Seccomp security profiles
Manjula Rajamani
Posted on March 20, 2023
This blog post shows how to run our code in a "restricted-service operating mode" using the libseccomp library.
The Linux Kernel and Syscalls?
The kernel performs many jobs, but we are going to be focusing on system calls.
Linux Syscalls:
Strace:
Strace records all the system calls made by a particular process or command. We can then use this information to debug or diagnose a problem.
Examples:
- The output on the screen after running the strace command is simply the list of system calls made to run the ls command.
Save the trace of the execution to a file using option -o:
The output is dumped into the trace.log file.
Take a look at the first line in the trace.log file:
execve("/usr/bin/ls", ["ls", "test/"], [/* 40 vars */]) = 0
execve is the name of the system call being executed.
The text within the parentheses is the list of arguments passed to the system call.
0 is the value returned by the execve system call.
Sorting the Result by Columns using option -c:
Obtaining Timing Information using option -t:
Attaching strace to Running Process using option -p:
Seccomp
seccomp (short for secure computing mode) is a computer security facility in the Linux kernel. seccomp allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors.
libseccomp
The libseccomp library provides an easy-to-use, platform-independent interface to the Linux kernel's syscall filtering mechanism.
Installing the libseccomp Library:
Step 1: Grab the latest release from the releases page of the libseccomp repository.
Step 2: If you are building the libseccomp library from an official release tarball, you should follow the familiar three-step process used by most autotools-based applications:
Step 3: Install python3-devel using your package manager of choice to fulfil the dependencies needed by the Python bindings.
Example code for the Python bindings of the libseccomp library:
import errno
from seccomp import SyscallFilter, Attr, ALLOW, LOG, ERRNO

def setup_seccomp(log_only):
    # default action: allow every syscall that no rule below matches
    f = SyscallFilter(ALLOW)
    # always log, even when returning an error
    f.set_attr(Attr.CTL_LOG, 1)
    # log-only mode lets the blocked calls run but records them; otherwise they fail with EACCES
    action = LOG if log_only else ERRNO(errno.EACCES)
    # stop executions
    f.add_rule(action, "execve")
    f.add_rule(action, "execveat")
    f.add_rule(action, "vfork")
    f.add_rule(action, "fork")
    # note: glibc's fork() is implemented with the clone syscall, so "clone" (and "clone3") need rules too if forking must really be stopped
    f.load()
    print('Seccomp enabled...')
Filter action values:
KILL_PROCESS - kill the process
KILL - kill the thread
LOG - allow the syscall to be executed after the action has been logged
ALLOW - allow the syscall to execute
TRAP - a SIGSYS signal will be thrown
NOTIFY - a notification event will be sent via the notification API
ERRNO(x) - the syscall is not executed and returns failure with errno (x)
TRACE(x) - if the process is being traced, (x) will be returned to the tracing process via PTRACE_EVENT_SECCOMP and the PTRACE_GETEVENTMSG option
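The two halves of the post fit together into one workflow: record what a program actually calls with strace, then turn that list into a default-deny allowlist with the same libseccomp bindings. The following is an added example, not code from the post or from the linked repo; the trace lines are constructed, and allowlist_filter() assumes the libseccomp Python bindings are installed and returns the filter unloaded.

```python
import errno
import re
from collections import Counter

# Matches the start of one strace line: an optional "[pid N]" prefix (from -f/-p),
# an optional time-of-day stamp (from -t), then the syscall name and its "(".
SYSCALL_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?(?:\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+)?(?P<name>[a-z0-9_]+)\('
)

# Constructed sample in the format of "strace -o trace.log ls test/" (not a real capture).
SAMPLE_TRACE = """\
execve("/usr/bin/ls", ["ls", "test/"], [/* 40 vars */]) = 0
brk(NULL) = 0x55d1c8c2a000
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=27312, ...}) = 0
mmap(NULL, 27312, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f2b1c000000
close(3) = 0
openat(AT_FDCWD, "test/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
getdents64(3, 0x55d1c8c2c3f0 /* 4 entries */, 32768) = 112
write(1, "a.txt  b.txt\\n", 13) = 13
close(3) = 0
exit_group(0) = ?
+++ exited with 0 +++
"""

def syscalls_from_trace(text):
    """Return a Counter {syscall_name: call_count} from strace output text."""
    counts = Counter()
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            counts[m.group("name")] += 1
    return counts

def allowlist_filter(observed, log_only=False):
    """Build a default-deny libseccomp filter that allows only the observed syscalls
    (plus exit/exit_group so the program can still terminate cleanly).
    Requires the libseccomp Python bindings (assumption); the filter is returned
    unloaded so the caller can inspect it or add rules before calling .load()."""
    from seccomp import SyscallFilter, Attr, ALLOW, LOG, ERRNO
    # LOG lets you dry-run the allowlist first: unexpected calls are logged, not failed.
    default = LOG if log_only else ERRNO(errno.EPERM)
    f = SyscallFilter(default)
    f.set_attr(Attr.CTL_LOG, 1)  # log denied calls so gaps in the allowlist show up in the audit log
    for name in sorted(set(observed) | {"exit", "exit_group"}):
        f.add_rule(ALLOW, name)
    return f
```

Run the dry-run (log_only=True) under a real workload before switching to ERRNO, since a trace of one invocation rarely covers every code path.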
Here is my repo, which attempts to seccomp a simple Python program.
https://github.com/manjularajamani/pyseccomp-playground/tree/main/seccompd-progs