Yet another new approach to seccomp [LWN.net]

By Jonathan Corbet
January 11, 2012

Over the years, we have seen a number of attempts to use the seccomp ("secure computing") mechanism to reduce the range of operations available to a given process. The hope is to use such a mechanism as part of a sandboxing solution that would allow (for example) a web browser to run third-party code in a safer manner. Thus far, all of these attempts have gone down in flames; see Seccomp filters: no clear path from last May for the most recent episode in this particular story.

Things have been quiet on the seccomp front recently - until now. Will Drewry, who has been behind the recent attempts to enhance seccomp, has come up with an interesting new approach to the problem. Whether this attempt will be more successful than its predecessors remains to be seen, but Will has managed to step around some of the traps that doomed his previous attempt.

In the last seccomp discussion, there was a fair amount of pressure to adapt the kernel's tracing infrastructure to this task; there was also resistance to using that infrastructure in that way. As explained in detail in the patch posting, Will has come to the conclusion that the tracing infrastructure is not really fit for the task anyway:

At every turn, it appears that the tracing infrastructure was unsuited for being used for attack surface reduction or as a larger security subsystem on its own. It is well suited for feeding a policy enforcement mechanism (like seccomp), but not for letting the logic co-exist. It doesn't mean that it has security problems, just that there will be a continued struggle between having a really good perf system and and really good kernel attack surface reduction system if they were merged.

Will's new approach has a stroke of brilliance to it: rather than use the ftrace filter mechanism, he has repurposed the networking layer's packet filtering mechanism (BPF). The BPF code normally operates on packets; in the seccomp context, instead, it operates on the register set at the time of each system call. The registers will contain the system call number and its parameters, allowing the filter to make a wide range of decisions on what will (or will not) be allowed. BPF is also well-maintained and well-optimized code; it even has an in-kernel just-in-time compiler. Some of these advantages are lost because seccomp uses its own BPF interpreter; one assumes that a way could be found to merge the two implementations if the underlying idea looks like it will pass muster.

As of this writing, there has not really been time for comments on the new patch. It will be interesting to see what the developers think. Meanwhile, those wanting more information should see the patch posting and the documentation file, which includes a sample program showing how to use the new facility.

(Log in to post comments)

architecture independent seccomp policies

Posted Jun 1, 2012 16:57 UTC (Fri) by whacker (guest, #55546) [Link]

How does this stop implementing syscalls in their own code?

architecture independent seccomp policies

Posted Jul 17, 2012 18:34 UTC (Tue) by pcmoore (guest, #37989) [Link]

See libseccomp -> https://lwn.net/Articles/494252

Yet another new approach to seccomp

Posted Jan 13, 2012 1:32 UTC (Fri) by ebiederm (subscriber, #35028) [Link]

BPF is nice because it is trivial to verify and does not allow backwards branches.

It seems an obvious choice of scripting engine for filtering to me.

Yet another new approach to seccomp

Posted Jul 24, 2012 6:51 UTC (Tue) by jamesmorris (subscriber, #82698) [Link]

All great ideas seem "obvious" after the fact.

It's an inspired work of engineering.

Yet another new approach to seccomp

Posted Jan 15, 2012 10:20 UTC (Sun) by liljencrantz (guest, #28458) [Link]

You mean like Lunatik, the Lua interpreter embedded in the NetBSD kernel?

Yet another new approach to seccomp

Posted Jan 15, 2012 22:17 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link]

/me runs away screaming