[HN Gopher] Io_uring and seccomp (2022)
___________________________________________________________________
Io_uring and seccomp (2022)
Author : pncnmnp
Score : 38 points
Date : 2024-10-09 14:42 UTC (2 days ago)
(HTM) web link (blog.0x74696d.com)
(TXT) w3m dump (blog.0x74696d.com)
| leni536 wrote:
| > But if you've got a separation of duties where a sysadmin sets
| up seccomp filtering generically across applications
|
| Is this even possible, regardless of io_uring?
| amarshall wrote:
| Well the article brings up containers as an example. If the
| sysadmin controls "your" parent or root process (e.g. the login
| shell), they can just perform seccomp filtering there and it
| applies to everything within it (like any other sandbox).
| deathanatos wrote:
| This seems like an instance of an anti-pattern I've seen, which
| is inflating "permission" and "API call" to the same thing.
|
| IIRC, AWS does this, where permission is by API call. As an
| example, you can have permission to call ssm:GetParameter _n_
| times, but if you try to combine those _n_ API calls into a batch
| with GetParameters, that's a different IAM perm, _even though
| exactly the same thing is occurring._
| cpuguy83 wrote:
| Both Docker and containerd have started to block io_uring in the
| default profile for about a year now due to too many security
| issues with it.
| hinkley wrote:
| Has anyone speculated yet about how much slower a secure
| io_uring has to be? Is it still a net win once you lock it down
| fully?
| eqvinox wrote:
| Using seccomp with a default-open filter is a terrible idea to
| begin with; it wasn't really designed for any of this. Seccomp in
| its most basic form didn't even have a filter list, it just
| allowed read() and write(). (And close() or something, don't
| quote me on the details, the point is it was a fixed list.)
| You're supposed to use it with a default-closed filter and fully
| enumerate what you need. (Yes, that's hard in a lot of cases, but
| still.)
|
| There have been other cases where syscalls got cloned, mostly to
| add new parameters, but either way seccomp with an "open" filter
| can only ever be defense-in-depth, not a critical line in itself.
|
| (Don't misunderstand, defense-in-depth is good, and keep using
| seccomp for it. But an open seccomp filter MUST be considered
| bypassable.)
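The two filter styles discussed above (the deny-list default profile cpuguy83 mentions, and the default-closed allow-list eqvinox recommends) side by side, as an added example that is not from the thread or from the Docker/containerd projects. It builds both as Docker-style seccomp profile JSON and applies a deliberately simplified lookup (assumption: first rule naming the syscall wins, per-argument comparisons ignored) to show why only the default-closed profile also stops a syscall that was never enumerated.

```python
"""Docker-style seccomp profiles: default-open (deny-list) vs default-closed (allow-list).

Constructed example; `decide` is a simplified model of profile evaluation,
not libseccomp/Docker's actual implementation.
"""
import json

# The three io_uring entry points that a deny-list profile would have to name.
IO_URING = ["io_uring_setup", "io_uring_enter", "io_uring_register"]

# Default-open: everything is allowed unless a rule names it.
OPEN_PROFILE = {
    "defaultAction": "SCMP_ACT_ALLOW",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": IO_URING, "action": "SCMP_ACT_ERRNO", "errnoRet": 1},
    ],
}

# Default-closed: everything is denied unless a rule enumerates it.
CLOSED_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": 1,
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "close", "fstat", "mmap", "munmap",
                   "brk", "exit_group"], "action": "SCMP_ACT_ALLOW"},
    ],
}


def decide(profile: dict, syscall: str) -> str:
    """Return the action a profile takes for one syscall name.

    Simplification (assumption): the first rule whose `names` contains the
    syscall decides; otherwise `defaultAction` applies.
    """
    for rule in profile["syscalls"]:
        if syscall in rule["names"]:
            return rule["action"]
    return profile["defaultAction"]


def compare(syscalls: list) -> dict:
    """Map each syscall to (open-profile action, closed-profile action)."""
    return {s: (decide(OPEN_PROFILE, s), decide(CLOSED_PROFILE, s)) for s in syscalls}


if __name__ == "__main__":
    # "new_clone_syscall" stands in for any future syscall the deny-list never heard of.
    for name, (open_act, closed_act) in compare(IO_URING + ["read", "new_clone_syscall"]).items():
        print(f"{name:20s} open={open_act:14s} closed={closed_act}")
    print(json.dumps(CLOSED_PROFILE, indent=2))  # what you would hand to docker --security-opt seccomp=
```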
___________________________________________________________________
(page generated 2024-10-11 23:00 UTC)