path: root/security
diff options
authorWill Drewry <wad@chromium.org>2011-07-27 11:27:07 -0500
committerJohn Rigby <john.rigby@linaro.org>2011-11-16 14:26:28 -0700
commitf962be6d9774de958c260cbc41a52ba04c5e2d61 (patch)
treea7944e479d84f2598e7380ca1c2fc0a6df7e4e67 /security
parentbf68901474a217daa6e9ae64204fa106b88e13e6 (diff)
UBUNTU: SAUCE: seccomp_filter: new mode with configurable syscall filters
This change adds a new seccomp mode which specifies the allowed system calls dynamically. When in the new mode (13), all system calls are checked against process-defined filters - first by system call number, then by a filter string. If an entry exists for a given system call and all filter predicates evaluate to true, then the task may proceed. Otherwise, the task is killed. Filter string parsing and evaluation is handled by the ftrace filter engine. Related patches tweak to the perf filter trace and free allowing the calls to be shared. Filters inherit their understanding of types and arguments for each system call from the CONFIG_FTRACE_SYSCALLS subsystem which already populates this information in syscall_metadata associated enter_event (and exit_event) structures. If CONFIG_FTRACE_SYSCALLS is not compiled in, only filter strings of "1" will be allowed. The net result is a process may have its system calls filtered using the ftrace filter engine's inherent understanding of systems calls. The set of filters is specified through the PR_SET_SECCOMP_FILTER argument in prctl(). For example, a filterset for a process, like pdftotext, that should only process read-only input could (roughly) look like: sprintf(rdonly, "flags == %u", O_RDONLY|O_LARGEFILE); type = PR_SECCOMP_FILTER_SYSCALL; prctl(PR_SET_SECCOMP_FILTER, type, __NR_open, rdonly); prctl(PR_SET_SECCOMP_FILTER, type, __NR__llseek, "1"); prctl(PR_SET_SECCOMP_FILTER, type, __NR_brk, "1"); prctl(PR_SET_SECCOMP_FILTER, type, __NR_close, "1"); prctl(PR_SET_SECCOMP_FILTER, type, __NR_exit_group, "1"); prctl(PR_SET_SECCOMP_FILTER, type, __NR_fstat64, "1"); prctl(PR_SET_SECCOMP_FILTER, type, __NR_mmap2, "1"); prctl(PR_SET_SECCOMP_FILTER, type, __NR_munmap, "1"); prctl(PR_SET_SECCOMP_FILTER, type, __NR_read, "1"); prctl(PR_SET_SECCOMP_FILTER, type, __NR_write, "fd == 1 || fd == 2"); prctl(PR_SET_SECCOMP, 13); Subsequent calls to PR_SET_SECCOMP_FILTER for the same system call will be &&'d together to ensure that attack surface may only be reduced: prctl(PR_SET_SECCOMP_FILTER, __NR_write, "fd != 2"); With the earlier example, the active filter becomes: "(fd == 1 || fd == 2) && (fd != 2)" The patch also adds PR_CLEAR_SECCOMP_FILTER and PR_GET_SECCOMP_FILTER. The latter returns the current filter for a system call to userspace: prctl(PR_GET_SECCOMP_FILTER, type, __NR_write, buf, bufsize); while the former clears any filters for a given system call changing it back to a defaulty deny: prctl(PR_CLEAR_SECCOMP_FILTER, type, __NR_write); Note, type may be either PR_SECCOMP_FILTER_EVENT or PR_SECCOMP_FILTER_SYSCALL. This allows for ftrace event ids to be used in lieu of system call numbers. At present, only syscalls:sys_enter_* event id are supported, but this allows for potential future extension of the backend. v11: - Use mode "13" to avoid future overlap; with comment update - Use kref; extra memset; other clean up from msb@chromium.org - Cleaned up Makefile object merging since locally shared symbols are gone v10: - Note that PERF_EVENTS are also needed for ftrace filter engine support. - Removed dependency on ftrace code changes for event_filters (wrapping with perf_events and violating opaqueness for the filter str) - pulled in all the hacks to get access to syscall_metadata and build call objects for filter evaluation. v9: - rebase on to de505e709ffb09a7382ca8e0d8c7dbb171ba5 - disallow PR_SECCOMP_FILTER_EVENT when a compat task is calling as ftrace has no compat_syscalls awareness yet. - return -ENOSYS when filter engine strings are used on a compat call as there are no compat_syscalls events to reference yet. v8: - expand parenthical use during SET_SECCOMP_FILTER to avoid operator precedence undermining attack surface reduction (caught by segoon@openwall.com). Opted to waste bytes on () than reparse to avoid OP_OR precedence overriding extend_filter's intentions. - remove more lingering references to @state - fix incorrect compat mismatch check (anyone up for a Tested-By?) v7: - disallow seccomp_filter inheritance across fork except when seccomp is active. This avoids filters leaking across processes when they are not actively in use but ensure an allowed fork/clone doesn't drop filters. - remove the Mode: print from show as it reflected current and not the filters holder. v6: - clean up minor unnecessary changes (empty lines, ordering, etc) - fix one overly long line - add refcount overflow BUG_ON v5: - drop mutex usage when the task_struct is safe to access directly v4: - move off of RCU to a read/write guarding mutex after paulmck@linux.vnet.ibm.com's feedback (mem leak, rcu fail) - stopped inc/dec refcounts in mutex guard sections - added required changes to init the mutex in INIT_TASK and safely lock around fork inheritance. - added id_type support to the prctl interface to support using ftrace event ids as an alternative to syscall numbers. Behavior is identical otherwise (as per discussion with mingo@elte.hu) v3: - always block execve calls (as per torvalds@linux-foundation.org) - add __NR_seccomp_execve(_32) to seccomp-supporting arches - ensure compat tasks can't reach ftrace:syscalls - dropped new defines for seccomp modes. - two level array instead of hlists (sugg. by olofj@chromium.org) - added generic Kconfig entry that is not connected. - dropped internal seccomp.h - move prctl helpers to seccomp_filter - killed seccomp_t typedef (as per checkpatch) v2: - changed to use the existing syscall number ABI. - prctl changes to minimize parsing in the kernel: prctl(PR_SET_SECCOMP, {0 | 1 | 2 }, { 0 | ON_EXEC }); prctl(PR_SET_SECCOMP_FILTER, __NR_read, "fd == 5"); prctl(PR_CLEAR_SECCOMP_FILTER, __NR_read); prctl(PR_GET_SECCOMP_FILTER, __NR_read, buf, bufsize); - defined PR_SECCOMP_MODE_STRICT and ..._FILTER - added flags - provide a default fail syscall_nr_to_meta in ftrace - provides fallback for unhooked system calls - use -ENOSYS and ERR_PTR(-ENOSYS) for stubbed functionality - added kernel/seccomp.h to share seccomp.c/seccomp_filter.c - moved to a hlist and 4 bit hash of linked lists - added support to operate without CONFIG_FTRACE_SYSCALLS - moved Kconfig support next to SECCOMP - made Kconfig entries dependent on EXPERIMENTAL - added macros to avoid ifdefs from kernel/fork.c - added compat task/filter matching - drop seccomp.h inclusion in sched.h and drop seccomp_t - added Filtering to "show" output - added on_exec state dup'ing when enabling after a fast-path accept. Signed-off-by: Will Drewry <wad@chromium.org> BUG=chromium-os:14496 TEST=built in x86-alex. Out of tree commandline helper test confirms functionality works. Will check in a test into the minijail repo which can be used from autotest. Change-Id: I901595e3399914783739d113a058d83550ddf8e2 Reviewed-on: http://gerrit.chromium.org/gerrit/4814 Reviewed-by: Sonny Rao <sonnyrao@chromium.org> Tested-by: Will Drewry <wad@chromium.org> Signed-off-by: Kees Cook <kees.cook@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Diffstat (limited to 'security')
1 files changed, 17 insertions, 0 deletions
diff --git a/security/Kconfig b/security/Kconfig
index 77823461d5a..600de40a327 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -2,6 +2,10 @@
# Security configuration
+# Make seccomp filter Kconfig switch below available
+ bool
menu "Security options"
config KEYS
@@ -82,6 +86,19 @@ config SECURITY_DMESG_RESTRICT
If you are unsure how to answer this question, answer N.
+ bool "Enable seccomp-based system call filtering"
+ select SECCOMP
+ help
+ This kernel feature expands CONFIG_SECCOMP to allow computing
+ in environments with reduced kernel access dictated by the
+ application itself through prctl calls. If
+ CONFIG_FTRACE_SYSCALLS and PERF_EVENTS are available, then
+ system call argument-based filtering predicates may be used.
+ See Documentation/prctl/seccomp_filter.txt for more detail.
bool "Enable different security models"
depends on SYSFS