LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Systemd gets seccomp filter support

Systemd gets seccomp filter support

Posted Jul 17, 2012 19:27 UTC (Tue) by mezcalero (subscriber, #45103)
In reply to: Systemd gets seccomp filter support by hmh
Parent article: Systemd gets seccomp filter support

Knowing the syscalls to whitelist is really easy, as strace shows you exactly that.

(Log in to post comments)

Systemd gets seccomp filter support

Posted Jul 17, 2012 19:32 UTC (Tue) by dlang (✭ supporter ✭, #313) [Link]

only if you are sure that you exercise every possible code path while running under strace. otherwise you run the risk of working most of the time, but failing sometimes.

Systemd gets seccomp filter support

Posted Jul 17, 2012 19:36 UTC (Tue) by felixfix (subscriber, #242) [Link]

What if you upgrade a package which introduces new syscalls, then reboot? Bingo, boot fails. That's pretty abrupt.

Systemd gets seccomp filter support

Posted Jul 17, 2012 19:43 UTC (Tue) by mezcalero (subscriber, #45103) [Link]

Almost no service in a systemd install actually causes the boot to fail. Basically only file system mounts can do that, and very little else.

But in general this discussion is really pointless. If you write a syscall filter list, an SELinux policy, a capabilities list, or an apparmor policy: they all have in common that you need a good idea what a specific program is allowed to do and what not. So syscall filter lists have the same "problem" as any other security technology, there is nothing new in this.

Note however that of all these techs listed above writing a syscall filter list is probably by far the easiest though since most admins probably played around with the tool for that at least once in their life: strace.

Systemd gets seccomp filter support

Posted Jul 18, 2012 19:50 UTC (Wed) by lindi (subscriber, #53135) [Link]

strace is not ideal for passively collecting syscall usage statistics of the whole system. I personally use the following systemtap snippet: 
#!/usr/bin/stap
global syscall_usage;

probe syscall.* {
    syscall_usage[execname(), probefunc()]++;
}
probe timer.ms(1000) {
    printf("==== syscall usage statistics\n");
    foreach ([e, s] in syscall_usage-) {
        printf("%s %s %d\n", e, s, syscall_usage[e, s]);
    }
}
Example output from a debian wheezy xen instance: 
==== syscall usage statistics
sshd sys_rt_sigprocmask 1032
sshd sys_select 516
sshd sys_read 258
sshd sys_write 258
watchdog sys_write 98
stapio sys_read 43
stapio sys_ppoll 35
watchdog sys_open 14
watchdog sys_close 14
watchdog sys_lseek 14
watchdog sys_read 14
watchdog sys_nanosleep 14
ntpd sys_select 9
ntpd sys_ioctl 8
ntpd sys_clock_gettime 8
ntpd sys_rt_sigreturn 7
stapio sys_write 6
stapio sys_fcntl 4
ntpd sys_read 3
ntpd sys_close 2
init sys_newstat 2
stapio sys_pselect6 1
ntpd sys_socket 1
ntpd sys_open 1
ntpd sys_newfstat 1
ntpd sys_mmap_pgoff 1
ntpd sys_lseek 1
ntpd sys_munmap 1
init sys_time 1
init sys_newfstat 1
init sys_select 1

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds