@screwtape In general, as little C as you can with as limited & as strict an interface as possible.
The reason media decoders are such an egregious use of #C is that I can hardly imagine something exposed to more complex arbitrary input from untrusted sources than that which anyone runs on a common basis.
I'm not sure, I actually did try to see if other OSes did include #SECCOMP-like features and there looked to be nothing similar in #OpenBSD?
Here is the problem, as far as I can tell. There are 2 different "BPF" variants: #BPF and #eBPF. What #LLVM calls BPF is in fact eBPF, while #seccomp only understands non-e BPF.
This was a horrible experience and a complete waste of time. If I need a compiler for security policies, you fucked up and should reconsider the design. (Remember selinux?) If I have to handcraft security policy bytecode, then my choice is between SECCOMP_MODE_STRICT or nothing.
Thank you for coming to my ted talk.
I managed to get #clang to compile to #seccomp bytecode. I'm pretty sure it has to take a struct seccomp_data* and return a uint32_t. Pretty sure...
It made a .o file with a weird arch: elf64-bpf. llvm-objdump even shows the disassembled code in it. Now what? I have to pass it to prctl but I have no idea how.
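The two posts above run into the classic-BPF versus eBPF split: seccomp only accepts classic BPF, so the usual way to get a program into it is not an object file from clang but a small array of `struct sock_filter` built with the kernel's `BPF_STMT`/`BPF_JUMP` macros and handed to `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...)`. The following is an added example, not code from either poster: it builds an allowlist filter for a handful of syscalls, checks the architecture first (so a 32-bit compat syscall cannot slip past an x86_64 number table), dry-runs the policy against constructed `seccomp_data` values with a tiny interpreter for the three opcodes used, and only then installs it. The allowlist (`read`, `write`, `exit`, `exit_group`) and the `SANDBOX_ARCH` mapping for x86_64/aarch64 are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/audit.h>

/* Assumption: the example targets x86_64 or aarch64; extend for other arches. */
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add an AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS /* older headers only have the per-thread kill */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

#define MAX_INSNS 64

/* Constructed allowlist for the demo: enough to write a message and exit. */
const int demo_allowlist[] = { SYS_read, SYS_write, SYS_exit, SYS_exit_group };
#define DEMO_ALLOWLIST_LEN (sizeof demo_allowlist / sizeof demo_allowlist[0])
struct sock_filter scratch_insns[MAX_INSNS];

/* Emit a classic-BPF allowlist: arch check, then one JEQ per syscall number,
 * falling through to KILL_PROCESS. Returns the instruction count, 0 if the
 * buffer is too small or the list is too long for 8-bit jump offsets. */
size_t build_allowlist(struct sock_filter *out, size_t cap, const int *nrs, size_t n) {
    size_t k = 0;
    if (n > 255 || cap < n + 6) return 0;
    out[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, arch));
    out[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, nr));
    /* Each match jumps forward over the remaining compares and the KILL to ALLOW. */
    for (size_t i = 0; i < n; i++)
        out[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                (uint32_t)nrs[i], (uint8_t)(n - i), 0);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return k;
}

/* Interpreter for just the three opcodes emitted above, so a policy can be
 * checked against a constructed seccomp_data before it is ever installed. */
uint32_t run_filter(const struct sock_filter *insns, size_t n, const struct seccomp_data *d) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &insns[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:            /* acc = 32-bit word at offset k */
            memcpy(&acc, (const char *)d + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:           /* offsets are relative to pc+1 */
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:                                  /* unsupported opcode: fail closed */
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Dry-run verdict for one (arch, syscall number) pair under the given allowlist. */
uint32_t decide(const int *nrs, size_t n, uint32_t arch, int nr) {
    struct sock_filter insns[MAX_INSNS];
    size_t len = build_allowlist(insns, MAX_INSNS, nrs, n);
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return run_filter(insns, len, &d);
}

/* Install the filter. no_new_privs is required unless the caller has CAP_SYS_ADMIN. */
int install_filter(struct sock_filter *insns, size_t n) {
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) return -errno;
    return 0;
}

int main(void) {
    size_t len = build_allowlist(scratch_insns, MAX_INSNS, demo_allowlist, DEMO_ALLOWLIST_LEN);
    if (len == 0) return 1;
    /* Check the policy offline before trusting the process to it. */
    if (decide(demo_allowlist, DEMO_ALLOWLIST_LEN, SANDBOX_ARCH, SYS_openat) != SECCOMP_RET_KILL_PROCESS)
        return 1;
    int rc = install_filter(scratch_insns, len);
    if (rc) return 1;
    static const char msg[] = "seccomp filter active; write() still allowed\n";
    write(1, msg, sizeof msg - 1);   /* allowed */
    _exit(0);                        /* exit_group is allowed; anything else would be killed */
}
```

Build with `cc -Wall -o sandbox sandbox.c` and run it; adding a disallowed call such as `openat` after `install_filter` ends the process with SIGSYS, which is the behaviour the dry-run predicts. The interpreter is deliberately limited to the opcodes the builder emits; a policy using other instructions should be validated with the kernel's own semantics rather than extended here.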
🔥 Hot off the press 🔥 "k8s Operator, Could You Help Me Place SysCall?"
This week we look at Custom #Seccomp Profiles (CSP) and #Security Profiles Operator (SPO), and future #WebAssembly (#Wasm) #k8s #operators.
#kubernetes #kubernetessecurity #ebpf #grpc
https://fudge.org/archive/k8s-operator-could-you-help-me-place-syscall/
#seccomp #security #webassembly #wasm #k8s #operators #kubernetes #kubernetessecurity #ebpf #grpc
Interesting talk from Stéphane Graber as usual, https://fosdem.org/2023/schedule/event/container_syscall_interception/
The #Kubernetes Security Profiles Operator made it into #OpenShift 4.12 via the OperatorHub! 🥳
Huge shoutout to everyone involved in making this milestone possible, especially to my @RedHat colleagues! 🫶
#kubernetes #openshift #seccomp #selinux
Finally! #seccomp annotations are becoming completely non-functional in #Kubernetes v1.27:
https://github.com/kubernetes/kubernetes/pull/114947
This change will prevent the sync from the seccomp annotations to the native API field. Please upgrade your workloads if you're still using the annotations.
RT @saschagrunert@twitter.com
I wrote a new blog post about: Finding suspicious syscalls with the seccomp notifier
https://kubernetes.io/blog/2022/12/02/seccomp-notifier
Achieving stronger security defaults in #Kubernetes is hard work! But we can utilize new Linux features like #seccomp notify to move further towards this goal.
🐦🔗: https://twitter.com/saschagrunert/status/1598601362694148097
@electrona I use all of them with different profiles. My basic setup includes all of those three - firefox, brave and vivaldi, jailed by #firejail with #seccomp #apparmor and awesome #GrapheneOS hardened malloc library: https://github.com/GrapheneOS/hardened_malloc .
#firejail #seccomp #apparmor #grapheneos
Have you ever wondered how to create and distribute security profiles for #seccomp, #selinux or even #apparmor across your #Kubernetes clusters?
Then give the Security Profiles Operator a try, we released v0.6.0 only a few minutes ago: https://github.com/kubernetes-sigs/security-profiles-operator/releases/tag/v0.6.0 🥳
#seccomp #selinux #apparmor #kubernetes
#InfoSec
> #Firejail: #Insecure Use of #OverlayFS as #Sandbox File System
> Firejail is a #SUID security sandbox program that reduces the risk of #security breaches by restricting the running environment of untrusted applications using #Linux #namespaces and #seccomp-#bpf.
> [...] a #RaceCondition [...] allows creation of or granting write access to arbitrary files.
https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt
https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/
#racecondition #bpf #seccomp #namespaces #linux #security #suid #sandbox #overlayfs #insecure #firejail #infosec
Cool article. I hadn't known seccomp was so generic.
(Also hadn't known about the time and cgroup namespaces. New since last year)
#linux #kernel #security #containers #seccomp
New blog post: "How to secure a Go application with seccomp"
https://brejoc.com/2019-11-20-how-to-secure-a-go-application-with-seccomp/
#golang #go #security #seccomp #programming #blog