I'm looking for an example of using eBPF to write a seccomp filter, but I can't find any. Could someone tell me if it is possible to use eBPF to write a seccomp filter?
2 Answers
6
Seccomp does not work with eBPF at the moment (only cBPF).
There was a discussion not long ago on that topic on the Linux networking mailing list. The eBPF maintainer is against adding eBPF support to seccomp.
- "the goal of opening up BPF to unprivileged users has been abandoned as unachievable, and that further work in that direction will not be accepted by the BPF maintainer". Still, it's possible to attach an eBPF socket filter to a UDP socket without privileges. Does that statement mean that it won't be possible in the future? – Maicake Aug 30 '19 at 07:16
- Very unlikely, that would break user API. Linux community has a strong policy against breaking existing user applications. – Qeole Aug 30 '19 at 08:33
- https://lists.linuxfoundation.org/pipermail/containers/2018-February/038476.html Is this patch merged in some kernel? How can I check it? In my kernel's source code I don't have the seccomp examples. – Maicake Sep 09 '19 at 15:40
- To search for it you could try to grep it from the git log (e.g. `git log --oneline | grep "eBPF Seccomp filters"`). It's BPF so it would probably be added through bpf-next tree (but not 100% sure because it also touches security stuff). But in practice you can save yourself the trouble: I can tell you it has not been merged as of today. (Full thread [here](https://lore.kernel.org/netdev/20180226072651.GA27045@ircssh-2.c.rugged-nimbus-611.internal/) by the way). – Qeole Sep 09 '19 at 20:51
2
Kernel Runtime Security Instrumentation (KRSI) was designed for this. It's already been merged into the kernel.

Natan Yellin