touches security stuff). But in practice you can save yourself the trouble: I can tell you it has not been merged as of today. (Full thread here by the way). – Sewing
2

Kernel Runtime Security Instrumentation (KRSI) was designed for this. It's already been merged into the kernel.

Hyrax answered 13/11, 2020 at 22:16 Comment(1)
Unfortunately KRSI requires root, but seccomp does not. – Frosting