Allow CAP_NET_RAW in chronitons
Currently all forms of raw sockets within chronitons are blocked (by dropping CAP_NET_RAW from the container). Certain types of raw networking access are problematic for the checkpointing and restoration process (e.g. socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) sockets as used by nmap -sS mode), while others are fine (e.g. the socket set up by libpcap for use by tcpdump, or ICMP via ping). Blocking the problematic socket modes by dropping the capability is a low-specificity method that also impacts the benign uses. The ability to use raw sockets to communicate with external hosts will always be limited by the networking security infrastructure surrounding chronitons, so enabling the nmap use case is not a priority, but enabling libpcap for packet capture is valuable.
A more selective block might be possible in the mid-term future by using a customized seccomp-bpf profile (the method already used to block the ptrace system call), or support for the currently problematic socket configurations may be added to the checkpointing and restoration system. Current settings err on the side of checkpoint capture stability.
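As an added illustration (not code from the chronitons project), a hand-written seccomp-bpf filter of the selective kind described above, together with a user-space dry run that checks its jump offsets against constructed socket(2) calls. The policy and the x86-64-only architecture check are assumptions: refuse only socket(AF_INET or AF_INET6, SOCK_RAW, IPPROTO_RAW) while leaving AF_PACKET sockets, ICMP sockets and all other system calls untouched; the mask on the type argument matters because SOCK_RAW | SOCK_CLOEXEC would slip past an exact-equality rule.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <netinet/in.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#define ARG(n) (offsetof(struct seccomp_data, args) + (n) * sizeof(__u64)) /* low 32 bits, little-endian */
#define SOCK_TYPE_MASK 0xf /* socket type is the low nibble; SOCK_CLOEXEC/SOCK_NONBLOCK sit above it */
/* Hypothetical x86-64 policy: refuse socket(AF_INET|AF_INET6, SOCK_RAW, IPPROTO_RAW) with EPERM,
 * allow every other socket() (AF_PACKET for libpcap, IPPROTO_ICMP for ping) and all other syscalls. */
static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),               /* wrong ABI: syscall numbers differ */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 9),    /* not socket(2): allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG(2)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, IPPROTO_RAW, 0, 7),    /* any other protocol: allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG(1)),
    BPF_STMT(BPF_ALU | BPF_AND | BPF_K, SOCK_TYPE_MASK),        /* strip SOCK_CLOEXEC etc. before comparing */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SOCK_RAW, 0, 4),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG(0)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_INET, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_INET6, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Dry-run the filter in user space; only the four opcodes used above are interpreted. */
unsigned int run_filter(const struct seccomp_data *d) {
    unsigned int acc = 0;
    for (size_t pc = 0; pc < sizeof filter / sizeof filter[0]; pc++) {
        struct sock_filter in = filter[pc];
        if (in.code == (BPF_LD | BPF_W | BPF_ABS)) memcpy(&acc, (const char *)d + in.k, sizeof acc);
        else if (in.code == (BPF_ALU | BPF_AND | BPF_K)) acc &= in.k;
        else if (in.code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += (acc == in.k) ? in.jt : in.jf;
        else if (in.code == (BPF_RET | BPF_K)) return in.k;
    }
    return SECCOMP_RET_KILL; /* fell off the end; the kernel refuses to load such a program anyway */
}

/* Verdict the kernel would give for socket(domain, type, protocol) from an x86-64 process. */
unsigned int socket_verdict(int domain, int type, int protocol) {
    struct seccomp_data d = { .nr = __NR_socket, .arch = AUDIT_ARCH_X86_64,
                              .args = { (__u64)domain, (__u64)type, (__u64)protocol } };
    return run_filter(&d);
}
```

To enforce it in a process, wrap filter in a struct sock_fprog and call prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) followed by prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog). In an OCI container runtime the same rule is expressed in the seccomp profile as a socket entry with SCMP_CMP_MASKED_EQ on argument 1 and SCMP_CMP_EQ on arguments 0 and 2.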