System call interception for unprivileged containers
System call interception for unprivileged containers
Posted Jun 30, 2022 21:31 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)In reply to: System call interception for unprivileged containers by kleptog
Parent article: System-call interception for unprivileged containers
Somebody here mentioned an idea to generate the marshalling layer based on the CTF description. Might be a good idea to just bit the bullet and do this.
Moreover, we can even allowlist a few performance-crucial syscalls (like 'open') from marshalling. But all the thousands of ioctls can definitely be piped through that marshalling layer without any real impact.
Posted Jul 4, 2022 14:56 UTC (Mon)
by nix (subscriber, #2304)
[Link] (2 responses)
As for the marshalling layer itself, in the limit you can just do what FUSE does for unprivileged ioctls. Of course that involves repeated roundtrips so is not exactly efficient, but with a proper (CTF-driven?) description, you could marshal most things straight away with no roundtrips at all.
(The problem is TOCTTOU while the marshalling is going on. You can reduce the probability of that by rescanning everything after the first marshal and comparing it with what was marshalled, but if the attacker keeps changing the source that just turns the problem into a DoS attack.)
Posted Jul 4, 2022 16:32 UTC (Mon)
by gnb (subscriber, #5132)
[Link]
Posted Jul 4, 2022 20:26 UTC (Mon)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Then the kernel (and all the other layers) can just use the sanitized representation. Detecting attempted races can be a nice additional intrusion detection feature, but not a requirement.
System call interception for unprivileged containers
System call interception for unprivileged containers
System call interception for unprivileged containers