user-supplied seccomp filtering using BPF

From: Will Drewry <wad@chromium.org>
To: linux-kernel@vger.kernel.org
Subject: [PATCH v7 0/8] user-supplied seccomp filtering using BPF
Date: Fri, 10 Feb 2012 22:39:03 -0600
Message-ID: <1328935151-6908-1-git-send-email-wad@chromium.org>
Cc: keescook@chromium.org, john.johansen@canonical.com, serge.hallyn@canonical.com,
    coreyb@linux.vnet.ibm.com, pmoore@redhat.com, eparis@redhat.com, djm@mindrot.org,
    torvalds@linux-foundation.org, segoon@openwall.com, rostedt@goodmis.org,
    jmorris@namei.org, scarybeasts@gmail.com, avi@redhat.com, penberg@cs.helsinki.fi,
    viro@zeniv.linux.org.uk, wad@chromium.org, luto@mit.edu, mingo@elte.hu,
    akpm@linux-foundation.org, khilman@ti.com, borislav.petkov@amd.com,
    amwang@redhat.com, oleg@redhat.com, ak@linux.intel.com, eric.dumazet@gmail.com,
    gregkh@suse.de, dhowells@redhat.com, daniel.lezcano@free.fr,
    linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org,
    olofj@chromium.org, mhalcrow@google.com, dlaor@redhat.com, corbet@lwn.net,
    alan@lxorguk.ukuu.org.uk, indan@nul.nu, mcgrathr@chromium.org, davem@davemloft.net,
    vapier@gentoo.org, heiko.carstens@de.ibm.com, shemminger@vyatta.com,
    paulmck@linux.vnet.ibm.com, joe@perches.com, netdev@vger.kernel.org,
    peterz@infradead.org, cl@linux.com, robert.richter@amd.com,
    laurent.pinchart@ideasonboard.com, mchehab@redhat.com, hverkuil@xs4all.nl,
    arnd@arndb.de, tj@kernel.org, axboe@kernel.dk, a.p.zijlstra@chello.nl,
    gregkh@linuxfoundation.org, paul.gortmaker@windriver.com

For those who are seeing this patch series for the first time,
the goal is to provide tools to reduce the kernel attack surface
at its interface point with userspace, system calls.
It uses Berkeley Packet Filter programs as the means for user tasks
to express their desired system call filtering policy. BPF is robust,
has been exposed to user space for quite a while, and is performance
oriented.

The reason I am re-including a cover letter with this revision is to
explain the expanded scope somewhat. I wanted to ensure that my
intentions for this patch series were fully expressed -- even if all the
pieces are not merged simultaneously (or at all :). I'd like for
seccomp to be a useful tool to developers and not a last-ditch option.
To do so, I've added "behaviors" on top of the classic "allow" and "kill"
seccomp behaviors. This series proposes trap, errno, and trace. I
believe that these combinations meet the requirements of a wide set of
sandbox and software developers, both based on my experience and
discussions with others interested in this sort of functionality.

To summarize,
- TRAP allows in-task system call emulation (using the
  ucontext_t->uc_mcontext_t state) and the generation of core dumps on
  denied system calls, rather than just immediate death.
- ERRNO allows system calls to be dropped without the result of calling
  them being terminal for the process, such as with lxc. Instead a
  user-supplied return value is set.
- TRACE allows ptrace sandbox developers to make use of seccomp as the
  source for system calls where they would like to enforce policy
  against more than just the contents of the registers.

Also, if you work on a project that has expressed interest in this patch
series in the past (qemu, openssh, vsftp, lxc, ...), please speak up!
It'd be good to hear that these approaches will meet your needs even if
the specific implementations I've managed thus far are imperfect.

I'm looking forward to the feedback, and I hope to reach a point where
this series seems viable to be pulled.

Thanks!
will

Will Drewry (8):
sk_run_filter: add support for custom load_pointer functions
seccomp: kill the seccomp_t typedef
seccomp: add system call filtering using BPF
seccomp: Add SECCOMP_RET_TRAP
seccomp: add SECCOMP_RET_ERRNO
ptrace,seccomp: Add PTRACE_SECCOMP support
x86: Enable HAVE_ARCH_SECCOMP_FILTER
Documentation: prctl/seccomp_filter
Documentation/prctl/seccomp_filter.txt | 150 +++++++++++
arch/Kconfig | 12 +
arch/x86/Kconfig | 1 +
arch/x86/kernel/ptrace.c | 7 +-
include/asm-generic/siginfo.h | 3 +-
include/linux/Kbuild | 1 +
include/linux/filter.h | 44 +++-
include/linux/ptrace.h | 1 +
include/linux/sched.h | 2 +-
include/linux/seccomp.h | 141 ++++++++++-
kernel/fork.c | 3 +
kernel/ptrace.c | 10 +
kernel/seccomp.c | 438 ++++++++++++++++++++++++++++++--
kernel/sys.c | 2 +-
net/core/filter.c | 92 ++++++-
samples/Makefile | 2 +-
samples/seccomp/Makefile | 31 +++
samples/seccomp/bpf-direct.c | 138 ++++++++++
samples/seccomp/bpf-fancy.c | 92 +++++++
samples/seccomp/bpf-helper.c | 89 +++++++
samples/seccomp/bpf-helper.h | 234 +++++++++++++++++
samples/seccomp/dropper.c | 50 ++++
22 files changed, 1498 insertions(+), 45 deletions(-)
create mode 100644 Documentation/prctl/seccomp_filter.txt
create mode 100644 samples/seccomp/Makefile
create mode 100644 samples/seccomp/bpf-direct.c
create mode 100644 samples/seccomp/bpf-fancy.c
create mode 100644 samples/seccomp/bpf-helper.c
create mode 100644 samples/seccomp/bpf-helper.h
create mode 100644 samples/seccomp/dropper.c
--
1.7.5.4
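The following program is an added illustration of the ALLOW / ERRNO / TRAP / KILL return values the cover letter summarizes; it is not code from this series or from the kernel's samples/seccomp directory. It uses the prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...) interface and the SECCOMP_RET_* constants as they exist in today's <linux/seccomp.h>, and it calls PR_SET_NO_NEW_PRIVS first because current kernels require no_new_privs (or CAP_SYS_ADMIN) before an unprivileged task may install a filter, a rule this cover letter does not discuss. The policy itself (deny socket() with EACCES, trap uname() to a SIGSYS handler, allow everything else) is a constructed sample, and run_filter() is a small evaluator of just the three classic-BPF opcodes the sample uses, added so the policy can be checked in user space before it is installed; it is not the kernel's BPF engine. The SIGSYS handler shows the in-task emulation the letter mentions by writing -ENOSYS into the saved return register (x86_64 and aarch64 only).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE           /* exposes REG_RAX and uc_mcontext.gregs on x86_64 */
#endif
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/utsname.h>

#ifndef SECCOMP_RET_ACTION_FULL
#define SECCOMP_RET_ACTION_FULL 0xffff0000U   /* older headers only carry SECCOMP_RET_ACTION */
#endif

/* Check the arch word before the syscall number: numbers differ between ABIs. */
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define LOAD_FIELD(f) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, f))

/* Sample policy (constructed for this example): socket() -> EACCES, uname() -> SIGSYS, rest allowed. */
static struct sock_filter filter[] = {
    LOAD_FIELD(arch),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),  /* arch ok: skip the KILL */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    LOAD_FIELD(nr),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 1),  /* match: fall into RET, else skip it */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_uname, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
static struct sock_fprog prog = { .len = sizeof(filter) / sizeof(filter[0]), .filter = filter };

/* Toy evaluator for the opcodes used above (LD|W|ABS, JMP|JEQ|K, RET|K), mirroring the kernel's
 * rules: loads must be 4-byte aligned inside struct seccomp_data, and a program must end in RET. */
static uint32_t run_filter(const struct sock_fprog *p, const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (unsigned pc = 0; pc < p->len; pc++) {
        const struct sock_filter *in = &p->filter[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k % 4 != 0 || in->k + 4 > sizeof(*sd))
                return SECCOMP_RET_KILL;                   /* the kernel verifier rejects this */
            memcpy(&acc, (const unsigned char *)sd + in->k, sizeof(acc));
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL;                       /* opcode not modelled here */
        }
    }
    return SECCOMP_RET_KILL;                               /* fell off the end: not loadable */
}

/* Evaluate the sample policy for one (syscall number, arch) pair without installing it. */
static uint32_t decide(int nr, uint32_t arch)
{
    struct seccomp_data sd;
    memset(&sd, 0, sizeof(sd));
    sd.nr = nr;
    sd.arch = arch;
    return run_filter(&prog, &sd);
}

static volatile sig_atomic_t trapped_nr = -1;

/* SECCOMP_RET_TRAP delivers SIGSYS with si_syscall set; rewriting the saved return register
 * is the in-task emulation the cover letter describes. */
static void sigsys_handler(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = ctx;
    (void)sig; (void)uc;
    trapped_nr = si->si_syscall;
#if defined(__x86_64__) && defined(REG_RAX)
    uc->uc_mcontext.gregs[REG_RAX] = -ENOSYS;   /* caller sees uname() == -1, errno == ENOSYS */
#elif defined(__aarch64__)
    uc->uc_mcontext.regs[0] = -ENOSYS;
#endif
}

static int install_filter(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)   /* required on current kernels */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    struct sigaction sa;
    struct utsname u;
    memset(&sa, 0, sizeof(sa));
    sa.sa_sigaction = sigsys_handler;
    sa.sa_flags = SA_SIGINFO;
    sigaction(SIGSYS, &sa, NULL);
    if (install_filter() != 0) { perror("install_filter"); return 1; }
    int fd = socket(AF_INET, SOCK_STREAM, 0);           /* ERRNO rule: -1 with errno EACCES */
    printf("socket(): %d, errno %d (EACCES is %d)\n", fd, errno, EACCES);
    int r = uname(&u);                                   /* TRAP rule: SIGSYS, emulated result */
    printf("uname(): %d, errno %d, trapped syscall nr %d\n", r, errno, (int)trapped_nr);
    return 0;
}
```

Build with `gcc -O2 -o seccomp-demo seccomp-demo.c` and run it on a kernel with CONFIG_SECCOMP_FILTER; the filter stays attached to the process for its whole life, so install it after the program has opened whatever it needs, and note that TRACE is not exercised here because it needs a ptrace-attached tracer to act on the stop.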