From: Will Drewry <firstname.lastname@example.org>
Subject: [PATCH v7 0/8] user-supplied seccomp filtering using BPF
Date: Fri, 10 Feb 2012 22:39:03 -0600
For those who are seeing this patch series for the first time, the goal is to provide tools to reduce the kernel attack surface at its interface point with userspace, system calls. It uses Berkeley Packet Filter programs as the means for user tasks to express their desired system call filtering policy. BPF is robust, has been exposed to user space for quite a while, and is performance oriented.

The reason I am re-including a cover letter with this revision is to explain the expanded scope somewhat. I wanted to ensure that my intentions for this patch series were fully expressed -- even if all the pieces are not merged simultaneously (or at all :).

I'd like for seccomp to be a useful tool to developers and not a last-ditch option. To do so, I've added "behaviors" on top of the classic "allow" and "kill" seccomp behaviors. This series proposes trap, errno, and trace. I believe that these combinations meet the requirements of a wide set of sandbox and software developers, both based on my experience and discussions with others interested in this sort of functionality.

To summarize,

- TRAP allows in-task system call emulation (using the ucontext_t->uc_mcontext_t state) and the generation of core dumps on denied system call, rather than just immediate death.
- ERRNO allows system calls to be dropped without the result of calling them being terminal for the process, such as with lxc. Instead a user-supplied return value is set.
- TRACE allows ptrace sandbox developers to make use of seccomp as the source for system calls where they would like to enforce policy against more than just the contents of the registers.

Also, if you work on a project that has expressed interest in this patch series in the past (qemu, openssh, vsftp, lxc, ...), please speak up! It'd be good to hear that these approaches will meet your needs even if the specific implementations I've managed thus far are imperfect.
I'm looking forward to the feedback, and I hope to reach a point where this series seems viable to be pulled.

Thanks!
will

Will Drewry (8):
  sk_run_filter: add support for custom load_pointer functions
  seccomp: kill the seccomp_t typedef
  seccomp: add system call filtering using BPF
  seccomp: Add SECCOMP_RET_TRAP
  seccomp: add SECCOMP_RET_ERRNO
  ptrace,seccomp: Add PTRACE_SECCOMP support
  x86: Enable HAVE_ARCH_SECCOMP_FILTER
  Documentation: prctl/seccomp_filter

 Documentation/prctl/seccomp_filter.txt |  150 +++++++++++
 arch/Kconfig                           |   12 +
 arch/x86/Kconfig                       |    1 +
 arch/x86/kernel/ptrace.c               |    7 +-
 include/asm-generic/siginfo.h          |    3 +-
 include/linux/Kbuild                   |    1 +
 include/linux/filter.h                 |   44 +++-
 include/linux/ptrace.h                 |    1 +
 include/linux/sched.h                  |    2 +-
 include/linux/seccomp.h                |  141 ++++++++++-
 kernel/fork.c                          |    3 +
 kernel/ptrace.c                        |   10 +
 kernel/seccomp.c                       |  438 ++++++++++++++++++++++++++++++--
 kernel/sys.c                           |    2 +-
 net/core/filter.c                      |   92 ++++++-
 samples/Makefile                       |    2 +-
 samples/seccomp/Makefile               |   31 +++
 samples/seccomp/bpf-direct.c           |  138 ++++++++++
 samples/seccomp/bpf-fancy.c            |   92 +++++++
 samples/seccomp/bpf-helper.c           |   89 +++++++
 samples/seccomp/bpf-helper.h           |  234 +++++++++++++++++
 samples/seccomp/dropper.c              |   50 ++++
 22 files changed, 1498 insertions(+), 45 deletions(-)
 create mode 100644 Documentation/prctl/seccomp_filter.txt
 create mode 100644 samples/seccomp/Makefile
 create mode 100644 samples/seccomp/bpf-direct.c
 create mode 100644 samples/seccomp/bpf-fancy.c
 create mode 100644 samples/seccomp/bpf-helper.c
 create mode 100644 samples/seccomp/bpf-helper.h
 create mode 100644 samples/seccomp/dropper.c
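The filter-return mechanism the cover letter describes, as an added example that is not part of this patch series or its samples/: a user-space evaluator for the subset of classic BPF a seccomp policy uses, run over a constructed policy that answers ERRNO, TRAP or ALLOW per syscall number and KILL for a foreign architecture. It assumes the struct seccomp_data layout and SECCOMP_RET_* values as merged in Linux 3.5 (which may differ from this v7 revision) and x86_64 syscall numbers; the evaluator and the policy are this example's own, not kernel code.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <errno.h>
/* Classic BPF opcode bits and seccomp return codes; values match the Linux uapi headers. */
enum { BPF_LD = 0x00, BPF_W = 0x00, BPF_ABS = 0x20, BPF_JMP = 0x05, BPF_JEQ = 0x10, BPF_K = 0x00, BPF_RET = 0x06 };
enum { SECCOMP_RET_KILL = 0x00000000, SECCOMP_RET_TRAP = 0x00030000, SECCOMP_RET_ERRNO = 0x00050000,
       SECCOMP_RET_TRACE = 0x7ff00000, SECCOMP_RET_ALLOW = 0x7fff0000, SECCOMP_RET_ACTION = 0x7fff0000,
       SECCOMP_RET_DATA = 0x0000ffff };   /* ACTION selects the behaviour, DATA carries errno/cookie */
#define AUDIT_ARCH_X86_64 0xc000003eU

struct sock_filter { uint16_t code; uint8_t jt, jf; uint32_t k; };
struct seccomp_data { int nr; uint32_t arch; uint64_t instruction_pointer; uint64_t args[6]; };
#define BPF_STMT(code, k) { (code), 0, 0, (k) }
#define BPF_JUMP(code, k, jt, jf) { (code), (jt), (jf), (k) }

/* Constructed policy for x86_64: socket(2) fails with EACCES (ERRNO), ptrace(2) raises
 * SIGSYS (TRAP), every other syscall passes (ALLOW), and a foreign arch is killed. */
enum { NR_SOCKET = 41, NR_PTRACE = 101 };   /* x86_64 syscall numbers */
static const struct sock_filter policy[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_SOCKET, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EACCES),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_PTRACE, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Evaluate a filter over one syscall's seccomp_data as the kernel does for the opcodes seccomp
 * policies use; misaligned loads, unknown opcodes and running off the end fail closed to KILL. */
uint32_t run_seccomp_filter(const struct sock_filter *f, size_t len, const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &f[pc];
        if (in->code == (BPF_RET | BPF_K)) return in->k;
        if (in->code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += (acc == in->k) ? in->jt : in->jf; /* from next insn */
        else if (in->code != (BPF_LD | BPF_W | BPF_ABS) || in->k % 4 || in->k + 4 > sizeof *d) return SECCOMP_RET_KILL;
        else memcpy(&acc, (const char *)d + in->k, 4);   /* 32-bit load from seccomp_data */
    }
    return SECCOMP_RET_KILL;
}
uint32_t decide(int nr)   /* fate of one x86_64 syscall number under the policy above */
{
    struct seccomp_data d = { .nr = nr, .arch = AUDIT_ARCH_X86_64 };
    return run_seccomp_filter(policy, sizeof policy / sizeof policy[0], &d);
}
```

Splitting the return value with SECCOMP_RET_ACTION and SECCOMP_RET_DATA is how the kernel recovers the behaviour and the errno (or trace cookie) from the single 32-bit word the filter returns.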