Comments (6)
Hm, I guess seccomp isn't what you're looking for, because IMHO it is too restrictive in our case (as it only allows read, write, sigreturn and exit syscalls). If you really want to use seccomp for that to avoid chrooting, we might need to create a preload wrapper which passes every open, fork, exec, whatnot to some special master daemon which executes that action and hands down the FD over unix sockets. And this in turn leads to way more complexity around a feature which is not meant to be used like that.
A better way would be to make use of an LSM to properly avoid running as root. Unfortunately the availability of the LSM varies depending on the distribution/kernel configuration.
You're talking about the old seccomp. The new seccomp filtering feature in Linux 3.5 should allow (almost) arbitrary syscall filtering using BPF. See http://kernelnewbies.org/Linux_3.5/#head-c48d6a7a26b6aae95139358285eee012d6212b9e.
Hm, my impression was that it does not allow syscalls beyond the scope of the currently active capabilities (like chroot)?
Going to have a look at that this weekend if no one else did in the meantime...
It doesn't, but it should allow restricting a root process, e.g. disallowing file system access outside of /nix or setuid to non-nixbld users.
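The kind of restriction described in the previous comment (a root build process that keeps running but is refused setuid() to any uid outside the build-user range), shown as an added example that is not code from this thread or from Nix. The nixbld uid range 30001-30032 is constructed, only x86_64 and aarch64 are handled in the arch check, and the filter answers EPERM instead of killing the process so the caller observes the refusal.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#define NIXBLD_UID_MIN 30001u /* constructed uid range for the hypothetical nixbld users */
#define NIXBLD_UID_MAX 30032u
#define FILTER_LEN 10 /* instructions emitted by build_filter() */
/* Writes the filter into prog[FILTER_LEN]; returns the instruction count. */
int build_filter(struct sock_filter *prog) {
    const struct sock_filter f[FILTER_LEN] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 0, 7),        /* wrong arch -> [9] kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setuid, 0, 3),    /* not setuid -> [7] allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])), /* uid, low 32 bits */
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, NIXBLD_UID_MIN, 0, 2), /* uid < MIN -> [8] deny */
        BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, NIXBLD_UID_MAX, 1, 0), /* uid > MAX -> [8] deny */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),               /* [7] */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),       /* [8] fail the call, keep the process */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),                /* [9] */
    };
    memcpy(prog, f, sizeof f);
    return FILTER_LEN;
}
/* Installs the filter on the calling thread: 0 on success, -1 with errno set. */
int install_filter(void) {
    struct sock_filter prog[FILTER_LEN];
    struct sock_fprog fprog = { .len = (unsigned short)build_filter(prog), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* required without CAP_SYS_ADMIN */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
int main(void) {
    if (install_filter() != 0) { perror("seccomp"); return 1; }
    /* Outside the range the filter answers EPERM, even for root (non-root fails anyway). */
    if (setuid(65534) == -1) perror("setuid(65534)");
    return 0;
}
```

Seccomp only ever removes syscalls from what the process could already do, which is why the filter is useful for confining a root builder but cannot stand in for the chroot or capability work the thread discusses.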
Okay, as I'm already implementing seccomp BPF for steam (see aszlig/nixpkgs@49d6a8b), I'm assigning this issue to me, as I'm on my way to making this generic.
Correction: I would have assigned this to me :-)
Closing this, we're already using seccomp.