Switch seccomp filter to whitelist (#37)
Previously the seccomp filter would use a whitelist, denying access only
to system calls known to perform network operations. This has the big
disadvantage that every new system call would be allowed by default.

To prevent accidentally opening up the sandbox due to not tracking the
Kernel appropriately, the filter has been switched to a whitelist
instead. This means only system calls which are explicitly present in
the list are allowed.

When the network sandbox is disabled, all system calls are allowed
regardless of our whitelist. This means that even new unknown system
calls will be allowed without having to update Birdcage to track them.

Closes #33.
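The allow-list shape the commit message argues for, as an added example that is not Birdcage's own code: a minimal seccomp-bpf program in C that permits a fixed set of syscalls and returns EPERM for everything else, so a syscall the kernel adds later is denied by default rather than allowed. The list of five syscalls is an illustrative assumption (a real process needs many more, e.g. mmap, brk, futex), and the tiny `evaluate()` interpreter is mine, written so the filter's decisions can be checked without installing it; `install_allow_list()` shows the real `prctl` path and only runs when the program is invoked with `--install`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* older headers only define SECCOMP_RET_KILL */
#endif

#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

#define MAX_INSNS 64

/* Illustrative allow-list (an assumption for this example; a real sandbox
 * needs far more entries). socket/connect are deliberately absent, so they
 * fall through to the default deny action. */
static const uint32_t allowed_syscalls[] = {
    SYS_read, SYS_write, SYS_openat, SYS_close, SYS_exit_group,
};
#define NUM_ALLOWED (sizeof allowed_syscalls / sizeof allowed_syscalls[0])

/* Emit the filter into prog (capacity MAX_INSNS) and return its length.
 * Shape: arch check -> load nr -> (JEQ nr, RET ALLOW) per entry -> RET ERRNO(EPERM).
 * Only explicitly matched numbers are allowed; that is what makes it an allow-list. */
static size_t build_allow_list(struct sock_filter *prog) {
    size_t n = 0;
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, arch));
    prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < NUM_ALLOWED; i++) {
        prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                 allowed_syscalls[i], 0, 1);
        prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                             SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    return n;
}

/* Tiny interpreter for the three opcodes the builder emits (LD ABS, JEQ K, RET K).
 * Walks the program for one synthetic syscall event and returns the action word. */
static uint32_t evaluate(const struct sock_filter *prog, size_t n,
                         const struct seccomp_data *d) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &prog[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS)) {
            memcpy(&acc, (const unsigned char *)d + in->k, sizeof acc);
        } else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K)) {
            pc += (acc == in->k) ? in->jt : in->jf;
        } else if (in->code == (BPF_RET | BPF_K)) {
            return in->k;
        } else {
            return SECCOMP_RET_KILL_PROCESS; /* opcode not modelled here */
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* fell off the end: treat as deny */
}

/* What the filter would decide for syscall `nr` arriving from architecture `arch`. */
static uint32_t verdict_for(int nr, uint32_t arch) {
    struct sock_filter prog[MAX_INSNS];
    size_t n = build_allow_list(prog);
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return evaluate(prog, n, &d);
}

/* Real installation: no_new_privs is required for an unprivileged process. */
static int install_allow_list(void) {
    struct sock_filter prog[MAX_INSNS];
    struct sock_fprog fprog = { .len = (unsigned short)build_allow_list(prog), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog, 0, 0);
}

int main(int argc, char **argv) {
    printf("read   -> %#x\n", verdict_for(SYS_read, THIS_ARCH));
    printf("socket -> %#x\n", verdict_for(SYS_socket, THIS_ARCH));
    if (argc > 1 && strcmp(argv[1], "--install") == 0) {
        if (install_allow_list() != 0) { perror("seccomp"); return 1; }
        /* From here on only the listed syscalls succeed; socket() would get EPERM. */
        printf("filter installed\n");
    }
    return 0;
}
```

Run it without arguments to see the offline verdicts; with `--install` it applies the filter to itself, after which anything outside the list (including whatever a later sandbox step such as landlock needs) is refused, which is why the order of sandbox layers matters.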
cd-work authored Aug 30, 2023
1 parent 2a8dfbf commit dbfd7b9
Showing 2 changed files with 419 additions and 37 deletions.
6 changes: 2 additions & 4 deletions src/linux/mod.rs
@@ -9,7 +9,7 @@ use landlock::{
};

use crate::error::{Error, Result};
use crate::linux::seccomp::Filter;
use crate::linux::seccomp::NetworkFilter;
use crate::{Exception, Sandbox};

mod seccomp;
@@ -70,11 +70,9 @@ impl Sandbox for LinuxSandbox {
}

// Create and apply seccomp filter.
let mut seccomp = Filter::new();
if !self.allow_networking {
seccomp.deny_networking()?;
NetworkFilter::apply()?;
}
seccomp.apply()?;

// Apply landlock rules.
let status = self.landlock.restrict_self()?;
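Review bot: `NetworkFilter::apply()?` now installs the seccomp allow-list before `self.landlock.restrict_self()?` runs a few lines later, so the allow-list has to contain every syscall that step needs (the `landlock_restrict_self` call and any `prctl` it makes); if one is missing, sandbox setup fails after the filter is already active. Consider applying the landlock ruleset first and the seccomp filter last, so the list only has to cover the sandboxed child's own runtime. Also, `// Create and apply seccomp filter.` is stale now that nothing is created and the apply is conditional; `// Apply the seccomp network allow-list unless networking is permitted.` would match the code.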
