Depot autopilot vs base-linux with seccomp and per-session socket

Stefan Thöni stefan.thoeni at gapfruit.com
Wed Oct 9 17:07:01 CEST 2019


Hello Genodians

I ran into some trouble using seccomp and the base-linux per-session
sockets with the depot autopilot.

First, the depot autopilot uses significantly more distinct syscalls and
I don't quite understand why that is. The syscalls used above those used
by the basic test-log are: clone, getpid, sigaltstack, rt_sigaction,
gettimeofday, nanosleep

Can anyone explain why these are necessary?

The other problem I couldn't solve up to now is that the depot autopilot
seems to use many more sessions than the scenario itself. Even for the
basic test-log scenario at least 512 sessions are used by a single
process as it fails due to running out of socket descriptors when a
socketpair per session is used.

Can anyone explain this behavior? Might there be stale sessions (leak)
in the depot autopilot?

Best regards
Stefan


--
Kind regards

Stefan Thöni
Chairman of the Board
Senior Security Architect
+41 79 610 64 95

gapfruit AG
Baarerstrasse 135
6300 Zug
https://gapfruit.com