Surface sentry seccomp violations #3905
Comments
ianlewis
added
area: security
|
One way I thought of to surface this info is to extend It would be even better if we could surface events all the way back up to Kubernetes and surface info in the Kubernetes API. |
|
Seccomp violations are logged to the audit log and it contains information about which syscall hit it: |
|
It doesn't look like it lists the arguments which are important when doing argument-based filtering. It also doesn't appear to indicate which sandbox the specific violation is associated with. |
|
Yeah, not ideal but you could probably identify the sandbox from the pid |
If the sentry makes a syscall which is not allowed by its seccomp policy, it is immediately killed. This is required for the security model. Unfortunately, it is difficult to discover which syscall (or argument) triggered the violation. Surfacing this information would be useful for monitoring for potential compromise and bugs in production. The current solution for debugging locally involves uncommenting a line of code and recompiling, which could also be improved upon.
One solution would be using the new seccomp notifier mechanism:
https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html#userspace-notification
This could be used to notify a non-sandboxed process running alongside the sentry of the details of the violation. This information could then be relayed to some monitoring or logging system.
The text was updated successfully, but these errors were encountered: