Easy seccomp

[user4329]

Hi,

It would be great if it was easy to use seccomp, rather than having to manually create seccomp-bpf filters. It could be managed similar to capabilities e.g. —seccomp-drop chroot() and —seccomp-add kexec().

People like myself don’t know how to manually create seccomp-bpf filters so this would be a good option for them.

[smcv]

Prior art: systemd's SystemCallFilter and related options, documented in systemd.exec(5). This is mostly done in terms of topic-based groups of syscalls like @default and @file-system, because the raw system calls themselves are unpleasantly subtle to use as an API (for example in recent glibc, fopen() actually calls the openat syscall, not open like you might expect).

bubblewrap is a security-sensitive component (on some OSs, like Debian and RHEL, it needs to be setuid root), so it is desirable to minimize the amount of code in bubblewrap. For instance, this is why it has its own simplistic command-line parsing (which only supports --foo bar and not --foo=bar) instead of using getopt().

A higher-level API for the syscalls that are allowed and forbidden would probably be better done in a higher-level, more-user-friendly wrapper around bubblewrap, such as flatpak run.

[user4329]

Thanks! I didn’t know that. Now it doesn’t sound like such a good idea.