Posted by LWN.net ([info]syn_lwnheadline)
@ 2020-07-23 19:54:00


Brauner: The Seccomp Notifier – New Frontiers in Unprivileged Container Development
Christian Brauner has posted a novella-length description of the seccomp notifier mechanism and the problems it is meant to solve.

"So from the section above it should be clear that seccomp provides a few desirable properties that make it a natural candidate to look at to help solve our mknod(2) and mount(2) problem. Since seccomp intercepts syscalls early in the syscall path it already gives us a hook into the syscall path of a given task. What is missing though is a way to bring another task such as the LXD container manager into the picture. Somehow we need to modify seccomp in a way that makes it possible for a container manager to not just be informed when a task inside the container performs a syscall it wants to be informed about but also to make it possible to block the task until the container manager instructs the kernel to allow it to proceed."
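As an added example (not Brauner's or LXD's code) of the supervisor side of that mechanism: the filter below marks mknodat(2) with SECCOMP_RET_USER_NOTIF, the forked child's call sleeps in the kernel until the parent reads the notification from the listener fd and answers it. The device-node policy, the x86-64 default for ARCH_NR and the /tmp path are assumptions; it needs Linux 5.5+ headers.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/sysmacros.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef ARCH_NR /* assumption: x86-64; build with -DARCH_NR=AUDIT_ARCH_AARCH64 on arm64 */
#define ARCH_NR AUDIT_ARCH_X86_64
#endif
/* Kill on a foreign arch, hand mknodat(2) to the supervisor, allow everything else. */
struct sock_filter notif_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mknodat, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
/* Illustrative policy (not LXD's list): only char devices with major 1 (null, zero, full, random, urandom). */
int policy_decide(const struct seccomp_notif *req) {
    unsigned long long mode = req->data.args[2], dev = req->data.args[3];
    if (req->data.nr != __NR_mknodat) return -ENOSYS; /* never trust the filter blindly */
    return ((mode & S_IFMT) == S_IFCHR && major(dev) == 1) ? 0 : -EPERM;
}
int main(void) {
    struct sock_fprog fp = { .len = sizeof notif_filter / sizeof notif_filter[0], .filter = notif_filter };
    prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
    int lfd = (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &fp);
    if (lfd < 0) { perror("seccomp"); return 1; }
    if (fork() == 0) { /* the "container" task: inherits the filter, sleeps in the kernel until answered */
        _exit(mknodat(AT_FDCWD, "/tmp/seccomp-demo-sda", S_IFBLK | 0600, makedev(8, 0)) == 0 ? 0 : errno);
    }
    struct seccomp_notif req = {0}; struct seccomp_notif_resp resp = {0}; /* RECV requires a zeroed struct */
    if (ioctl(lfd, SECCOMP_IOCTL_NOTIF_RECV, &req) < 0) { perror("NOTIF_RECV"); return 1; }
    resp.id = req.id; resp.error = policy_decide(&req);
    if (resp.error == 0) resp.flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE; /* tell the kernel to perform it */
    ioctl(lfd, SECCOMP_IOCTL_NOTIF_SEND, &resp);
    int st = 0; wait(&st);
    printf("pid %u asked for mknodat; supervisor answered %d; child exit status %d\n", req.pid, resp.error, WEXITSTATUS(st));
}
```

Because the filter is installed before fork, the supervisor itself must never call mknodat or it would wait for its own answer; a real manager installs the filter in the child and passes the listener fd back. SECCOMP_USER_NOTIF_FLAG_CONTINUE is only safe when, as here, the decision rests on register arguments rather than on memory the task could change after the check.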

