Flatpak does seccomp syscall filtering like Docker containers does on Linux
- Is there a limited set of syscalls for bin/python in general use?
- A given application which uses Python only needs certain syscalls, and there's no way to specify which in the python packaging ecosystem yet; so, tools that dynamically trace syscalls at runtime (while running integration tests of the complete application, or tests of packages or modules or callables) are useful for generating and manually cleaning up an allow list of access control rules.
The
stopdisablingselinux.com talk has a walkthrough of audit2allow, which tails dmesg (journalctl --dmesg) and generates candidate SELinux Policies.
"WIP: Add an all-syscalls feature which disables seccomp filtering" :
- list of reasons to not run flatpaks without seccomp
Seccomp syscall filter rules are Linux only, though; so
A more abstract permission set similar to Android's list of strings for package manifest.xml files
which is *verifiably* implemented as {e.g. seccomp, AppArmor, SELinux Policies, and MacOS and Windows equivalents}
prior to cryptographically-signing the package manifests
(and uploading to e.g. PyPI where what's uploaded will be TUF-signed)
would be necessary.
Potential development workflow changes:
1. Update setup.py: add os-portable permission strings and/or os-specific rules to package's' setup.py's and meta.yml's, modules, and/or callables
2.
3. Generate {setup.py console_script package entrypoint scripts with syscall filtering, flatpak packages with syscall filtering, AppArmor scripts, SELinux Policies, and OCI container seccomp config ,} without having to again trace syscalls while running tests
4.
5. Generate config dicts for IDK subprocess.safe_Popen(security_opts=) ?
(Given each package's os-portable permission strings and/or os-specific rules)
6. Determine whether plain Python code even needs WASI system access when run in a WASM runtime (which can be imported from CPython with e.g. emscripten-forge/pyjs-code-runner, (which doesn't itself do seccomp syscall filtering))