From Fedora Project Wiki
    Task name - Syscall Filtering
 
    Description - Syscall filtering allows applications to define which syscalls they should be allowed to execute; any syscall outside that set is refused by the kernel before the syscall code runs.
 
    Owner name - Paul Moore
 
    Owner email - pmoore@redhat.com
 
    Product manager email - TBD
 
    QE contact email -
 
    Current Status
 
        Target date -
 
        Percentage of completion: 70%
 
        Development Status:
 
        QE status: ACK
 
            QE confidence:
 
            QE risks:
 
  
    Last updated: 2012-05-22
 
 
    Priority - 2
 
    Upstream target versions - TBD
 
    Target release - Fedora 18
 
    Test plan - TBD
 
    Unit tests - TBD
 
    Software Assurance
 
        Tools (coverity, etc.) - TBD
 
        Security Review and Guidelines - TBD
 
        Review on new and/or changes in Crypto - None expected
 
        Changes in privilege escalation - None expected
 
    Risk 1
 
        Risk description
 
 
    Improvements to the syscall filtering implementation in the Linux Kernel, also known as "seccomp", have been discussed as far back as 2009, with at least three distinct implementations submitted upstream; none was merged into Linus' tree.  However, the most recent implementation, which uses BPF as the filter language, appears to have gained widespread acceptance; its author, Will Drewry, plans to submit it for inclusion in version 3.5 of the Linux Kernel.
 
 
    See the following LWN article for a summary on the current state of seccomp (January 2012): https://lwn.net/Articles/475043
 
        Risk level - Low
 
        Risk resolution date - Linux Kernel 3.5 (tentative)
 
    Risk 2
 
        Risk description
 
 
    The most recent syscall filtering enhancements for the Linux Kernel, also known as "seccomp", are being developed by Will Drewry at Google, presumably for use by Chrome OS and Chrome/Chromium.  If we hope to see seccomp filtering merged into the mainline kernel we will need to work with Will rather than add a competing implementation and further complicate matters.
 
 
    We made contact with Will Drewry at the 2011 Linux Security Summit and let him know that we are interested in helping however we can; he promised to keep us up to date with his efforts.
 
        Risk level - Low
 
        Risk resolution date - I have spoken with Will and he is aware that both RH and IBM are interested in the effort.
 
    Risk 3
 
        Risk description
 
 
    This task also covers development of a userspace library, libseccomp, to abstract the seccomp BPF interface, and patches to QEMU to make use of that library.  While development of libseccomp has been progressing nicely with the help of additional developers at RH and IBM, the fate of the QEMU patches is much less certain at this point.
 
        Risk level - Low
 
        Risk resolution date - The library will be released alongside the kernel support, e.g. with Linux 3.5-rc1.  An initial QEMU RFC patch has been proposed and appears to have been met with favorable comments.
 
    Scope
 
        Business justification - Reducing the kernel's exposure to userspace has the potential to mitigate existing kernel vulnerabilities that a malicious userspace application could otherwise trigger through syscalls it does not need.
 
        Key use cases and deployment scenarios - Virtualization/KVM, network services, multi-user systems, etc.
 
        Benefits - Increased kernel robustness in the face of untrustworthy userspace applications.
 
        Customers/partners - IBM
 
        Hardware architectures - All, hardware independent
 
        Product variants - RHEL based products
 
        Key functional requirements - TBD
 
        How to test - Functional regression testing and negative security testing on the Linux Kernel.
 
        Constraints and limitations - TBD
 
    Documentation
 
 
The currently proposed kernel seccomp implementation uses a BPF-based filter, which lets the application specify basic filtering rules beyond just the syscall number (e.g. on the architecture and on syscall arguments).  The proposed patches include documentation added to the kernel source tree (under Documentation/) as well as some simple example applications; there have also been LWN.net articles and blog entries by the developers.
 
 
The associated userspace library, libseccomp, includes man pages for its various interfaces as part of the repository.  There has also been an LWN.net article.
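The filter mechanism described in the two paragraphs above, as an added example that is not code from the Fedora page, from the kernel patches or from libseccomp: a seccomp-bpf program written with the kernel's classic BPF macros that checks the architecture, the syscall number and, for write(2), the file descriptor argument. A small evaluator for the three BPF opcodes the program uses lets the policy be exercised offline on constructed seccomp_data inputs before prctl(2) installs it for real. It assumes Linux UAPI headers that carry seccomp filter mode (3.5 or later); FILTER_ARCH, ARG0_LO, run_filter, decide and install_filter are this example's own names, and the evaluator is a toy, not the kernel's BPF engine.

```c
/* Added example (not from the Fedora page, the kernel patches or libseccomp):
 * a seccomp-bpf filter built with the kernel's classic BPF macros, plus a toy
 * evaluator so the policy can be checked offline on constructed seccomp_data
 * inputs before prctl(2) installs it. Assumes Linux UAPI headers with filter mode. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Syscall numbers differ per ABI, so the filter pins the arch it was built for. */
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
/* Classic BPF loads 32-bit words but args[] are 64-bit: address the low half. */
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#define ARG0_LO offsetof(struct seccomp_data, args[0])
#else
#define ARG0_LO (offsetof(struct seccomp_data, args[0]) + 4)
#endif

/* Policy: read/exit/exit_group/rt_sigreturn allowed; write allowed only on fd 1
 * or 2 (EPERM otherwise); wrong arch or any other syscall kills the process.
 * A jump lands at pc + 1 + jt (taken) or pc + 1 + jf (not taken). */
static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_write, 6, 0),        /* -> fd check */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_read, 3, 0),         /* -> allow */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, 2, 0),   /* -> allow */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit, 1, 0),         /* -> allow */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_rt_sigreturn, 0, 1), /* allow / kill */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG0_LO),                 /* write(fd, ...) */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, STDOUT_FILENO, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, STDERR_FILENO, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
};
static const struct sock_fprog prog = { sizeof(filter) / sizeof(filter[0]), filter };

/* Toy evaluator for the three opcodes used above (not the kernel's BPF engine):
 * returns the SECCOMP_RET_* action the kernel would take for one seccomp_data. */
static uint32_t run_filter(const struct sock_fprog *p, const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (unsigned pc = 0; pc < p->len; pc++) {
        const struct sock_filter *in = &p->filter[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS)) {
            if (in->k % 4 || in->k + 4 > sizeof(*d))
                return SECCOMP_RET_KILL;      /* kernel refuses such loads at install */
            memcpy(&acc, (const unsigned char *)d + in->k, 4);
        } else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K)) {
            pc += acc == in->k ? in->jt : in->jf;
        } else if (in->code == (BPF_RET | BPF_K)) {
            return in->k;
        } else {
            return SECCOMP_RET_KILL;          /* opcode this evaluator does not model */
        }
    }
    return SECCOMP_RET_KILL;                  /* no final return: kernel rejects these */
}

/* What would the filter do with syscall nr, first argument arg0, on arch? */
static uint32_t decide(uint32_t arch, int nr, uint64_t arg0)
{
    struct seccomp_data d = { .nr = nr, .arch = arch, .args = { arg0 } };
    return run_filter(&prog, &d);
}

/* NO_NEW_PRIVS first: needed for unprivileged callers, and it keeps a later setuid
 * exec from running under a filter that silently turns syscalls into errors. */
static int install_filter(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

#define SAY(fd, s) (void)write((fd), (s), sizeof(s) - 1)
int main(void)
{
    if (install_filter())
        return 1;
    SAY(STDOUT_FILENO, "write to fd 1 allowed\n");
    if (write(3, "x", 1) < 0 && errno == EPERM)
        SAY(STDERR_FILENO, "write to fd 3 refused with EPERM by the filter\n");
    _exit(0);           /* exit_group; returning would let libc issue other syscalls */
}
```

Build with `cc -Wall` and run it: the first write succeeds and the second comes back with EPERM without the kernel ever entering sys_write. Two caveats a practitioner should know: the filter only looks at the low 32 bits of args[0], which matches how the kernel treats an int fd but is not enough for pointer or size arguments, and on x86_64 checking arch alone still admits x32 syscall numbers (those with bit 0x40000000 set), so a production filter should also reject such nr values. libseccomp generates equivalent programs from seccomp_rule_add() calls, which is the jump-offset bookkeeping above that nobody wants to maintain by hand.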
 
 
    Requirements - TBD
 
    Dependencies - None
 
    Reference links
 
        Upstream project - http://kernel.org
 
        Upstream project - http://libseccomp.sf.net (http://lwn.net/Articles/494252)
 
        Existing documentation - http://www.kernel.org/doc/man-pages/online/pages/man2/prctl.2.html
 
    Bugzilla links
 
        Tracker bug -
 
        QE test plan tracker bug - TBD
 
        Docs tracker bug - TBD
 

Latest revision as of 10:13, 4 June 2012