Security/Sandbox/Seccomp

3,658 bytes added, 02:37, 24 January 2014
First attempt
== What is Seccomp ==

=== Intro to seccomp and seccomp-bpf ===

[http://en.wikipedia.org/wiki/Seccomp Seccomp] stands for secure computing mode. It is a simple sandboxing facility in the Linux kernel, available since Linux version 2.6.12.
When seccomp is enabled, the process enters a "secure mode" in which only a handful of system calls remain available: exit(), read(), write() and sigreturn().

Seccomp-bpf is a more recent extension to seccomp, which adds support for [http://en.wikipedia.org/wiki/Berkeley_Packet_Filter BPF (Berkeley Packet Filter)] filters.
These filters allow for a more configurable list of system calls that are allowed or denied within the sandbox. Seccomp-bpf is available since Linux version 3.5 and is usable on the ARM architecture since Linux version 3.10. Several backports are available for earlier kernel versions.

=== How do I call seccomp-bpf? ===

Seccomp-bpf is turned on through the prctl() system call (process control).

The call looks like this:

#include <sys/prctl.h>
#include <linux/seccomp.h>
[...]
/* bpf_prog is a struct sock_fprog holding the filter program */
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &bpf_prog);

bpf_prog is a BPF program structure containing the rules used by seccomp-bpf, i.e. which system calls are allowed and which are not.
To ensure that this call can't be made again later with a more permissive filter program (bpf_prog), there is an additional call to make, "no new privileges" (PR_SET_NO_NEW_PRIVS), which ensures it's only possible to tighten the filter, never to extend it. This means you could, for example, first remove access to one system call and then, later in the process's lifetime, remove access to more system calls.
Here's the same code with the no-new-privileges call:

#include <sys/prctl.h>
#include <linux/seccomp.h>
[...]
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);    /* must come before the filter is loaded */
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &bpf_prog);

==== Construct a basic filter ====

The filter program is constructed from the BPF filter macros in the kernel's linux/filter.h. Here's a set of macros commonly used for seccomp-bpf:

#include <stddef.h>          /* offsetof() */
#include <sys/syscall.h>     /* __NR_* system call numbers */
#include <linux/audit.h>     /* AUDIT_ARCH_* values */
#include <linux/filter.h>
#include <linux/seccomp.h>   /* struct seccomp_data, SECCOMP_RET_* */
[...]
/* Offsets of the fields the filter inspects in struct seccomp_data */
#define syscall_nr (offsetof(struct seccomp_data, nr))
#define arch_nr (offsetof(struct seccomp_data, arch))

/* Kill the process unless it runs on the expected architecture;
 * ARCH_NR must be set to the AUDIT_ARCH_* value the filter is built for
 * (e.g. AUDIT_ARCH_X86_64), since system call numbers differ per architecture */
#define VALIDATE_ARCHITECTURE \
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, arch_nr), \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)

/* Load the system call number into the accumulator */
#define EXAMINE_SYSCALL \
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_nr)

/* Allow the call if the accumulator holds __NR_name, otherwise fall through */
#define ALLOW_SYSCALL(name) \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)

/* Default action when no ALLOW_SYSCALL matched */
#define KILL_PROCESS \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)

With these macros, you could build a filter that first validates that the architecture you run on is the one the filter was written for (system call numbers differ between architectures), then allows a list of system calls, and, if none match the list, kills the process.
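As an added example covering both the prctl() calls and the filter macros above (this is not code from the wiki page or from mozilla-central), the program below builds a small allow-list from those macros, installs it with PR_SET_NO_NEW_PRIVS followed by PR_SET_SECCOMP, and also interprets the same BPF program in user space so that its verdict for a given system call can be inspected without installing it. The ARCH_NR mapping, the allowed set (read, write, exit_group) and the interpreter are the example's own choices; it assumes Linux kernel headers are installed.

```c
/* Added example (not from the wiki page or mozilla-central): build an
 * allow-list from the macros above, install it, and interpret the same
 * program in user space so its verdicts can be checked. The allowed set
 * is a constructed illustration, not Gecko's whitelist. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* AUDIT_ARCH_* of the build target: syscall numbers differ per architecture,
 * so the filter must refuse to run anywhere else. */
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add an AUDIT_ARCH_* value for this architecture"
#endif
#define syscall_nr (offsetof(struct seccomp_data, nr))
#define arch_nr (offsetof(struct seccomp_data, arch))
#define VALIDATE_ARCHITECTURE \
    BPF_STMT(BPF_LD + BPF_W + BPF_ABS, arch_nr), \
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ARCH_NR, 1, 0), \
    BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_KILL)
#define EXAMINE_SYSCALL BPF_STMT(BPF_LD + BPF_W + BPF_ABS, syscall_nr)
#define ALLOW_SYSCALL(name) \
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR_##name, 0, 1), \
    BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW)
#define KILL_PROCESS BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_KILL)

/* Constructed allow-list: anything not listed kills the process. */
static struct sock_filter filter[] = {
    VALIDATE_ARCHITECTURE,
    EXAMINE_SYSCALL,
    ALLOW_SYSCALL(read),
    ALLOW_SYSCALL(write),
    ALLOW_SYSCALL(exit_group),
    KILL_PROCESS,
};
#define FILTER_LEN (sizeof filter / sizeof filter[0])

/* Interpreter for the three instruction forms the macros use. A BPF jump
 * lands at pc + 1 + jt (or jf); the loop's pc++ supplies the "+ 1". */
static unsigned int run_filter(const struct sock_filter *prog, size_t len,
                               const struct seccomp_data *data)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:   /* acc = 32-bit word at offset k */
            memcpy(&acc, (const char *)data + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:  /* conditional skip */
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:            /* final verdict */
            return in->k;
        default:                         /* unsupported opcode: fail closed */
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}

/* Verdict the filter gives syscall number nr on architecture arch. */
unsigned int decide(int nr, unsigned int arch)
{
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return run_filter(filter, FILTER_LEN, &d);
}

/* PR_SET_NO_NEW_PRIVS first: it lets an unprivileged process load a filter
 * and stops execve() of a setuid binary from handing out new privileges. */
int install_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)FILTER_LEN, .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) {                   /* child sandboxes itself */
        if (install_filter() != 0) _exit(2);
        write(1, "write() still allowed\n", 22);
        syscall(SYS_getpid);          /* not listed: SIGSYS kills the child */
        _exit(0);                     /* not reached */
    }
    waitpid(pid, &status, 0);
    puts(WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS
             ? "child killed by SIGSYS as expected" : "unexpected child status");
    return 0;
}
```

The filter is installed in a forked child so the parent stays unrestricted and can report how the child died; decide() is what you would use in a unit test to check a whitelist without sandboxing the test runner itself.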

== Use in Gecko ==
Gecko on the desktop and in B2G uses seccomp when running on Linux.
The code is in mozilla-central under security/sandbox/linux.

'''File''' security/sandbox/linux/seccomp_filter.h

Contains a whitelist of allowed system calls.

'''File''' security/sandbox/linux/Sandbox.cpp

Contains the sandbox installation code, called by:

SetCurrentProcessSandbox(void)

== More information ==

See also the kernel documentation:

* [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/prctl/seccomp_filter.txt seccomp-bpf documentation]
* [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/prctl/no_new_privs.txt no new privs documentation]
* [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/samples/seccomp complete demo code samples]