我正在尝试使用 锁定容器systemd-nspawn
,以便仅有的允许我列入白名单的特定系统调用。每文档,默认情况下有一个相当宽松的过滤器,由数百个不同系统调用的大型白名单组成。有一个单位选项SystemCallFilter=
,声称允许您将特定呼叫列入黑名单或白名单。我尝试了一下,在那里放置了一个系统调用并期望完全失败:
[Exec]
...
# We use way more syscalls than this! This whitelist should fail, but it doesn't because it's not a real whitelist.
SystemCallFilter=open,write,close
...
相反,程序运行得很好。如果我明确禁止我知道正在使用的系统调用,我可能会失败:
[Exec]
...
# This actually fails, because open's been explicitly blacklisted.
SystemCallFilter=~open,~write
...
另外,由于黑名单优先于“白名单”,因此我不能禁用所有内容,然后仅打开我需要的内容;白名单被忽略:
[Exec]
...
# Doesn't work, as ~@default takes precedence over the allowlist so *nothing* is allowed
SystemCallFilter=~@default
# full list is much longer and generated automatically from a docker seccomp .json
SystemCallFilter=open,write,close,...
有没有办法实现我想要的功能?我真的不想维护默认白名单上所有数百个系统调用的黑名单,这似乎是目前唯一的方法。
答案1
首先确保启用了 seccomp .. 根据 systemd-exec ,始终允许某些调用.. 允许执行、写入、打开、读取和许多其他调用.. SystemCallFilter= 有效,让您的生活轻松添加SystemCallLog=~chown
或任何未知使用的系统调用和所有使用的系统调用都将被记录。在journalctl _AUDIT_TYPE_NAME=SECCOMP
..中搜索它们
您的答案详细信息可以在这里找到。
--system-call-filter=
Alter the system call filter applied to containers. Takes a space-separated list of system call names or group names (the latter prefixed with "@", as listed by the syscall-filter command of systemd-analyze(1)). Passed system calls will be permitted. The list may optionally be prefixed by "~", in which case all listed system calls are prohibited. If this command line option is used multiple times the configured lists are combined. If both a positive and a negative list (that is one system call list without and one with the "~" prefix) are configured, the negative list takes precedence over the positive list. Note that systemd-nspawn always implements a system call allow list (as opposed to a deny list!), and this command line option hence adds or removes entries from the default allow list, depending on the "~" prefix. Note that the applied system call filter is also altered implicitly if additional capabilities are passed using the --capabilities=.`enter code here
https://www.freedesktop.org/software/systemd/man/latest/systemd-nspawn.html