Support for generating a system call log

Open DemiMarie opened this issue 6 years ago • 0 comments

On systems where bwrap is setuid root, it is not possible to ptrace the container. This is annoying, but okay in most cases.

However, one extremely useful feature of playpen is support for a learning mode for generating system call whitelists. This does not need to be part of bwrap itself, but I would like to write a wrapper that does have such support. For this to work when bwrap is setuid root, I need bwrap to be able to log system calls made by the container to a file descriptor that I pass to bwrap. The wrapper program can then generate a system call filter from this. A typical use-case is to run a trusted container in learning mode to generate the whitelist, and then run the container on untrusted data with the whitelist enforced.

The format does not need to be human-readable, but should be easily parsed by programs. A binary stream of struct bwrap_syscall would work, defined as:

struct bwrap_syscall {
	uint64_t syscall;
	uint64_t args[6];
};

DemiMarie, Jun 25 '19 15:06
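The wrapper side of the learning mode requested above, as an added example that is not part of the original issue or of bubblewrap: it reads a stream of the proposed `struct bwrap_syscall` records and collects the distinct syscall numbers an allowlist would be built from, rejecting a log that ends mid-record. The names `learn_syscalls`, `demo` and `MAX_NR`, the host-byte-order assumption, and the sample records (x86-64 numbers for read, write and exit_group) are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Record layout proposed in the issue: 7 x uint64_t, host byte order assumed. */
struct bwrap_syscall {
	uint64_t syscall;
	uint64_t args[6];
};

#define MAX_NR 1024 /* assumption: syscall numbers tracked are 0..1023 */

/* Hypothetical learner: mark every syscall number seen in the stream.
 * Returns the count of distinct syscalls, or -1 if the log ends mid-record
 * or holds an out-of-range number: such a log may be missing calls, and a
 * filter generated from it would wrongly block them later. */
int learn_syscalls(FILE *in, unsigned char seen[MAX_NR])
{
	struct bwrap_syscall rec;
	size_t n;
	int distinct = 0;
	memset(seen, 0, MAX_NR);
	while ((n = fread(&rec, 1, sizeof rec, in)) == sizeof rec) {
		if (rec.syscall >= MAX_NR)
			return -1;
		distinct += !seen[rec.syscall];
		seen[rec.syscall] = 1;
	}
	return (n == 0 && !ferror(in)) ? distinct : -1;
}

/* Constructed sample stream: read(0), write(1), read(0), exit_group(231).
 * drop_bytes > 0 simulates a log that was cut off mid-record. */
int demo(size_t drop_bytes)
{
	struct bwrap_syscall recs[4] = {
		{0, {3, 0, 4096}}, {1, {1, 0, 12}}, {0, {3, 0, 4096}}, {231, {0}},
	};
	unsigned char seen[MAX_NR];
	FILE *f = tmpfile();
	if (!f)
		return -2;
	fwrite(recs, 1, sizeof recs - drop_bytes, f);
	rewind(f);
	int r = learn_syscalls(f, seen);
	fclose(f);
	return r;
}

int main(void) { printf("distinct syscalls: %d\n", demo(0)); return 0; }
```

The `seen` table is what a wrapper would turn into filter rules; the `args` fields are carried in each record but unused here, since this sketch allows by syscall number only.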