Seccomp-based system call filtering for Upstart
Starting with Linux 3.5, the kernel's "seccomp" facility has been extended into a filtering mechanism that lets a process attach a BPF program to its own system calls. Individual system calls can be allowed, denied (killing the offending program), or skipped entirely with a chosen errno returned to the caller (there are also the "trap" and "trace" actions; see the kernel documentation). The Ubuntu 12.04 LTS kernels already carry this feature.
systemd already implements seccomp filtering through its "SystemCallFilter" option (see: http://
The EBNF representation I'm thinking of would be:
seccomp filter = "seccomp-filter", white space, [ "~" ], seccomp rules;
seccomp rules = seccomp rule, { ",", seccomp rule };
seccomp rule = systemcall, [ ":", policy ];
policy = "allow" | "errno" | "kill" | "trace" | "trap";
The default policy is: allow the explicitly listed syscalls, kill on anything not explicitly listed. Prefixing the set of rules with "~" inverts this: the explicitly listed syscalls are denied and anything not explicitly listed is allowed. A rule without an explicit ":policy" therefore means "allow" in the normal form and "kill" in the "~" form.
E.g.:
seccomp-filter write
for "echo hello world" (the calls needed to exec and exit the program must also be permitted; the prototype described in the whiteboard allows those by default).
or:
seccomp-filter getrlimit, setrlimit:errno
for a fictional program that is allowed to call getrlimit and setrlimit, but setrlimit is never executed: it simply returns an error with errno set.
or:
seccomp-filter ~setuid, socket
to deny setuid and socket while leaving every other system call allowed.
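As an added example (not Upstart's code and not the author's wrapper), the C below parses stanzas in the grammar above into a rule list, compiles that list into the classic-BPF program the kernel expects, and installs it. It implements the "~" inversion, the omitted-policy default and the per-rule policies as defined above. Assumptions: the syscall name table is a constructed subset covering only the names used on this page (a real implementation needs the full per-architecture table), "errno" rules return EPERM, and the filter opens with an architecture check because syscall numbers differ per ABI. It also sets the "No New Privileges" prctl before loading the filter, which the kernel demands from unprivileged processes.

```c
/* Added example, not Upstart's code: parse the proposed "seccomp-filter" stanza, compile it
 * to a classic-BPF seccomp program and install it.  Syscall table: constructed subset only. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#define MAX_RULES 32
enum policy { POL_ALLOW, POL_ERRNO, POL_KILL, POL_TRACE, POL_TRAP };
struct rule { int nr; enum policy pol; };
struct filter_spec { int deny_listed; int nrules; struct rule rules[MAX_RULES]; };
#define SC(n) { #n, __NR_##n }
static const struct { const char *name; int nr; } syscalls[] = {
	SC(write), SC(getrlimit), SC(setrlimit), SC(setuid), SC(socket), SC(sethostname) };
static const char *const policy_names[] = { "allow", "errno", "kill", "trace", "trap" };
static const __u32 actions[] = { SECCOMP_RET_ALLOW, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA),
	SECCOMP_RET_KILL, SECCOMP_RET_TRACE, SECCOMP_RET_TRAP };

static int lookup_syscall(const char *s, size_t len)
{
	for (size_t i = 0; i < sizeof syscalls / sizeof syscalls[0]; i++)
		if (strlen(syscalls[i].name) == len && !memcmp(syscalls[i].name, s, len)) return syscalls[i].nr;
	return -1;
}

/* Parse a stanza such as "seccomp-filter ~setuid, socket:errno"; 0 on success, -1 on error. */
int parse_seccomp_stanza(const char *text, struct filter_spec *spec)
{
	const char *p = text;
	memset(spec, 0, sizeof *spec);
	while (*p == ' ' || *p == '\t') p++;
	if (strncmp(p, "seccomp-filter", 14) || (p[14] != ' ' && p[14] != '\t')) return -1;
	for (p += 14; *p == ' ' || *p == '\t'; p++) ;
	if (*p == '~') { spec->deny_listed = 1; p++; }              /* "~" inverts the defaults */
	while (*p) {
		const char *tok, *end, *colon; size_t len, plen, i;
		struct rule *r = &spec->rules[spec->nrules];
		for (; *p == ' ' || *p == '\t'; p++) ; tok = p;
		if ((end = strchr(p, ',')) == NULL) end = p + strlen(p);
		p = *end == ',' ? end + 1 : end;                        /* step past the separator */
		while (end > tok && strchr(" \t\n", end[-1])) end--;    /* trim trailing blanks */
		len = (size_t)(end - tok);
		if (len == 0 || spec->nrules == MAX_RULES) return -1;
		r->pol = spec->deny_listed ? POL_KILL : POL_ALLOW;      /* bare call: mode's default */
		if ((colon = memchr(tok, ':', len)) != NULL) {
			plen = (size_t)(end - colon - 1);
			for (i = 0; i < 5 && (strlen(policy_names[i]) != plen || memcmp(policy_names[i], colon + 1, plen)); i++) ;
			if (i == 5) return -1;
			r->pol = (enum policy)i;
			len = (size_t)(colon - tok);
		}
		if ((r->nr = lookup_syscall(tok, len)) < 0) return -1;
		spec->nrules++;
	}
	return spec->nrules ? 0 : -1;
}

/* Compile a spec into classic BPF; returns the instruction count or -1. */
int build_seccomp_program(const struct filter_spec *spec, struct sock_filter *prog, size_t max)
{
	size_t n = 0, i;
	if (max < 5 + 2 * (size_t)spec->nrules) return -1;
	/* Numbers differ per ABI: kill calls made via another ABI (e.g. 32-bit on x86-64) first. */
	prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
	prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0);
	prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
	prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
	for (i = 0; i < (size_t)spec->nrules; i++) {
		prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (__u32)spec->rules[i].nr, 0, 1);
		prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, actions[spec->rules[i].pol]);
	}
	prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, spec->deny_listed ? SECCOMP_RET_ALLOW : SECCOMP_RET_KILL);
	return (int)n;
}

int main(void)
{
	struct filter_spec spec;
	struct sock_filter insns[5 + 2 * MAX_RULES];
	struct sock_fprog prog = { 0, insns }; int n;
	if (parse_seccomp_stanza("seccomp-filter ~socket:errno", &spec) < 0 ||
	    (n = build_seccomp_program(&spec, insns, sizeof insns / sizeof insns[0])) < 0) return 1;
	prog.len = (unsigned short)n;
	/* Without CAP_SYS_ADMIN the kernel rejects the filter unless no_new_privs is set first. */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
		perror("seccomp"); return 1;
	}
	/* socket() now fails with EPERM instead of the process being killed. */
	if (socket(AF_INET, SOCK_STREAM, 0) < 0) printf("socket: %s\n", strerror(errno));
	return 0;
}
```

Built with cc on a Linux x86-64 or aarch64 host, the program applies `seccomp-filter ~socket:errno` to itself and shows socket() failing with EPERM rather than the process being killed. Parsing and compiling are kept separate from the prctl calls so that they can be exercised, and unit-tested, without sandboxing the calling process; a kill rule installed in a test would end the test runner.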
Most of this is already implemented in a seccomp exec wrapper I wrote, which can be found here:
https:/
Blueprint information
- Status: Not started
- Approver: None
- Priority: Undefined
- Drafter: None
- Direction: Needs approval
- Assignee: None
- Definition: New
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by
- Completed by
Whiteboard
Current progress:
- I have a very simple, working concept on top of upstart-1.5 for hostname.conf, only allowing sethostname and the calls required by default for exec-ing and exiting a program.
- I am still figuring out how the development process works for Ubuntu. E.g. who should fill in the optional fields of this blueprint? Is someone going to review my changes and provide me with feedback? And where can I post my current progress...
- At the moment seccomp is only supported for x86 and amd64, while ARM support is already implemented for ChromeOS but not yet added to mainline. I haven't taken this into account, my modification may not compile for ARM or other architectures.
- A related upstart job option should probably be added to upstart to support setting or not setting the "No New Privileges" prctl; in most cases setting this is required for seccomp to work. (See systemd.exec)
- For the trap and errno policies in a seccomp filter a return value can be set. I still need to implement this, but I am thinking of:
"errno" | "trap", [ "(", short integer, ")" ];