Security/Sandbox/Seccomp: Difference between revisions

In this example, you could have a filter that validates that the syscall is for the correct architecture (rather than trying to invoke an OS-emulation feature or 32/64-bit translation, where the syscall numbers could have different meanings), then check the syscall number against each entry on a whitelist and allow the call if it matches, and finally kill the process if it didn't match any whitelist entry.


=== Complex filters ===
=== Advanced use cases ===


The BPF language doesn't allow loops (branches can only skip instructions, not jump back), but more complex computations than a simple whitelist check are possible.  For example, the Chromium codebase contains modules that translate a more abstract representation of filter predicates (ErrorCode) into a basic block graph and then into a linear sequence of BPF instructions (CodeGen); this includes constructing a binary search tree to dispatch on the system call number in O(log n) time.
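The two ideas above, an architecture check followed by a whitelist, and a binary search tree over syscall numbers instead of a linear chain of compares, are shown together in the following added example. It is not code from the wiki page or from Chromium's ErrorCode/CodeGen modules; it is a small Python generator that emits classic BPF instructions for both the linear and the tree-shaped filter, plus a toy interpreter (not the kernel's) that runs them against a constructed `struct seccomp_data` and counts executed instructions. The opcode values, seccomp return values, `AUDIT_ARCH_X86_64` and the x86-64 syscall numbers in the sample whitelist are real constants from the Linux headers; the whitelist itself and the `OTHER_ARCH` value used as a foreign architecture are constructed for the demonstration.

```python
import struct
from collections import namedtuple

# Classic BPF opcodes (linux/filter.h) and seccomp constants (linux/seccomp.h).
BPF_LD_W_ABS = 0x20          # A = *(u32 *)(seccomp_data + k)
BPF_JEQ_K = 0x15             # if A == k: pc += jt else pc += jf   (offsets relative to next insn)
BPF_JGT_K = 0x25             # if A >  k (unsigned): pc += jt else pc += jf
BPF_RET_K = 0x06             # return k
SECCOMP_RET_KILL_PROCESS = 0x80000000
SECCOMP_RET_ALLOW = 0x7FFF0000
AUDIT_ARCH_X86_64 = 0xC000003E
OTHER_ARCH = 0x40000003      # AUDIT_ARCH_I386: the 32-bit ABI with different syscall numbers
OFF_NR, OFF_ARCH = 0, 4      # byte offsets of nr and arch inside struct seccomp_data

# Constructed whitelist of x86-64 syscall numbers: read, write, close, fstat, mmap,
# mprotect, munmap, brk, rt_sigreturn, exit, exit_group.
ALLOWED = [0, 1, 3, 5, 9, 10, 11, 12, 15, 60, 231]

Insn = namedtuple("Insn", "code jt jf k")
ALLOW, KILL = "allow", "kill"   # symbolic jump targets, resolved to indices by finish()


def prologue():
    """Arch check first: a foreign ABI would make the syscall number mean something else."""
    prog = [Insn(BPF_LD_W_ABS, 0, 0, OFF_ARCH)]
    prog.append(Insn(BPF_JEQ_K, len(prog) + 1, KILL, AUDIT_ARCH_X86_64))  # match -> fall through
    prog.append(Insn(BPF_LD_W_ABS, 0, 0, OFF_NR))                         # A = syscall number
    return prog


def finish(prog):
    """Append the two return instructions and turn absolute/symbolic targets into cBPF offsets."""
    kill_at, allow_at = len(prog), len(prog) + 1   # KILL first: a chain that runs off its end dies
    prog.append(Insn(BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS))
    prog.append(Insn(BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW))
    labels = {KILL: kill_at, ALLOW: allow_at}
    out = []
    for pc, ins in enumerate(prog):
        if ins.code in (BPF_JEQ_K, BPF_JGT_K):
            jt = labels.get(ins.jt, ins.jt) - (pc + 1)
            jf = labels.get(ins.jf, ins.jf) - (pc + 1)
            assert 0 <= jt <= 255 and 0 <= jf <= 255, "cBPF jumps are forward-only 8-bit offsets"
            ins = Insn(ins.code, jt, jf, ins.k)
        out.append(ins)
    return out


def build_linear(allowed):
    """Whitelist as a chain of compares: O(n) instructions executed for a miss."""
    prog = prologue()
    for nr in allowed:
        prog.append(Insn(BPF_JEQ_K, ALLOW, len(prog) + 1, nr))   # miss -> next compare (or KILL)
    return finish(prog)


def _bst_node(prog, nrs):
    """Emit a binary-search subtree over sorted nrs; return its entry index (KILL if empty)."""
    if not nrs:
        return KILL
    mid = len(nrs) // 2
    pivot = nrs[mid]
    entry = len(prog)
    prog.append(Insn(BPF_JEQ_K, ALLOW, entry + 1, pivot))   # exact hit -> allow, else split
    split = len(prog)
    prog.append(None)                                       # patched once both subtrees exist
    left = _bst_node(prog, nrs[:mid])
    right = _bst_node(prog, nrs[mid + 1:])
    prog[split] = Insn(BPF_JGT_K, right, left, pivot)       # nr > pivot -> right, else left
    return entry


def build_bst(allowed):
    """Whitelist as a binary search tree: O(log n) instructions executed per syscall."""
    prog = prologue()
    _bst_node(prog, sorted(allowed))
    return finish(prog)


def run(prog, arch, nr):
    """Toy classic-BPF interpreter; returns (seccomp action, instructions executed)."""
    data = struct.pack("<IIQ6Q", nr, arch, 0, 0, 0, 0, 0, 0, 0)  # seccomp_data with ip/args zeroed
    acc, pc, steps = 0, 0, 0
    while True:
        ins = prog[pc]
        steps += 1
        if ins.code == BPF_LD_W_ABS:
            acc = struct.unpack_from("<I", data, ins.k)[0]
            pc += 1
        elif ins.code == BPF_JEQ_K:
            pc += 1 + (ins.jt if acc == ins.k else ins.jf)
        elif ins.code == BPF_JGT_K:
            pc += 1 + (ins.jt if acc > ins.k else ins.jf)
        elif ins.code == BPF_RET_K:
            return ins.k, steps
        else:
            raise ValueError("unsupported opcode 0x%02x" % ins.code)


if __name__ == "__main__":
    for name, prog in (("linear", build_linear(ALLOWED)), ("bst", build_bst(ALLOWED))):
        for nr in (231, 2):
            action, steps = run(prog, AUDIT_ARCH_X86_64, nr)
            print("%-6s nr=%-3d %s in %d insns" % (name, nr, hex(action), steps))
        print("%-6s wrong arch -> %s" % (name, hex(run(prog, OTHER_ARCH, 1)[0])))
```

Both generators share the prologue, so a syscall arriving under the 32-bit ABI is killed before any number is compared. For the sample list the tree filter decides `exit_group` (231) in 9 executed instructions and an unlisted `open` (2) in 10, whereas the linear chain needs 15 for the miss; the gap widens with the size of the whitelist, which is why a code generator rather than a hand-written chain is worth having once the filter grows beyond a handful of entries.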