Remove seccomp
This patch completely removes seccomp from the Linux sandbox.

Currently the only use of seccomp is to block system calls for
network filtering. However, since user namespaces already isolate
networking, seccomp isn't necessary anymore.

Seccomp could be useful in the future to limit some system calls that
could cause undesired system changes, but these types of system calls
usually require elevated permissions already.
cd-work committed Sep 28, 2023
1 parent bbe90cb commit 723ae65
Showing 7 changed files with 1 addition and 669 deletions.
11 changes: 0 additions & 11 deletions Cargo.toml
Expand Up @@ -44,23 +44,12 @@ name = "net"
path = "tests/net.rs"
harness = false

[[test]]
name = "net_without_seccomp"
path = "tests/net_without_seccomp.rs"
harness = false

[[test]]
name = "net_without_namespaces"
path = "tests/net_without_namespaces.rs"
harness = false

[[test]]
name = "consistent_id_mappings"
path = "tests/consistent_id_mappings.rs"
harness = false

[target.'cfg(target_os = "linux")'.dependencies]
seccompiler = "0.2.0"
libc = "0.2.132"

[dev-dependencies]
3 changes: 1 addition & 2 deletions README.md
Expand Up @@ -63,8 +63,7 @@ use the example.
## Supported Platforms
- Linux via [namespaces] and [seccomp]
- Linux via [namespaces]
- macOS via `sandbox_init()` (aka Seatbelt)
[namespaces]: https://man7.org/linux/man-pages/man7/namespaces.7.html
[seccomp]: https://man7.org/linux/man-pages/man2/seccomp.2.html
23 changes: 0 additions & 23 deletions src/error.rs
Expand Up @@ -7,19 +7,12 @@ use std::fmt::{self, Display, Formatter};
use std::io::Error as IoError;
use std::result::Result as StdResult;

#[cfg(target_os = "linux")]
use seccompiler::{BackendError, Error as SeccompError};

/// Birdcage result type.
pub type Result<T> = StdResult<T, Error>;

/// Sandboxing error.
#[derive(Debug)]
pub enum Error {
/// Seccomp errors.
#[cfg(target_os = "linux")]
Seccomp(SeccompError),

/// Invalid sandbox exception path.
#[cfg(target_os = "macos")]
InvalidPath(InvalidPathError),
Expand All @@ -36,8 +29,6 @@ impl StdError for Error {}
impl Display for Error {
fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
match self {
#[cfg(target_os = "linux")]
Self::Seccomp(error) => write!(f, "seccomp error: {error}"),
#[cfg(target_os = "macos")]
Self::InvalidPath(error) => write!(f, "invalid path: {error:?}"),
Self::Io(error) => write!(f, "input/output error: {error}"),
Expand All @@ -48,20 +39,6 @@ impl Display for Error {
}
}

#[cfg(target_os = "linux")]
impl From<SeccompError> for Error {
fn from(error: SeccompError) -> Self {
Self::Seccomp(error)
}
}

#[cfg(target_os = "linux")]
impl From<BackendError> for Error {
fn from(error: BackendError) -> Self {
Self::Seccomp(SeccompError::Backend(error))
}
}

#[cfg(target_os = "macos")]
impl From<InvalidPathError> for Error {
fn from(error: InvalidPathError) -> Self {
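Review bot: Dropping the public `Error::Seccomp` variant in the `pub enum Error` hunk is a breaking API change for Linux consumers that match on that variant, and neither the commit message nor the diffstat shown here mentions a version bump or changelog entry; that should be stated explicitly. Since the enum is visibly open to platform-specific variants coming and going (`InvalidPath` under `cfg(target_os = "macos")`, `Seccomp` formerly under `cfg(target_os = "linux")`), I would pair this removal with `#[non_exhaustive]` directly above `pub enum Error {`, so that downstream exhaustive matches stop being a compatibility hazard on the next such change. The enum body and the `Display` impl both continue past their hunks, so I cannot see whether any other Linux-only variant remains.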
7 changes: 0 additions & 7 deletions src/linux/mod.rs
Expand Up @@ -6,11 +6,9 @@ use std::path::PathBuf;

use crate::error::Result;
use crate::linux::namespaces::MountFlags;
use crate::linux::seccomp::NetworkFilter;
use crate::{Exception, Sandbox};

mod namespaces;
mod seccomp;

/// Linux sandboxing.
#[derive(Default)]
Expand Down Expand Up @@ -70,11 +68,6 @@ impl Sandbox for LinuxSandbox {
// Setup namespaces.
namespaces::create_namespaces(self.allow_networking, self.bind_mounts)?;

// Setup seccomp network filter.
if !self.allow_networking {
let _ = NetworkFilter::apply();
}

// Block suid/sgid.
//
// This is also blocked by our bind mount's MS_NOSUID flag, so we're just
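Review bot: After this hunk, `namespaces::create_namespaces(self.allow_networking, self.bind_mounts)?` is the only code path enforcing network isolation when networking is disallowed, so the sandbox no longer has a second layer if the namespace setup ever regresses; the old filter was best-effort (its error was discarded), but it still acted as defense in depth. The reliance is not visible at the call site now that the seccomp block is gone, so I would document it there: `// Network isolation (when !allow_networking) rests entirely on the network namespace created here; there is no syscall filter behind it.` It is also worth confirming that `create_namespaces` fails closed rather than continuing when the network namespace cannot be created, since `?` only propagates what it returns; its body is outside this hunk. The enclosing method of `impl Sandbox for LinuxSandbox` starts and ends outside the hunk.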