Monitoring seccomp violations

31 views
Skip to first unread message

Ian Gudger

unread,
Sep 9, 2020, 5:26:24 PM9/9/20
to gvisor...@googlegroups.com
What is the best way to monitor for sentry seccomp violations? I am looking to keep track of both their occurrences and the syscall and args that triggered the violation. I found this commented out line of code that claims to print a stack trace on violation, but this seems to replace the kill action.

Adin Scannell

unread,
Sep 9, 2020, 5:40:20 PM9/9/20
to Ian Gudger, gVisor Users
On Wed, Sep 9, 2020 at 2:26 PM Ian Gudger <i...@iangudger.com> wrote:
What is the best way to monitor for sentry seccomp violations? I am looking to keep track of both their occurrences and the syscall and args that triggered the violation. I found this commented out line of code that claims to print a stack trace on violation, but this seems to replace the kill action.

Newer kernels support a seccomp notifier mechanism. This could be plumbed through somewhere (maybe to the containerd shim?):

The receiver of that notification would be able to log it, then do whatever they want (e.g. kill the sandbox).

Let us know if that's useful and would love to hear about any plans! :)

-- 
You received this message because you are subscribed to the Google Groups "gVisor Users [Public]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gvisor-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/gvisor-users/CANFXSj08jTwz3qVxXio1OcSWsZHSx%2BOwofcWrc0CRWNKKotexQ%40mail.gmail.com.

Ian Gudger

unread,
Sep 10, 2020, 5:47:35 PM9/10/20
to Adin Scannell, gVisor Users
That does look useful, thanks!

I think properly surfacing seccomp violations would make open source gVisor significantly more production ready. In addition to security monitoring, it would aid in debugging seccomp violation related bugs.

Ian Lewis

unread,
Sep 10, 2020, 7:08:23 PM9/10/20
to Ian Gudger, Adin Scannell, gVisor Users
Thanks for the feedback. How do you imagine they could be surfaced? One open-sourcey way I can think of would be to expose them via the `runsc events` command which returns container events and could be extended to support something like this. Perhaps eventually it could be part of a proper client library (e.g. gvisor.dev/issue/238). What do you think?

Could you create an issue for this so it could be tracked?



--

Ian Lewis | Developer Advocate | ianl...@google.com | +81 (03)4540-2465

Ian Gudger

unread,
Sep 10, 2020, 7:26:16 PM9/10/20
to Ian Lewis, Adin Scannell, gVisor Users
I filed gvisor.dev/issue/3905. I am not sure what the right way to surface this information is. At a minimum it should be logged somewhere. It would also be useful to integrate with a monitoring system of some sort or enable custom integration via some mechanism. The important thing is that if you are seeing your sandboxes being killed, it should be possible to find out why.
Reply all
Reply to author
Forward
0 new messages