Mesos / MESOS-9456

Set `SCMP_FLTATR_CTL_LOG` attribute during initialization of Seccomp context

Details

    Description

      Since version 4.14, the Linux kernel supports the `SECCOMP_FILTER_FLAG_LOG` flag, which enables logging for all Seccomp filter return actions except `SECCOMP_RET_ALLOW`. If a Seccomp filter does not allow a system call, the kernel prints a message to dmesg when that system call is invoked.

      At the moment, libseccomp ver. 2.3.3 does not provide this flag, but the latest master branch of libseccomp supports `SECCOMP_FILTER_FLAG_LOG`. So, we need to add

      seccomp_attr_set(ctx, SCMP_FLTATR_CTL_LOG, 1);

      to `SeccompFilter::create()` once the next version of libseccomp (v2.3.4+) is released.
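The kernel flag behind this attribute can be exercised without libseccomp. The following is an added example, not code from Mesos or libseccomp: it loads a constructed filter through the raw `seccomp(2)` system call with `SECCOMP_FILTER_FLAG_LOG` and falls back to an unlogged filter when the kernel rejects the flag. The names `install_filter` and `demo_seccomp_log` are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SECCOMP_FILTER_FLAG_LOG            /* UAPI headers older than Linux 4.14 */
#define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
#endif

/* Constructed filter: getppid() fails with EPERM, everything else is allowed.
 * A production filter must also validate seccomp_data.arch. */
static int install_filter(unsigned long flags)
{
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(insns) / sizeof(insns[0]), .filter = insns };
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, flags, &prog);
}

/* Runs in a forked child so the caller stays unfiltered. Returns 0 if the
 * filter is enforced with logging, 1 if enforced without logging (kernel
 * rejected the flag with EINVAL), -1 if no filter could be enforced. */
int demo_seccomp_log(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int code = 0;
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) _exit(2);
        if (install_filter(SECCOMP_FILTER_FLAG_LOG) != 0) {
            if (errno != EINVAL || install_filter(0) != 0) _exit(2);
            code = 1;                      /* pre-4.14 kernel: no logging */
        }
        errno = 0;                         /* denied call; logged when the flag is set */
        if (syscall(SYS_getppid) != -1 || errno != EPERM) _exit(3);
        _exit(code);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) <= 1 ? WEXITSTATUS(status) : -1;
}
```
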

       

          People

            Unassigned Unassigned
            abudnik Andrei Budnik