Seccomp security profiles

manjularajamani

Manjula Rajamani

Posted on March 20, 2023

Seccomp security profiles

This blog post tries to exemplate how to run our code in a "Restricted-service operating mode" using libseccomp library

The Linux Kernel and Syscalls?

The kernel performs many jobs but we are going be focussing
on system calls

Linux Syscalls:

Strace:

  • Strace is used to record all the system calls made by the
    particular request

  • Then we can use this information to debug or diagnose the problem

Examples:

  • The output on the screen after running the strace command was simply system calls made to run the ls command

Image description

Save the Trace execution to a file using option -O

Image description

The output would be dumped into trace.log file

Take look at the first line in the trace.log file

execve("/usr/bin/ls", ["ls", "test/"], [/* 40 vars */]) = 0

  • execve, is the name of a system call being executed.

  • The text within the parentheses is the arguments provided to the system call.

  • 0 is a value returned by the execve system call.

Sorting the Result by Columns using option -c:

Image description

Obtaining Timing Information using option -t:

Image description

Attaching strace to Running Process using option -p:

Image description

Image description

Seccomp

seccomp (short for secure computing mode) is a computer security facility in the Linux kernel. seccomp allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit() , sigreturn() , read() and write() to already-open file descriptors.

libseccomp

The libseccomp library provides an easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism.

Installing the libseccomp Library:

  • Step 1: Grab the latest release from the release page at libseccomp repository

  • Step 2: If you are building the libseccomp library from an official release tarball, you should follow the familiar three step process used by most autotools based applications:

Image description

  • Step 3: Install python3-devel using your package manager of choice to fulfil the dependencies needed

Example Code for Python bindings for the libseccomp library:

def setup_seccomp(log_only):
    f = SyscallFilter(ALLOW)
    # always log, even when returning an error
    f.set_attr(Attr.CTL_LOG, 1)
    action = LOG if log_only else ERRNO(errno.EACCES)
    # stop executions
    f.add_rule(action, "execve")
    f.add_rule(action, "execveat")
    f.add_rule(action, "vfork")
    f.add_rule(action, "fork")
    f.load()
    print(f'Seccomp enabled...')
Enter fullscreen mode Exit fullscreen mode

Filter action values:

KILL_PROCESS - kill the process
KILL         - kill the thread
LOG          - allow the syscall to be executed after the action has been logged
ALLOW        - allow the syscall to execute
TRAP         - a SIGSYS signal will be thrown
NOTIFY       - a notification event will be sent via the notification API
ERRNO(x)     - syscall will return (x)
TRACE(x)     - if the process is being traced, (x) will be returned to the tracing process via PTRACE_EVENT_SECCOMP and the PTRACE_GETEVENTMSG option
Enter fullscreen mode Exit fullscreen mode

Here is my repo which attempts to seccomp a simple python program.

https://github.com/manjularajamani/pyseccomp-playground/tree/main/seccompd-progs

💖 💪 🙅 🚩
manjularajamani
Manjula Rajamani

Posted on March 20, 2023

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related