BUG: cannot add blacklist items to a whitelist

[justincormack]

For docker we ship a default seccomp profile that is a whitelist using libseccomp-golang see https://github.com/docker/docker/tree/master/profiles/seccomp

However it seems to be impossible to have a default action of ERRNO and then add an ERRNO rule to blacklist a particular pattern as we get a "requested action matches default action of filter" error message passed through from libseccomp.

We want to block some particular argument values of a particular syscall (see moby/moby#23893 ), so eg setsockopt(x, 0, 41, x) and setsockopt(x, 0, 96, x) and setsockopt(x, 41, 41, x) should be denied, while allowing any other values, but although this can easily be written with a socket filter directly, it does not seem to be possible to write with libseccomp.

I was wondering if perhaps it could accept rules with the same action as the default and construct the appropriate bpf.

This is also mentioned in this issue comment, although there is workaround in that case #27 (comment)

[pcmoore]

We don't want to allow rules with the same action as the default action (that doesn't make any sense), but we should take into account the errno value when making this decision. For example, we should allow a rule with ERRNO(y) when the default rule is ERRNO(x), but block the addition of a rule with ERRNO(x). Does that make sense?

We should also apply the same change to the TRACE(x) handling.

[justincormack]

Hi, no that is not what my issue is, that is a different issue. My issue is that I cannot express the rules I want at all, I was just suggesting that perhaps one workaround would be to accept those rules and interpret them as a way of making the required bpf program, as the current format is not expressive enough for me to write the rules I want.

[pcmoore]

Okay, I guess I'm a bit confused by this section of your original problem report:

However it seems to be impossible to have a default action of ERRNO and then add an ERRNO rule to blacklist a particular pattern as we get a "requested action matches default action of filter" error message passed through from libseccomp.

Can you help clarify this for me?

[justincormack]

Well I just thought one way of specifying a blacklist item with a whitelist might be to try to return the same return value as the default, ie errno, but obviously that doesnt work. What I want is:

default errno
if match1 then errno
if match2 then errno
otherwise allow

The actual bpf program wouldnt look quite like this, but the libseccomp format doesnt express jumps...

[pcmoore]

Okay, I think I understand what you are trying to do now and you can't do that, although to be honest you really shouldn't be doing that as there is a simpler approach. Taking your example above:

default errno
if match1 then errno
if match2 then errno
otherwise allow

NOTE: the "otherwise" is slightly ambiguous as it is unclear if it belongs to the second if-condition or the filter as a whole, I'm assuming the latter.

You define a default action of "errno", but in reality the default action is "allow" as your filter only triggers "errno" if "match1" or "match2" are true. I would suggest the following as functionally equivalent and libseccomp-legal alternative:

default allow
if match1 then errno
if match2 then errno

Does that make sense? Am I misunderstanding what you are trying to do?