From Fedora Project Wiki
Latest revision as of 21:33, 16 August 2012


Syscall Filters

Summary

Syscall filtering is a security mechanism that allows applications to define which syscalls they should be allowed to execute.

Owner

  • Name: Cole Robinson
  • Email: crobinso@redhat.com
  • Name: Paul Moore
  • Email: pmoore@redhat.com

Current status

  • Targeted release: Fedora 18
  • Last updated: August 16, 2012
  • Percentage of completion: 100%

Detailed Description

The syscall filtering concept, and the motivation behind it, is fairly simple: the Linux kernel supports a very large number of system calls (syscalls), over 300 for the 64-bit ABI on x86_64 alone, while a typical application needs only a small subset of them to function normally. Syscall filters let us disable the unneeded syscalls on an application-by-application basis, shrinking the kernel attack surface exposed to that application and reducing the likelihood that a malicious or compromised application can exploit a kernel vulnerability.

The Linux kernel's enhanced (mode-2) seccomp functionality allows an application to install a filter that is applied to its own syscalls; a filter rule can match a syscall by number alone or by number together with a specific set of argument values. The kernel's seccomp filter API takes programs in the Berkeley Packet Filter (BPF) language, the same language used by Linux socket filters, adapted to operate on syscall data rather than packets. The libseccomp library adds an abstraction layer on top of the kernel's seccomp API, giving application developers a friendlier API based on function calls instead of hand-written BPF assembly.

Benefit to Fedora

Increased resistance to exploitation of kernel vulnerabilities from within applications that implement seccomp-based syscall filtering.

Scope

  • Get seccomp into upstream kernel: DONE, present in 3.5-rc1
  • Package libseccomp for Fedora: DONE, present in Fedora Rawhide BZ 830992
  • Get the QEMU/libseccomp patch accepted upstream: DONE, present in 1.2-rc0
  • Update Fedora QEMU package to build against libseccomp: NOT DONE

How To Test

Kernel

  • The traditional kernel regression tests should be performed to ensure that the kernel's seccomp functionality does not affect expected behaviour when no filter is enabled by the application at runtime. Requires Linux >= 3.5 built with CONFIG_SECCOMP_FILTER enabled.

Libseccomp

  • The libseccomp sources contain a series of automated tests which exercise the library's internal seccomp filter generation. Note that these automated tests run the generated filters through a seccomp BPF simulator, not through the kernel, so they do not verify the kernel's enforcement.
  • A simple negative test could be developed to validate that libseccomp and the kernel perform as expected when a syscall is blocked.
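The negative test suggested in the Libseccomp bullet above, as an added example that is not part of this Fedora page, of libseccomp or of QEMU. It exercises the mode-2 seccomp interface from the Detailed Description directly, writing the BPF program by hand rather than through libseccomp, so that the kernel (not a simulator) decides the outcome. The policy is hypothetical: socket() is allowed only for AF_UNIX, any other address family fails with EPERM, and every other syscall is allowed. The function names and the choice of socket() as the filtered call are the example's own. It assumes Linux >= 3.5 built with CONFIG_SECCOMP_FILTER, a little-endian x86_64 or aarch64 host, and a libc whose socket() invokes the socket syscall directly.

```c
/* Hand-written seccomp mode-2 (BPF) filter: added example, not code from
 * the Fedora page, libseccomp or QEMU.  Policy (hypothetical): socket() is
 * allowed only for AF_UNIX, other domains fail with EPERM, all else is
 * allowed.  Assumes Linux >= 3.5 with CONFIG_SECCOMP_FILTER on a
 * little-endian x86_64 or aarch64 host. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* A filter must check seccomp_data.arch first: syscall numbers differ per
 * ABI, and on x86_64 an i386/x32 entry would otherwise be misinterpreted. */
#if defined(__x86_64__)
#define HOST_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define HOST_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Offsets into struct seccomp_data, the view of the syscall the filter sees.
 * BPF loads are 32 bits wide; offsetof(args[0]) is the low half of the 64-bit
 * argument on a little-endian host.  That suffices for socket()'s int domain;
 * a pointer or 64-bit argument needs both halves compared. */
#define SC_ARCH offsetof(struct seccomp_data, arch)
#define SC_NR   offsetof(struct seccomp_data, nr)
#define SC_ARG0 offsetof(struct seccomp_data, args[0])

/* 1 if the kernel accepts SECCOMP_MODE_FILTER, 0 otherwise.  A NULL filter
 * is rejected with EFAULT by a kernel that has filter support and with
 * EINVAL by one that does not; neither outcome installs anything. */
int kernel_supports_filter(void)
{
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL) == -1 && errno == EFAULT;
}

/* Installs the filter for this thread and everything it later forks/execs.
 * Returns 0 on success, -1 with errno set on failure. */
int install_socket_filter(void)
{
    struct sock_filter filter[] = {
        /* 0-2: kill the process on an unexpected ABI */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_ARCH),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, HOST_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* 3-4: any syscall other than socket() is allowed (jump to 8) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_NR),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),
        /* 5-6: socket(): allow only when arg0 (domain) == AF_UNIX */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_ARG0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_UNIX, 1, 0),
        /* 7: any other domain: return EPERM to the caller, syscall not run */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* 8: allow */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };

    /* Required unless the caller has CAP_SYS_ADMIN: a filtered process must
     * not be able to gain privilege through setuid binaries after exec. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Negative-test helper: 0 if socket(domain) succeeded, otherwise its errno. */
int probe_socket(int domain)
{
    int fd = socket(domain, SOCK_STREAM, 0);
    if (fd == -1)
        return errno;
    close(fd);
    return 0;
}

/* 0 = no seccomp, 2 = filter mode (the value newer kernels also show on the
 * "Seccomp:" line of /proc/self/status). */
int current_seccomp_mode(void)
{
    return prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
}

int main(void)
{
    if (!kernel_supports_filter()) {
        fprintf(stderr, "kernel lacks CONFIG_SECCOMP_FILTER\n");
        return 1;
    }
    if (install_socket_filter() == -1) {
        perror("install_socket_filter");
        return 1;
    }
    printf("seccomp mode: %d\n", current_seccomp_mode());
    printf("socket(AF_UNIX): errno %d\n", probe_socket(AF_UNIX));
    printf("socket(AF_INET): errno %d (EPERM is %d)\n", probe_socket(AF_INET), EPERM);
    return 0;
}
```

SECCOMP_RET_ERRNO is used here so the blocked call is observable from inside the process; a filter that should terminate the process on any policy violation returns SECCOMP_RET_KILL instead. Two caveats worth keeping in mind when writing such tests: the filter applies to the whole process, including libc and any other library it loads, so a too-small allow list shows up as spurious EPERM or SIGSYS deep inside unrelated code; and once installed a filter cannot be removed, only tightened by stacking another one, and it is inherited across fork() and execve().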

QEMU

  • The traditional QEMU regression tests should be performed to ensure that QEMU's normal functionality is not impacted by the libseccomp patches. Requires libseccomp >= 1.0.0 and QEMU 1.2. QEMU should be built with the "--enable-libseccomp" flag and run with the "-sandbox on" command line option.

User Experience

Ideally this feature shouldn't be noticeable to the user: the syscall filtering should allow normal execution of the application. The intention is that only people trying to exploit security holes notice that the syscall they are trying to use is blocked :)

Dependencies

  • Kernel updated to 3.5
  • libseccomp included in Fedora
  • QEMU upstream includes support for libseccomp

Applications other than QEMU wishing to use libseccomp only require the kernel and libseccomp support items listed above.

Contingency Plan

Since this is brand new functionality, if it doesn't make it in time for F18, nothing has changed. We just drop this feature page.

Documentation

Release Notes

  • The libseccomp library is now available, which provides applications with an easy way to reduce the potential damage of exploits, leveraging kernel syscall filters. Virtual machines benefit from this as QEMU/KVM now uses libseccomp.

Comments and Discussion