
nsjail requires listing its own syscalls

Open gtristan opened this issue 1 year ago • 0 comments

Currently I find myself needing to define a base policy for any executables I run:

//
// Kafel policy to allow nsjail a few syscalls to launch the executable.
//
POLICY NsJail {
    ALLOW {
        execve,
        prctl,
        prlimit64
    }
}

Otherwise I am getting audit messages like this:

type=SECCOMP msg=audit(1714125050.685:56): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=12366 comm="nsjail" exe="/usr/bin/nsjail" sig=31 arch=c000003e syscall=59 compat=0 ip=0x7f6dcd26b55b code=0x0AUID="unset" UID="root" GID="root" ARCH=x86_64 SYSCALL=execve

It seems to me that intuitively, nsjail should not apply the seccomp rules to itself, but only to the child, sandboxed process.

gtristan, Apr 26 '24 10:04
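As an added example (not code from kafel or nsjail, and not part of the original issue), the small nsjail-style launcher below reproduces the failure: it forks, installs a seccomp allowlist in the child and only then calls execve, so that execve itself, and anything the launcher does after the filter is in place, runs under the policy. It returns SECCOMP_RET_TRAP instead of KILL for unlisted syscalls so the blocked syscall number is reported back to the parent through a pipe, which is the quickest way to find out which launcher syscalls a base policy has to list. The function names (`launch`, `install_allowlist`, `on_sigsys`), the `/bin/true` target, the extra `write`/`exit_group` entries the reporter itself needs, and the x86_64/aarch64 arch check are assumptions of this example.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SYS_SECCOMP
#define SYS_SECCOMP 1          /* si_code the kernel sets on a seccomp SIGSYS */
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL   /* pre-4.14 headers */
#endif
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* The issue's base policy (execve, prctl, prlimit64) plus write and exit_group,
 * which the SIGSYS reporter below needs. Hypothetical launcher policy, not nsjail's. */
static const int base_policy[] = { __NR_execve, __NR_prctl, __NR_prlimit64,
                                   __NR_write, __NR_exit_group };
#define BASE_POLICY_LEN (sizeof base_policy / sizeof base_policy[0])

static int report_fd = -1;     /* pipe the SIGSYS handler reports through */

/* Runs when the filter returns SECCOMP_RET_TRAP: send the offending syscall number
 * to the parent. Only write and exit_group are used here, so both must be allowed. */
static void on_sigsys(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    int nr = (si->si_code == SYS_SECCOMP) ? si->si_syscall : -1;
    if (write(report_fd, &nr, sizeof nr) < 0) { /* nothing else we can do */ }
    _exit(0);
}

/* Install an allowlist: ALLOW the listed syscall numbers, TRAP everything else
 * (kafel/nsjail would KILL), kill outright if the syscall ABI is not ours. */
static int install_allowlist(const int *allow, size_t n)
{
    struct sock_filter prog[6 + 16];
    if (n > 16) return -1;
    prog[0] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[1] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    prog[2] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[3] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < n; i++)     /* on a match jump over the TRAP to the ALLOW */
        prog[4 + i] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                   (unsigned)allow[i], (unsigned char)(n - i), 0);
    prog[4 + n] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP);
    prog[5 + n] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    struct sock_fprog fprog = { .len = (unsigned short)(6 + n), .filter = prog };

    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    /* Once this returns, every syscall of this process goes through the filter. */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* nsjail-style launch: fork, install the allowlist in the child, then execve.
 * Returns the syscall number trapped before the exec; -2 if the child got through
 * its own execve and was then killed by SIGSYS inside the new program (handlers are
 * reset on exec, the filter is not); 0 if the target ran to completion; -1 on error. */
static int launch(const char *path, const int *allow, size_t n)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(fds[0]);
        report_fd = fds[1];
        struct sigaction sa;
        memset(&sa, 0, sizeof sa);
        sa.sa_sigaction = on_sigsys;
        sa.sa_flags = SA_SIGINFO;
        sigaction(SIGSYS, &sa, NULL);  /* before the filter: rt_sigaction is not listed */
        if (install_allowlist(allow, n) != 0) _exit(127);
        char *const argv[] = { (char *)path, NULL };
        char *const envp[] = { NULL };
        execve(path, argv, envp);      /* this execve is already subject to the filter */
        _exit(126);
    }
    close(fds[1]);
    int nr = -1, status = 0;
    ssize_t got = read(fds[0], &nr, sizeof nr);   /* EOF once the child is gone */
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (got == (ssize_t)sizeof nr) return nr;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return -2;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return 0;
    return -1;
}

int main(void)
{
    int nr = launch("/bin/true", base_policy + 1, BASE_POLICY_LEN - 1);
    printf("execve not listed: trapped syscall %d before the exec (execve is %d)\n", nr, __NR_execve);
    nr = launch("/bin/true", base_policy, BASE_POLICY_LEN);
    printf("execve listed: %s\n", nr == -2 ? "launcher passed its execve; the target died on its first unlisted syscall"
                                 : nr == 0 ? "target ran to completion" : "launcher error");
    return 0;
}
```

The first run reports the same number the audit line above shows (syscall=59, execve on x86_64) and the process never reaches the new image, exactly the `comm="nsjail"` kill in the issue. The second run gets past the launcher's execve and then dies on the target's own first unlisted syscall; from that point on the missing entries belong to the sandboxed program, not to the launcher, which is the split the reporter needs to know about when writing a policy.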