seccomp

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
seccomp
Original author(s)Andrea Arcangeli
Initial releaseMarch 8, 2005; 16 years ago (2005-03-08)
Written inC
Operating systemLinux
TypeSandboxing
LicenseGNU General Public License
Websitecode.google.com/archive/p/seccompsandbox/wikis/overview.wiki

seccomp (short for secure computing mode) is a computer security facility in the Linux kernel. seccomp allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will terminate the process with SIGKILL or SIGSYS.[1][2] In this sense, it does not virtualize the system's resources but isolates the process from them entirely.

seccomp mode is enabled via the prctl(2) system call using the PR_SET_SECCOMP argument, or (since Linux kernel 3.17[3]) via the seccomp(2) system call.[4] seccomp mode used to be enabled by writing to a file, /proc/self/seccomp, but this method was removed in favor of prctl().[5] In some kernel versions, seccomp disables the RDTSC x86 instruction, which returns the number of elapsed processor cycles since power-on, used for high-precision timing.[6]

seccomp-bpf is an extension to seccomp[7] that allows filtering of system calls using a configurable policy implemented using Berkeley Packet Filter rules. It is used by OpenSSH and vsftpd as well as the Google Chrome/Chromium web browsers on Chrome OS and Linux.[8] (In this regard seccomp-bpf achieves similar functionality, but with more flexibility and higher performance, to the older systrace—which seems to be no longer supported for Linux.)

Some consider seccomp comparable to OpenBSD pledge(2) and FreeBSD capsicum(4).

History[edit]

seccomp was first devised by Andrea Arcangeli in January 2005 for use in public grid computing and was originally intended as a means of safely running untrusted compute-bound programs. It was merged into the Linux kernel mainline in kernel version 2.6.12, which was released on March 8, 2005.[9]

Software using seccomp or seccomp-bpf[edit]

References[edit]

  1. ^ Corbet, Jonathan (2015-09-02). "A seccomp overview". lwn. Retrieved 2017-10-05.
  2. ^ "Documentation/prctl/seccomp_filter.txt". Retrieved 2017-10-05.
  3. ^ "Linux kernel 3.17, Section 11. Security". kernelnewbies.org. 2013-10-05. Retrieved 2015-03-31.
  4. ^ "seccomp: add "seccomp" syscall". kernel/git/torvalds/linux.git - Linux kernel source tree. kernel.org. 2014-06-25. Retrieved 2014-08-22.
  5. ^ {{cite capsicum capsicum_(unix)web | url = http://lkml.indiana.edu/hypermail/linux/kernel/0706.1/2525.html | title = [PATCH 1 of 2] move seccomp from /proc to a prctl | access-date = 2013-08-02 | last = Arcangeli | first = Andrea | date = 2007-06-14}}
  6. ^ Tinnes, Julien (2009-05-28). "Time-stamp counter disabling oddities in the Linux kernel". cr0 blog. Retrieved 2013-08-02.
  7. ^ Corbet, Jonathan (2012-01-11). "Yet another new approach to seccomp". lwn. Retrieved 2013-08-02.
  8. ^ Tinnes, Julien (2012-11-19). "A safer playground for your Linux and Chrome OS renderers". The Chromium Blog. Retrieved 2013-08-02.
  9. ^ "[PATCH] seccomp: secure computing support". Linux kernel history. Kernel.org git repositories. 2005-03-08. Archived from the original on 2013-04-15. Retrieved 2013-08-02.
  10. ^ "Seccomp filter in Android O". Android Developers Blog.
  11. ^ "systemd.exec — Execution environment configuration". freedesktop.org. Retrieved 2017-10-14.
  12. ^ Otubo, Eduardo (2017-09-15). "QEMU Sandboxing new model pull request". qemu-devel mailing list archive.
  13. ^ van de Ven, Arjan (2009-02-28). "Re: [stable] [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole". Linux Kernel Mailing List. Retrieved 2013-08-02.
  14. ^ Torvalds, Linus (2009-02-28). "Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole". Linux Kernel Mailing List. Retrieved 2013-08-02.
  15. ^ Gutschke, Markus (2009-05-06). "Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole". Retrieved 2013-08-02.
  16. ^ Gutschke, Markus (2009-05-06). "Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole". Linux Kernel Mailing List. Retrieved 2013-08-02.
  17. ^ "Firejail". Firejail. Retrieved 2016-11-26.
  18. ^ Evans, Chris (2012-07-04). "Chrome 20 on Linux and Flash sandboxing". Retrieved 2013-08-02.
  19. ^ Tinnes, Julien (2012-09-06). "Introducing Chrome's next-generation Linux sandbox". cr0 blog. Retrieved 2013-08-02.
  20. ^ "Snap security policy". Archived from the original on 2017-02-04. Retrieved 2017-02-03.
  21. ^ Evans, Chris (2012-04-09). "vsftpd-3.0.0 and seccomp filter sandboxing is here!". Retrieved 2013-08-02.
  22. ^ "Openssh 6.0 release notes". Retrieved 2013-10-14.
  23. ^ "MBOX". Retrieved 2014-05-20.
  24. ^ "LXD an "hypervisor" for containers (based on liblxc)". Retrieved 2014-11-08.
  25. ^ "Where We're Going With LXD". Retrieved 2014-11-08.
  26. ^ Destuynder, Guillaume (2012-09-13). "Firefox Seccomp sandbox". Mozilla Bugzilla. Retrieved 2015-01-13.
  27. ^ Destuynder, Guillaume (2012-09-13). "Firefox Seccomp sandbox". Mozilla Wiki. Retrieved 2015-01-13.
  28. ^ "Tor ChangeLog".
  29. ^ "Lepton image compression: saving 22% losslessly from images at 15MB/s". Dropbox Tech Blog. Retrieved 2016-07-15.
  30. ^ "Kafel: A language and library for specifying syscall filtering policies".
  31. ^ "Subgraph OS". Subgraph. Retrieved 2016-12-18.
  32. ^ "LoganCIJ16: Future of OS". YouTube. Archived from the original on 2021-12-21. Retrieved 2016-12-18.
  33. ^ "The flatpak security model – part 1: The basics". Retrieved 2017-01-21.
  34. ^ "bubblewrap". Retrieved 2018-04-14.
  35. ^ "Chromium OS Sandboxing - the Chromium Projects".
  36. ^ "Minijail [LWN.net]". lwn.net. Retrieved 2017-04-11.
  37. ^ "ptrace and seccomp based sandbox". dev.exherbo.org. Retrieved 2021-05-31.
  38. ^ "index: sydbox-1.git - Ptrace based Sandbox". git.exherbo.org. Retrieved 2021-05-31.
  39. ^ "path: root/packages/sys-apps/sydbox/sydbox.exlib". Retrieved 2021-05-31.
  40. ^ "path: root/packages/sys-apps/sydbox/sydbox.exheres-0". Retrieved 2021-05-31.
  41. ^ "core/trace/use_seccomp". dev.exherbo.org. Retrieved 2021-05-31.
  42. ^ "Specifying Magic Commands:Commands:core/restrict/file_control". dev.exherbo.org. Retrieved 2021-05-31.
  43. ^ "Specifying Magic Commands:Commands:core/restrict/shared_memory_writable". dev.exherbo.org. Retrieved 2021-05-31.
  44. ^ "improve seccomp for read only open calls". git.exherbo.org. Retrieved 2021-05-31.
  45. ^ "new functionality core/restrict/shared_memory_writable". git.exherbo.org. Retrieved 2021-05-31.
  46. ^ "Exherbo - Welcome". exherbo.org. Retrieved 2021-05-31.
  47. ^ "crates.io: Rust Package Registry: Pandora's Box: A helper for SydBox, a ptrace & seccomp based sandbox to make sandboxing practical". crates.io. Retrieved 2021-05-31.
  48. ^ "SydBox Profile for Mozilla Firefox 88.0.1". git.exherbo.org. Retrieved 2021-05-31.
  49. ^ "pinktrace Version 0.9.5". dev.exherbo.org. Retrieved 2021-05-31.
  50. ^ "index: pinktrace-1.git - pink's tracing library". git.exherbo.org. Retrieved 2021-05-31.
  51. ^ "path: root/packages/dev-libs/pinktrace/pinktrace.exlib". git.exherbo.org. Retrieved 2021-05-31.
  52. ^ "path: root/packages/dev-libs/pinktrace/pinktrace.exlib". git.exherbo.org. Retrieved 2021-05-31.
  53. ^ "path: root/pinktrace/read.c -- Based in part upon strace". git.exherbo.org. Retrieved 2021-05-31.
  54. ^ "Work around conflict between <sys/ptrace.h> and <linux/ptrace.h>". gitlab.com. Retrieved 2021-05-31.
  55. ^ "Sydbox v2.0.1: This release is noticably faster than Sydbox-1.2.1 in that it does not ptrace stop the processes anymore. The benchmark at the end of this post has the details. This release also fixes a multithreaded execve race condition which caused hangs". pink.exherbo.org. Retrieved 2021-06-15.
  56. ^ "Pandora v0.5.2: This version of Pandora updates configuration format to Sydbox API Version 2 and only works with SydBox v2.0.1 or newer". pink.exherbo.org. Retrieved 2021-06-15.
  57. ^ "seccomp: add SECCOMP_USER_NOTIF_FLAG_CONTINUE". git.kernel.org. Retrieved 2021-06-15.
  58. ^ "seccomp: avoid overflow in implicit constant conversion". git.kernel.org. Retrieved 2021-06-15.
  59. ^ "seccomp: test SECCOMP_USER_NOTIF_FLAG_CONTINUE". git.kernel.org. Retrieved 2021-06-15.

External links[edit]