1 Comment

Great Article! As a KubeArmor maintainer, I would like to point out one more quirk of seccomp that resulted in us looking at LSMs (Linux Security Modules) in place of seccomp.

One of the defining limitations of seccomp is that it does not have access to syscall parameters. Imagine having to block delete/unlink only on a certain folder, not block unlink() in general. Or allow the chmod() syscall to be executed only as part of process XYZ but not anything else.

Seccomp does not allow dereferencing of these parameters, making the rules very high level, i.e., blocking at the syscall level. While this works for a few syscalls, it won't work for the general scenario; e.g., imagine a popular scenario where you want to allow specific binaries to execute and block all others. Seccomp will allow one to block execve() altogether but won't allow granular policies.

One of the goals for KubeArmor was to prevent Remote Command Execution attempts ... We could not handle it with seccomp. This is why we chose LSMs over seccomp for KubeArmor.

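The dereferencing limit the comment describes, shown as an added example (this is not KubeArmor code and not from the original post): a seccomp-bpf filter can test the integer flags word passed to unlinkat() and deny the AT_REMOVEDIR case, but the pathname argument is only a user-space address that classic BPF cannot read, so a "deny unlink under this folder" rule cannot be expressed at this layer. It assumes Linux on x86_64 or aarch64; the path used is a constructed nonexistent one.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif
/* Offset of the low 32 bits of syscall argument i (little-endian hosts). */
#define ARG_LO(i) (offsetof(struct seccomp_data, args) + (i) * sizeof(uint64_t))

/* Install a filter under which unlinkat() fails with EPERM whenever its flags
 * carry AT_REMOVEDIR; every other call is allowed. Returns 0 on success. */
int install_filter(void) {
    struct sock_filter prog[] = {
        /* Only interpret syscall numbers for the architecture we were built for. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /* Syscall number: anything other than unlinkat is allowed (jump to end). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_unlinkat, 0, 3),
        /* args[2] is the integer flags word, so the filter can test its bits.
         * args[1] is only the user-space ADDRESS of the pathname: classic BPF
         * cannot read process memory, so the path itself is invisible here and
         * a "deny unlink below /some/dir" rule cannot be written at this layer. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(2)),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, AT_REMOVEDIR, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* required for non-root */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) == 0 ? 0 : -1;
}

/* Try unlinkat() on path; returns 0 on success or the errno it failed with. */
int unlinkat_errno(const char *path, int flags) {
    return unlinkat(AT_FDCWD, path, flags) == 0 ? 0 : errno;
}
```

Once installed, the filter stays for the life of the process and is inherited by its children; a directory-scoped rule still needs an LSM such as the ones KubeArmor uses.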