Surface sentry seccomp violations #3905
Labels: area: security, area: usability, type: enhancement
If the sentry makes a syscall which is not allowed by its seccomp policy, it is immediately killed. This is required for the security model. Unfortunately, it is difficult to discover which syscall (or argument) triggered the violation. Surfacing this information would be useful for monitoring for potential compromise and bugs in production. The current solution for debugging locally involves uncommenting a line of code and recompiling, which could also be improved upon.
One solution would be using the new seccomp notifier mechanism:
https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html#userspace-notification
This could be used to notify a non-sandboxed process running alongside the sentry of the details of the violation. This information could then be relayed to some monitoring or logging system.
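The notifier approach proposed above, as an added C example (not part of the original issue and not gVisor's code): the filtered process installs an allowlist filter whose default action is `SECCOMP_RET_USER_NOTIF`, and a supervisor holding the listener fd receives each violation and formats it for logging. The function names are hypothetical, and the architecture check is left out as an assumption of the example.

```c
/* Added example; function names are hypothetical, not gVisor's API. */
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Allowlist: listed syscalls pass; anything else raises a user notification
 * instead of a kill. Returns the instruction count (f needs n + 3 slots).
 * Assumption: the architecture check a real policy needs is omitted. */
size_t build_filter(struct sock_filter *f, const int *allowed, size_t n) {
    size_t i, pc = 0;
    f[pc++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                           offsetof(struct seccomp_data, nr));
    for (i = 0; i < n; i++) /* on a match, jump forward to the ALLOW return */
        f[pc++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                  (unsigned)allowed[i], (unsigned char)(n - i), 0);
    f[pc++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF);
    f[pc++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return pc;
}

/* Sandboxed side: install the filter, return the listener fd for the supervisor. */
int install_listener(struct sock_filter *f, size_t count) {
    struct sock_fprog prog = { .len = (unsigned short)count, .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER,
                        SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
}

/* Supervisor side: block until the filtered process makes a disallowed call. */
int recv_violation(int listener, struct seccomp_notif *req) {
    memset(req, 0, sizeof(*req)); /* the kernel rejects a non-zeroed buffer */
    return ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, req);
}

/* Render the record a supervisor could relay to logging or monitoring. */
int format_violation(const struct seccomp_notif *req, char *buf, size_t len) {
    int i, off = snprintf(buf, len, "seccomp violation pid=%u arch=0x%x nr=%d args=",
                          req->pid, req->data.arch, req->data.nr);
    for (i = 0; i < 6 && off > 0 && (size_t)off < len; i++)
        off += snprintf(buf + off, len - (size_t)off, "%s0x%llx", i ? "," : "",
                        (unsigned long long)req->data.args[i]);
    return off;
}
```

The trapped call stays blocked until the supervisor answers, so the supervisor can log the record and then kill the process to keep the kill-on-violation behaviour.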