News: 0000826897


Brauner: The Seccomp Notifier – New Frontiers in Unprivileged Container Development

([Kernel] Jul 23, 2020 19:54 UTC (Thu) (corbet))


Christian Brauner has posted [1]a novella-length description of the seccomp notifier mechanism and the problems it is meant to solve. "So from the section above it should be clear that seccomp provides a few desirable properties that make it a natural candidate to look at to help solve our mknod(2) and mount(2) problem. Since seccomp intercepts syscalls early in the syscall path it already gives us a hook into the syscall path of a given task. What is missing though is a way to bring another task such as the LXD container manager into the picture. Somehow we need to modify seccomp in a way that makes it possible for a container manager to not just be informed when a task inside the container performs a syscall it wants to be informed about but also to make it possible to block the task until the container manager instructs the kernel to allow it to proceed."



[1] https://people.kernel.org/brauner/the-seccomp-notifier-new-frontiers-in-unprivileged-container-development
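The mechanism Brauner describes (intercept the syscall early, park the task, let a container manager rule on it) is the seccomp user-notification API that shipped in Linux 5.0. What follows is an added example written for this item, not code from Brauner's post or from LXD/LXC: a process filters its own mknodat() calls with SECCOMP_RET_USER_NOTIF, forks a stand-in "container manager" that inherits the listener fd, and lets that supervisor answer each parked call against a small device allowlist. The names run_demo, supervised_task, handle_notification, policy_allows and DEMO_ARCH, the allowlist, and the two devices tried are this example's own assumptions; it needs Linux 5.0 or newer, and any architecture other than x86_64 or aarch64 needs its AUDIT_ARCH_* value filled in.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <poll.h>
#include <stddef.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/sysmacros.h>
#include <sys/wait.h>
#include <unistd.h>

#ifdef __x86_64__
#define DEMO_ARCH AUDIT_ARCH_X86_64
#else
#define DEMO_ARCH AUDIT_ARCH_AARCH64   /* other arches: set yours; a mismatch kills */
#endif
enum { DEMO_OK = 0, DEMO_FAILED = -1, DEMO_UNSUPPORTED = 11 };

/* Supervisor policy (this example's, not LXD's): only the character devices
 * null/zero/full/random/urandom. args[3] carries the kernel's 32-bit dev
 * encoding, which equals makedev() for small major/minor numbers. */
int policy_allows(unsigned int mode, unsigned int dev)
{
    unsigned int mi = minor(dev);
    return S_ISCHR(mode) && major(dev) == 1 &&
           (mi == 3 || mi == 5 || mi == 7 || mi == 8 || mi == 9);
}

/* Supervisor side: take one parked syscall off the listener, decide, answer. */
static int handle_notification(int lfd)
{
    struct pollfd pfd = { .fd = lfd, .events = POLLIN };
    struct seccomp_notif req = { 0 };       /* the kernel insists on a zeroed buffer */
    struct seccomp_notif_resp resp = { 0 };
    if (poll(&pfd, 1, 5000) != 1 || !(pfd.revents & POLLIN) ||
        ioctl(lfd, SECCOMP_IOCTL_NOTIF_RECV, &req))
        return -1;                          /* timed out, or the task went away */
    /* mode and dev sit in req.data.args by value. The path (args[1]) is a pointer
     * into the task's memory that a manager reads via /proc/<req.pid>/mem; that pid
     * may be recycled meanwhile, so such lookups are valid only if the id still lives. */
    if (ioctl(lfd, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id))
        return -1;                          /* stale request: drop it */
    resp.id = req.id;
    if (policy_allows((unsigned)req.data.args[2], (unsigned)req.data.args[3]))
        resp.val = 0;        /* a real manager would mknod() the node for the task here */
    else
        resp.error = -EPERM; /* the task sees mknodat() == -1 with errno == EPERM */
    return ioctl(lfd, SECCOMP_IOCTL_NOTIF_SEND, &resp);
}

/* Task side: filter itself, fork the supervisor (which inherits the listener),
 * then try two mknodat() calls and report in its exit code what it observed. */
static int supervised_task(void)
{
    struct sock_filter filt[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),  /* foreign ABI */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mknodat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),    /* park, ask supervisor */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(filt) / sizeof(filt[0]), .filter = filt };
    int lfd, sup, status, n = 0;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return 10;
    lfd = syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER,
                  SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
    if (lfd < 0) return DEMO_UNSUPPORTED;   /* pre-5.0 kernel, or seccomp blocked */
    if ((sup = fork()) < 0) return 12;
    if (sup == 0) {                         /* supervisor: it never calls mknodat */
        while (n < 2 && handle_notification(lfd) == 0)
            n++;
        _exit(n == 2 ? 0 : 1);
    }
    close(lfd); /* only the supervisor holds the listener; if it dies, parked calls get ENOSYS */
    /* (1,3) = null is allowlisted, expect 0; (10,200) = tun is not, expect EPERM */
    int got_null = syscall(__NR_mknodat, AT_FDCWD, "null", S_IFCHR | 0600, (unsigned)makedev(1, 3));
    int got_tun = syscall(__NR_mknodat, AT_FDCWD, "tun", S_IFCHR | 0600, (unsigned)makedev(10, 200));
    if (got_tun == -1 && errno != EPERM) got_tun = -2;
    waitpid(sup, &status, 0);
    return got_null == 0 && got_tun == -1 && WIFEXITED(status) && !WEXITSTATUS(status) ? DEMO_OK : 20;
}

/* Run everything in a child so the caller's own process never gets filtered. */
int run_demo(void)
{
    int status, code, pid = fork();
    if (pid < 0) return DEMO_FAILED;
    if (pid == 0) _exit(supervised_task());
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return DEMO_FAILED;
    code = WEXITSTATUS(status);
    return (code == DEMO_OK || code == DEMO_UNSUPPORTED) ? code : DEMO_FAILED;
}
```

Call run_demo() from a main() of your own: it returns DEMO_OK when the task saw both verdicts (0 for the allowlisted node, EPERM for the other) and DEMO_UNSUPPORTED when the kernel or an enclosing seccomp policy refuses SECCOMP_FILTER_FLAG_NEW_LISTENER. Two points worth noticing: mode and dev are safe to decide on because the notification carries them by value, whereas the pathname is a pointer the manager has to copy out of the task and then re-check with SECCOMP_IOCTL_NOTIF_ID_VALID, since the pid it used could have been recycled in between; and the supervisor answers with a result or an error rather than letting the kernel run the call in the task (SECCOMP_USER_NOTIF_FLAG_CONTINUE), both because the unprivileged task lacks CAP_MKNOD and because a verdict based on arguments read from the task's memory would be racy if the call then executed there.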
