Features/Syscall Filters

From FedoraProject

< Features(Difference between revisions)
Jump to: navigation, search
(How To Test)
m (Dependencies)
Line 60: Line 60:
 
== Dependencies ==
 
== Dependencies ==
 
* Kernel updated to 3.5
 
* Kernel updated to 3.5
* libseccomp packaged
+
* libseccomp included in Fedora
* QEMU updated to 1.2
+
* QEMU upstream includes support for libseccomp
  
Any other apps that want to use this functionality need the the first two bits.
+
Applications other than QEMU wishing to use libseccomp only require the kernel and libseccomp support items listed above.
  
 
== Contingency Plan ==
 
== Contingency Plan ==

Revision as of 21:11, 15 June 2012


Contents

Syscall Filters

Summary

Syscall filtering is a security mechanism that allows applications to define which syscalls they should be allowed to execute.

Owner

  • Name: Cole Robinson
  • Email: crobinso@redhat.com
  • Name: Paul Moore
  • Email: pmoore@redhat.com

Current status

  • Targeted release: Fedora 18
  • Last updated: June 6 2012
  • Percentage of completion: 40%

Detailed Description

Benefit to Fedora

Improved security for applications that use syscall filtering.

Scope

  • Get seccomp into upstream kernel: DONE, present in 3.5-rc1
  • Package libseccomp for Fedora: IN PROGRESS (waiting on review), BZ 830992
  • Get the QEMU/libseccomp patch accepted upstream: IN PROGRESS (v2 patch posted on June 13th by IBM)
  • Update Fedora QEMU package to build against libseccomp: NOT DONE

How To Test

Kernel

  • The traditional kernel regression tests should be preformed to ensure that the kernel's seccomp functionality does not impact the expected functionality when not enabled by the application at runtime.

Libseccomp

  • The libseccomp sources contain a series of automated tests which can be used to test the library's internal seccomp filter generation. It is important to note that these automated tests are tested via a seccomp BPF simulator and not the kernel.
  • A simple negative test could be developed to validate that libseccomp and the kernel perform as expected when a syscall is blocked.

QEMU

  • The traditional QEMU regression tests should be performed to ensure that QEMU's normal functionality is not impacted by the libseccomp patches.

User Experience

Ideally this feature shouldn't be noticeable to the user, the syscall filtering should allow normal execution of the application. Intention is that only people trying to exploit security holes notice that the syscall they are trying to use is blocked :)

Dependencies

  • Kernel updated to 3.5
  • libseccomp included in Fedora
  • QEMU upstream includes support for libseccomp

Applications other than QEMU wishing to use libseccomp only require the kernel and libseccomp support items listed above.

Contingency Plan

Since this is brand new functionality, if it doesn't make it in time for F18, nothing has changed. We just drop this feature page.

Documentation

Release Notes

Comments and Discussion