Improving Container Security with System Call Interception
Author: The Linux Foundation
Uploaded: 2022-08-08
Views: 703
Description:
Improving Container Security with System Call Interception - Stephane Graber, Canonical Ltd. & Christian Brauner, Microsoft
Seccomp system call interception (notify target) has been around since Linux 5.9 and allows for a seccomp policy to stop the execution of a system call, notify userspace about the call and finally return the response provided by the userspace process. It can be tricky to use properly due to potential time of check / time of use issues as well as the need to resolve pointers on some system calls. But when used properly, it allows for very selective interception of actions from a very restricted/unprivileged container by a more privileged monitoring process which can then selectively decide to re-run the call with elevated privileges. This allows for far more workloads to be run in unprivileged containers while retaining the ability to do some of their more privileged tasks. In this talk, we'll be going over the basics of how all of this works as well as the work we've done with system call interception in LXD. LXD currently uses the mechanism to allow some uses of a variety of system calls including "setxattr", "bpf", "mount" and "mknod". One highlight use case is how LXD can intercept some "mount" system calls and transparently replace them with an equivalent FUSE mount.
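As an added illustration, not code from the talk or from LXD, the two halves of the mechanism described above in C: the BPF filter that returns SECCOMP_RET_USER_NOTIF for mknodat, and the supervisor-side handler that re-validates the notification id between copying the target's arguments and acting on them, which is the time-of-check/time-of-use guard the abstract warns about. It assumes an x86_64 or aarch64 Linux host with 5.x kernel headers, that the listener fd was obtained by installing the filter with seccomp(2) and SECCOMP_FILTER_FLAG_NEW_LISTENER, and that read_args and act are hypothetical callbacks supplied by the supervisor.

```c
#include <stddef.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define EXAMPLE_ARCH AUDIT_ARCH_X86_64
#else
#define EXAMPLE_ARCH AUDIT_ARCH_AARCH64 /* assumption: only these two hosts */
#endif

/* Filter: kill on a foreign arch, hand mknodat to the supervisor, allow the rest.
 * Writes 7 instructions into prog (capacity must be >= 7) and returns the count. */
size_t build_notify_filter(struct sock_filter *prog)
{
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mknodat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    memcpy(prog, f, sizeof(f));
    return sizeof(f) / sizeof(f[0]);
}

/* Hypothetical supervisor callbacks: read_args copies pointer arguments out of
 * /proc/<req->pid>/mem, act re-executes the call with the supervisor's own
 * privileges; both return 0 or -errno, which becomes the target's result. */
typedef int (*notif_fn)(const struct seccomp_notif *);

/* Supervisor side: service one intercepted call on the listener fd.
 * The id re-check sits between reading the target's memory and acting: if the
 * target died or was signalled, the copied arguments may be garbage, so neither
 * act nor reply. Returns 0 once a response is sent, -1 with errno otherwise. */
int handle_notification(int fd, notif_fn read_args, notif_fn act)
{
    struct seccomp_notif req = { 0 };       /* kernel requires a zeroed request */
    struct seccomp_notif_resp resp = { 0 };
    if (ioctl(fd, SECCOMP_IOCTL_NOTIF_RECV, &req) < 0) return -1;
    resp.error = read_args(&req);           /* copy args from target memory */
    if (ioctl(fd, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id) < 0) return -1;
    if (resp.error == 0)
        resp.error = act(&req);             /* privileged re-execution */
    resp.id = req.id;
    return ioctl(fd, SECCOMP_IOCTL_NOTIF_SEND, &resp);
}
```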