seccomp

From Wikipedia, the free encyclopedia

seccomp
Original author(s): Andrea Arcangeli
Initial release: March 8, 2005
Written in: C
Operating system: Linux
Type: Sandboxing
License: GNU General Public License
Website: code.google.com/archive/p/seccompsandbox/wikis/overview.wiki

seccomp (short for secure computing mode) is a computer security facility in the Linux kernel. seccomp allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will terminate the process with SIGKILL or SIGSYS.[1][2] In this sense, it does not virtualize the system's resources but isolates the process from them entirely.

seccomp mode is enabled via the prctl(2) system call using the PR_SET_SECCOMP argument, or (since Linux kernel 3.17[3]) via the seccomp(2) system call.[4] seccomp mode used to be enabled by writing to a file, /proc/self/seccomp, but this method was removed in favor of prctl().[5] In some kernel versions, seccomp disables the RDTSC x86 instruction, which returns the number of elapsed processor cycles since power-on, used for high-precision timing.[6]

seccomp-bpf is an extension to seccomp[7] that allows filtering of system calls using a configurable policy implemented using Berkeley Packet Filter rules. It is used by OpenSSH and vsftpd as well as the Google Chrome/Chromium web browsers on Chrome OS and Linux.[8] (In this regard seccomp-bpf achieves similar functionality, but with more flexibility and higher performance, to the older systrace—which seems to be no longer supported for Linux.)
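The two mechanisms described above (strict mode via prctl(2), and seccomp-bpf filtering of individual system calls) are shown in the following added example, which is not part of the article or of any of the projects it lists. It builds a classic-BPF allowlist of the kind seccomp-bpf consumes, dry-runs it with a small user-space evaluator for the three opcodes the filter uses, and only then installs it with PR_SET_SECCOMP. The allowlist in main() (read, write, exit, exit_group, rt_sigreturn) is a hypothetical policy chosen for the demonstration; the architecture check at the top of the filter is what prevents syscall numbers from one ABI being interpreted under another.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* The filter must check the architecture first: syscall numbers differ per ABI. */
#if defined(__x86_64__)
#  define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define ARCH_NR AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Strict mode, as described in the article: only read, write, exit and sigreturn
 * remain available and any other syscall ends the process. One prctl() call, no policy. */
int enter_strict_mode(void)
{
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) == 0 ? 0 : -errno;
}

/* Fills `insns` with a seccomp-bpf allowlist for the `n` syscall numbers in `allowed`
 * and returns the instruction count; the caller provides room for 5 + 2*n entries. */
size_t build_allowlist_filter(const int *allowed, size_t n, struct sock_filter *insns)
{
    size_t i = 0;
    /* Load seccomp_data.arch and kill on a foreign ABI (e.g. 32-bit compat calls on a
     * 64-bit kernel), where the numbers compared below would name other syscalls. */
    insns[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    insns[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    insns[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    /* Load seccomp_data.nr and allow the call if it matches any listed entry. */
    insns[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++) {
        insns[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)allowed[k], 0, 1);
        insns[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    /* Default deny: anything not listed kills the process. */
    insns[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    return i;
}

/* Toy evaluator for the three classic-BPF opcodes used above (LD|W|ABS, JMP|JEQ|K, RET|K),
 * so a policy can be dry-run in user space before installation. Returns the SECCOMP_RET_* action. */
unsigned int evaluate_filter(const struct sock_filter *insns, size_t len, unsigned int arch, unsigned int nr)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &insns[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k == offsetof(struct seccomp_data, arch)) acc = arch;
            else if (in->k == offsetof(struct seccomp_data, nr)) acc = nr;
            else return SECCOMP_RET_KILL;             /* field not modelled here */
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;   /* offsets are relative to the next insn */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL;                  /* opcode not modelled here */
        }
    }
    return SECCOMP_RET_KILL;                          /* the kernel rejects filters that fall off the end */
}

/* Installs the filter for the calling thread. PR_SET_NO_NEW_PRIVS is required for an
 * unprivileged caller so a filter cannot be used to subvert a later setuid exec. */
int install_filter(struct sock_filter *insns, size_t len)
{
    struct sock_fprog prog = { .len = (unsigned short)len, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -errno;
    return 0;
}

/* Hypothetical demo policy: the strict-mode set plus exit_group, which glibc's exit() uses. */
static const int demo_allowed[] = { SYS_read, SYS_write, SYS_exit, SYS_exit_group, SYS_rt_sigreturn };
#define DEMO_N (sizeof demo_allowed / sizeof demo_allowed[0])

/* Builds the demo policy and dry-runs it for one (arch, nr) pair. */
unsigned int demo_policy_action(unsigned int arch, unsigned int nr)
{
    struct sock_filter insns[5 + 2 * DEMO_N];
    size_t len = build_allowlist_filter(demo_allowed, DEMO_N, insns);
    return evaluate_filter(insns, len, arch, nr);
}

int main(void)
{
    struct sock_filter insns[5 + 2 * DEMO_N];
    size_t len = build_allowlist_filter(demo_allowed, DEMO_N, insns);
    printf("dry run: write -> %s, openat -> %s\n",
           evaluate_filter(insns, len, ARCH_NR, SYS_write) == SECCOMP_RET_ALLOW ? "allow" : "kill",
           evaluate_filter(insns, len, ARCH_NR, SYS_openat) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    fflush(stdout);   /* flush now, so only write() is needed once the filter is active */
    if (install_filter(insns, len) != 0) { perror("install_filter"); return 1; }
    static const char msg[] = "filter installed; only the allowlisted syscalls work now\n";
    write(STDOUT_FILENO, msg, sizeof msg - 1);
    /* An openat() at this point would end the process with SIGSYS (or SIGKILL). */
    return 0;
}
```

The evaluator only understands the opcodes this generator emits; it is a pre-flight check for the policy, not a replacement for the kernel's verifier, which additionally rejects programs that can fall off the end or use unsupported instructions. Filters that need per-argument decisions or SECCOMP_RET_ERRNO/TRAP results are usually written with libseccomp rather than by hand.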

History

seccomp was first devised by Andrea Arcangeli in January 2005 for use in public grid computing and was originally intended as a means of safely running untrusted compute-bound programs. It was merged into the Linux kernel mainline in kernel version 2.6.12, which was released on March 8, 2005.[9]

Software using seccomp or seccomp-bpf

  • Android uses a seccomp-bpf filter in the zygote since Android 8.0 Oreo.[10]
  • systemd's "SystemCallFilter" feature is based on seccomp.[11]
  • QEMU, the Quick Emulator, a core component of modern virtualization together with KVM, uses seccomp when started with the --sandbox parameter.[12]
  • Docker, software that runs applications inside isolated containers, can associate a seccomp profile with a container using the --security-opt parameter.
  • Arcangeli's CPUShare was the only known user of seccomp for a while.[13] Writing in February 2009, Linus Torvalds expressed doubt whether seccomp was actually used by anyone.[14] However, a Google engineer replied that Google was exploring using seccomp for sandboxing its Chrome web browser.[15][16]
  • Firejail is an open source Linux sandbox program that utilizes Linux Namespaces, Seccomp, and other kernel-level security features to sandbox Linux and Wine applications.[17]
  • As of Chrome version 20, seccomp-bpf is used to sandbox Adobe Flash Player.[18]
  • As of Chrome version 23, seccomp-bpf is used to sandbox the renderers.[19]
  • Snaps specify the shape of their application sandbox using 'interfaces', which snapd translates to seccomp, AppArmor and other security constructs.[20]
  • vsftpd uses seccomp-bpf sandboxing as of version 3.0.0.[21]
  • OpenSSH has supported seccomp-bpf since version 6.0.[22]
  • Mbox uses ptrace along with seccomp-bpf to create a secure sandbox with less overhead than ptrace alone.[23]
  • LXD, an Ubuntu "hypervisor" for containers[24][25]
  • Firefox and Firefox OS, which use seccomp-bpf[26][27]
  • Tor supports seccomp since 0.2.5.1-alpha[28]
  • Lepton, a JPEG compression tool developed by Dropbox, uses seccomp.[29]
  • Kafel is a configuration language that converts readable policies into seccomp-bpf bytecode.[30]
  • Subgraph OS uses seccomp-bpf[31][32]
  • Flatpak uses seccomp for process isolation[33]
  • Bubblewrap is a lightweight setuid sandbox application developed from Flatpak[34]
  • minijail uses seccomp for process isolation[35]

References

  1. ^ Corbet, Jonathan (2015-09-02). "A seccomp overview". lwn. Retrieved 2017-10-05.
  2. ^ "Documentation/prctl/seccomp_filter.txt". Retrieved 2017-10-05.
  3. ^ "Linux kernel 3.17, Section 11. Security". kernelnewbies.org. 2013-10-05. Retrieved 2015-03-31.
  4. ^ "seccomp: add "seccomp" syscall". kernel/git/torvalds/linux.git - Linux kernel source tree. kernel.org. 2014-06-25. Retrieved 2014-08-22.
  5. ^ Arcangeli, Andrea (2007-06-14). "[PATCH 1 of 2] move seccomp from /proc to a prctl". Retrieved 2013-08-02.
  6. ^ Tinnes, Julien (2009-05-28). "Time-stamp counter disabling oddities in the Linux kernel". cr0 blog. Retrieved 2013-08-02.
  7. ^ Corbet, Jonathan (2012-01-11). "Yet another new approach to seccomp". lwn. Retrieved 2013-08-02.
  8. ^ Tinnes, Julien (2012-11-19). "A safer playground for your Linux and Chrome OS renderers". The Chromium Blog. Retrieved 2013-08-02.
  9. ^ "[PATCH] seccomp: secure computing support". Linux kernel history. Kernel.org git repositories. 2005-03-08. Archived from the original on 2013-04-15. Retrieved 2013-08-02.
  10. ^ "Seccomp filter in Android O". Android Developers Blog.
  11. ^ "systemd.exec — Execution environment configuration". freedesktop.org. Retrieved 2017-10-14.
  12. ^ Otubo, Eduardo (2017-09-15). "QEMU Sandboxing new model pull request". qemu-devel mailing list archive.
  13. ^ van de Ven, Arjan (2009-02-28). "Re: [stable] [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole". Linux Kernel Mailing List. Retrieved 2013-08-02.
  14. ^ Torvalds, Linus (2009-02-28). "Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole". Linux Kernel Mailing List. Retrieved 2013-08-02.
  15. ^ Gutschke, Markus (2009-05-06). "Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole". Retrieved 2013-08-02.
  16. ^ Gutschke, Markus (2009-05-06). "Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole". Linux Kernel Mailing List. Retrieved 2013-08-02.
  17. ^ "Firejail". Firejail. Retrieved 2016-11-26.
  18. ^ Evans, Chris (2012-07-04). "Chrome 20 on Linux and Flash sandboxing". Retrieved 2013-08-02.
  19. ^ Tinnes, Julien (2012-09-06). "Introducing Chrome's next-generation Linux sandbox". cr0 blog. Retrieved 2013-08-02.
  20. ^ "Snap security policy". Archived from the original on 2017-02-04. Retrieved 2017-02-03.
  21. ^ Evans, Chris (2012-04-09). "vsftpd-3.0.0 and seccomp filter sandboxing is here!". Retrieved 2013-08-02.
  22. ^ "Openssh 6.0 release notes". Retrieved 2013-10-14.
  23. ^ "MBOX". Retrieved 2014-05-20.
  24. ^ "LXD an "hypervisor" for containers (based on liblxc)". Retrieved 2014-11-08.
  25. ^ "Where We're Going With LXD". Retrieved 2014-11-08.
  26. ^ Destuynder, Guillaume (2012-09-13). "Firefox Seccomp sandbox". Mozilla Bugzilla. Retrieved 2015-01-13.
  27. ^ Destuynder, Guillaume (2012-09-13). "Firefox Seccomp sandbox". Mozilla Wiki. Retrieved 2015-01-13.
  28. ^ "Tor ChangeLog".
  29. ^ "Lepton image compression: saving 22% losslessly from images at 15MB/s". Dropbox Tech Blog. Retrieved 2016-07-15.
  30. ^ "Kafel: A language and library for specifying syscall filtering policies".
  31. ^ "Subgraph OS". Subgraph. Retrieved 2016-12-18.
  32. ^ "LoganCIJ16: Future of OS". YouTube. Retrieved 2016-12-18.
  33. ^ "The flatpak security model – part 1: The basics". Retrieved 2017-01-21.
  34. ^ "bubblewrap". Retrieved 2018-04-14.
  35. ^ "Minijail [LWN.net]". lwn.net. Retrieved 2017-04-11.

External links