seccomp

From Wikipedia, the free encyclopedia
Jump to: navigation, search
Seccomp
Original author(s) Andrea Arcangeli
Initial release March 8, 2005; 9 years ago (2005-03-08)
Development status mainlined
Written in C
Operating system Linux kernel
Type Sandboxing
License GNU General Public License
Website code.google.com/p/seccompsandbox/wiki/overview

seccomp (short for secure computing mode) is a simple but solid secure-computing facility (sandboxing mechanism) for the Linux kernel. It was added to version 2.6.12 of the Linux kernel mainline on March 8, 2005.[1] It allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will terminate the process with SIGKILL. In this sense, it does not virtualize the system's resources but isolates the process from them entirely.

seccomp mode is enabled via the prctl(2) system call using the PR_SET_SECCOMP argument. seccomp mode used to be enabled by writing to a file, /proc/self/seccomp, but this method was removed in favor of prctl().[2] In some kernel versions, seccomp disables the RDTSC x86 instruction.[clarification needed][3]

Uses[edit]

seccomp was first devised by Andrea Arcangeli in January 2005 for use in public grid computing and was originally intended as a means of safely running untrusted compute-bound programs.

Arcangeli's CPUShare[dead link] was the only known user of this feature.[4] Writing in February 2009, Linus Torvalds expresses doubt whether seccomp is actually used by anyone.[5] However, a Google engineer replied that Google is exploring using seccomp for sandboxing its Chrome web browser.[6][7]

As of Chrome version 20, seccomp-bpf is used to sandbox Adobe Flash Player.[8] As of Chrome version 23, seccomp-bpf is used to sandbox the renderers.[9]

Vsftpd uses seccomp-bpf sandboxing as of version 3.0.0.[10]

OpenSSH has supported seccomp-bpf since version 6.0.[11]

seccomp-bpf[edit]

seccomp-bpf is an extension to seccomp[12] that allows filtering of system calls using a configurable policy implemented using Berkeley Packet Filter rules. It is used by OpenSSH and vsftpd as well as the Google Chrome/Chromium web browsers on Chrome OS and Linux.[13]

References[edit]

  1. ^ "[PATCH] seccomp: secure computing support". Linux kernel history. Kernel.org git repositories. 2005-03-08. Retrieved 2013-08-02. 
  2. ^ Arcangeli, Andrea (2007-06-14). "[PATCH 1 of 2] move seccomp from /proc to a prctl". Retrieved 2013-08-02. 
  3. ^ Tinnes, Julien (2009-05-28). "Time-stamp counter disabling oddities in the Linux kernel". cr0 blog. Retrieved 2013-08-02. 
  4. ^ van de Ven, Arjan (2009-02-28). "Re: [stable] [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole". Linux Kernel Mailing List. Retrieved 2013-08-02. 
  5. ^ Torvalds, Linus (2009-02-28). "Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole". Linux Kernel Mailing List. Retrieved 2013-08-02. 
  6. ^ Gutschke, Markus (2009-05-06). "Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole". Retrieved 2013-08-02. 
  7. ^ Gutschke, Markus (2009-05-06). "Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole". Linux Kernel Mailing List. Retrieved 2013-08-02. 
  8. ^ Evans, Chris (2012-07-04). "Chrome 20 on Linux and Flash sandboxing". Retrieved 2013-08-02. 
  9. ^ Tinnes, Julien (2012-09-06). "Introducing Chrome's next-generation Linux sandbox". cr0 blog. Retrieved 2013-08-02. 
  10. ^ Evans, Chris (2012-04-09). "vsftpd-3.0.0 and seccomp filter sandboxing is here!". Retrieved 2013-08-02. 
  11. ^ "Openssh 6.0 release notes". Retrieved 2013-10-14. 
  12. ^ Corbet, Jonathan (2012-01-11). "Yet another new approach to seccomp". lwn. Retrieved 2013-08-02. 
  13. ^ Tinnes, Julien (2012-11-19). "A safer playground for your Linux and Chrome OS renderers". The Chromium Blog. Retrieved 2013-08-02. 

External links[edit]