#cf seccomp #cf


hjinkim@...

Hi.
As you can see in the image I inserted above,
Currently there is no support for configurable Seccomp Filtering in CFAR Garden v1.40.0. Do you have any plan to support configurable Seccomp filtering in CFAR Garden sooner or later?


Julz Friedman

Hi hjinkim - the 'configurable' column in that table actually means whether you can opt in/out of the feature, not whether you can configure it (admittedly that's rather unclear!). Garden enables seccomp by default and does not allow opting out (hence it's marked as false in the configurable column), and there are no plans to change that.

Although the table doesn't show it, it would also be possible - as I think you're suggesting - to allow configuring custom seccomp rules for particular containers. We don't currently have plans to allow that because it would require exposing quite a lot of new complexity to users which would be difficult given the Cloud Foundry UX (we try to hide low-level details from users), and might risk allowing users to ask for less secure rules than we would want. Do you have a particular use case in mind where you would want more configurable rules than the defaults we set out of the box?

Thanks!
Julz


On Thu, 29 Nov 2018 at 10:52 <hjinkim@...> wrote:

Hi.
As you can see in the image I inserted above,
Currently there is no support for configurable Seccomp Filtering in CFAR Garden v1.40.0. Do you have any plan to support configurable Seccomp filtering in CFAR Garden sooner or later?


hjinkim@...

I think that there is an AllowSyscall list inside seccomp.go of guardian as a default. I just wanted to provide this AllowSyscall list as an option each time I push an app. It's too bad to hear that you currently have no plan to change the configurable option on it.

Thank you for your kind answer.
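The allow-list model discussed in this thread (a default list of permitted syscalls, everything else refused), shown as an added example that is not from the thread and not Garden's or guardian's own code: a minimal seccomp-bpf program in C that lets listed syscalls through, fails every other syscall with EPERM, and kills the process on a foreign architecture. It assumes x86_64 and Linux kernel headers; the list passed in is the caller's, and guardian's real default list is not reproduced here.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
/* Layout: [0] load arch, [1] arch check, [2] load nr, [3..2+n] one JEQ per allowed
 * nr, then DENY (EPERM), ALLOW, KILL. jt/jf are 8-bit forward hops, so n is capped at 64. */
static struct sock_filter insns[64 + 6];
#define STMT(code, k) ((struct sock_filter)BPF_STMT(code, k))
#define JUMP(code, k, jt, jf) ((struct sock_filter)BPF_JUMP(code, k, jt, jf))
/* Build a default-deny allow-list filter; returns the instruction count or -1. */
int build_allowlist(const int *allowed, size_t n, struct sock_fprog *prog)
{
    if (n > 64) return -1;
    size_t i = 0;
    insns[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    insns[i++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, n + 3); /* foreign arch: KILL */
    insns[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t j = 0; j < n; j++) /* match: hop over the remaining checks and DENY, onto ALLOW */
        insns[i++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed[j], n - j, 0);
    insns[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    insns[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    insns[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog->len = i; prog->filter = insns;
    return (int)i;
}
/* Apply the filter to the calling process and everything it execs from then on. */
int install_allowlist(const int *allowed, size_t n)
{
    struct sock_fprog prog;
    if (build_allowlist(allowed, n, &prog) < 0) return -1;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* required for unprivileged callers */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Trace (arch, nr) through the program as the kernel would; handles only the three
 * instruction forms emitted above and returns the SECCOMP_RET_* action taken. */
unsigned int evaluate(const struct sock_fprog *prog, unsigned int arch, int nr)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < prog->len; pc++) {
        const struct sock_filter *in = &prog->filter[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS)) acc = in->k == offsetof(struct seccomp_data, arch) ? arch : (unsigned int)nr;
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += acc == in->k ? in->jt : in->jf;
        else if (in->code == (BPF_RET | BPF_K)) return in->k;
    }
    return SECCOMP_RET_KILL; /* not reachable for programs built above */
}
```

evaluate() lets you check a candidate list offline before install_allowlist() applies it, which is the safer order: once the filter is installed it cannot be removed from the process.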