Task name - Syscall Filtering
Description - Syscall filtering allows an application to define which syscalls it should be allowed to execute.
Owner name - Paul Moore
Owner email - email@example.com
Product manager email - TBD
QE contact email -
Current Status
Target date -
Percentage of completion: 70%
Development Status:
QE status: ACK
QE confidence:
QE risks:
Last updated: 2012-05-22
Priority - 2
Upstream target versions - TBD
Target release - Fedora 18
Test plan - TBD
Unit tests - TBD
Software Assurance Tools (coverity, etc.) - TBD
Security Review and Guidelines - TBD
Review on new and/or changes in Crypto - None expected
Changes in privilege escalation - None expected
Risk 1
Risk description
Improvements to the syscall filtering implementation in the Linux Kernel, also known as "seccomp", have been discussed as far back as 2009 with at least three distinct implementations being submitted upstream; none have been successfully merged into Linus' tree. However, the most recent implementation, using BPF as the filter language, appears to have gained widespread acceptance; the patch's author, Will Drewry, is planning on submitting the patch for inclusion in version 3.5 of the Linux Kernel.
See the following LWN article for a summary of the state of seccomp as of January 2012: https://lwn.net/Articles/475043
Risk level - Low
Risk resolution date - Linux Kernel 3.5 (tentative)
Risk 2
Risk description
The most recent syscall filtering enhancements for the Linux Kernel, also known as "seccomp", are being developed by Will Drewry at Google, presumably for use by Chrome OS and Chrome/Chromium. If we hope to merge seccomp into the mainline kernel we will need to work with Will so as to not further complicate matters.
We made contact with Will Drewry at the 2011 Linux Security Summit and let him know that we are interested in helping however we can; he promised to keep us up to date with his efforts.
Risk level - Low
Risk resolution date - I have spoken with Will and he is aware that both RH and IBM are interested in the effort.
Risk 3
Risk description
Development of a userspace library to abstract the seccomp BPF interface, and patches to QEMU to make use of this new library. While development of the library, libseccomp, has been progressing nicely with the help of additional developers at RH and IBM, the fate of the QEMU patches is much less certain at this point.
Risk level - Low
Risk resolution date - The library will be released alongside the kernel support, i.e. with Linux 3.5-rc1. An initial QEMU RFC patch has been proposed and appears to have been met with favorable comments.
Scope
Business justification - Reducing the kernel attack surface reachable from userspace has the potential to mitigate existing kernel vulnerabilities that a malicious userspace application could otherwise trigger.
Key use cases and deployment scenarios - Virtualization/KVM, network services, multi-user systems, etc.
Benefits - Increased kernel robustness in the face of untrustworthy userspace applications.
Customers/partners - IBM
Hardware architectures - All, hardware independent
Product variants - RHEL based products
Key functional requirements - TBD
How to test - Functional regression testing and negative security testing on the Linux Kernel.
Constraints and limitations - TBD
Documentation
The currently proposed kernel seccomp implementation uses a BPF program as the filter, which lets the application base its decision on more than the syscall number: the filter also sees the calling architecture and the syscall arguments. The proposed patches include documentation added to the kernel source tree, e.g. under Documentation/, as well as some simple example applications; there have also been articles on LWN.net and blog entries by the developers.
The associated userspace library, libseccomp, includes a number of man pages for its different interfaces as part of the repository. There has also been an LWN.net article.
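As an added example (not code from this feature page, from the kernel patches or from libseccomp), the following C program builds one seccomp-bpf filter by hand against the kernel's struct seccomp_data, covering the three things the filter can see that the description above mentions: it kills the process on an architecture mismatch or a ptrace(2) call, refuses socket(2) for any domain other than AF_UNIX or AF_INET with EAFNOSUPPORT, and allows every other syscall. The policy choices (ptrace, the two socket domains) are illustrative; the small interpreter is a local helper for exercising the filter offline against constructed records and is not part of the kernel or libseccomp. Installation goes through the prctl(2) interface listed under Existing documentation and assumes a kernel and headers at 3.5 or later that define SECCOMP_MODE_FILTER, on little-endian x86_64 or aarch64.

```c
/* Added example, not from the feature page, the kernel or libseccomp:
 * a hand-written seccomp-bpf policy plus a toy evaluator for the three
 * classic-BPF opcodes it uses, so the policy can be tested offline. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "example written for little-endian x86_64 / aarch64"
#endif

#define SD_OFF(field) ((unsigned int)offsetof(struct seccomp_data, field))
#define ARG_LO(i) SD_OFF(args[i])        /* low 32 bits of args[i]          */
#define ARG_HI(i) (SD_OFF(args[i]) + 4)  /* high 32 bits (little-endian)    */
#define DENY_AF   (SECCOMP_RET_ERRNO | EAFNOSUPPORT)

/* Policy (illustrative): wrong arch -> kill; ptrace -> kill; socket() only
 * for AF_UNIX/AF_INET, other domains fail with EAFNOSUPPORT; rest allowed.
 * jt/jf in BPF_JUMP count instructions to skip after the jump itself. */
static const struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_OFF(arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_OFF(nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ptrace, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* socket(): args are 64-bit in seccomp_data, so check the high half too */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_HI(0)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, DENY_AF),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(0)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_UNIX, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_INET, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, DENY_AF),
};
#define FILTER_LEN (sizeof filter / sizeof filter[0])

/* Toy evaluator with kernel semantics for LD|W|ABS, JMP|JEQ|K and RET|K;
 * anything else, or an out-of-range load, fails closed. */
static unsigned int run_filter(const struct seccomp_data *d)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < FILTER_LEN; pc++) {
        const struct sock_filter *in = &filter[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + sizeof acc > sizeof *d)
                return SECCOMP_RET_KILL;
            memcpy(&acc, (const unsigned char *)d + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}

/* Decision for one constructed syscall record (arch, number, first arg). */
static unsigned int decide(unsigned int arch, int nr, unsigned long long arg0)
{
    struct seccomp_data d = { .nr = nr, .arch = arch, .args = { arg0 } };
    return run_filter(&d);
}

/* Install for real. PR_SET_NO_NEW_PRIVS lets an unprivileged process load a
 * filter and stops the policy from being used against a later setuid execve. */
static int install_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)FILTER_LEN,
                               .filter = (struct sock_filter *)filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    if (install_filter() != 0) {
        perror("seccomp");
        return 1;
    }
    int fd = socket(AF_PACKET, SOCK_RAW, 0);   /* now refused by the filter */
    printf("socket(AF_PACKET) -> %d (%s)\n", fd, fd < 0 ? strerror(errno) : "ok");
    fd = socket(AF_UNIX, SOCK_STREAM, 0);      /* still permitted */
    printf("socket(AF_UNIX)   -> %d\n", fd);
    if (fd >= 0)
        close(fd);
    return 0;
}
```

Two details are worth noting. The architecture check comes first because syscall numbers differ between ABIs and a filter keyed on the number alone can be confused by a compat entry point. Every argument in seccomp_data is 64 bits wide while classic BPF compares 32-bit words, so a rule that only inspects the low half should be written knowing the kernel may use the whole value for pointer or long arguments; the example applies the same discipline to socket()'s domain. Writing offsets and jump targets by hand is exactly the part libseccomp exists to take over.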
Requirements - TBD
Dependencies - None
Reference links
Upstream project - http://kernel.org
Upstream project - http://libseccomp.sf.net (http://lwn.net/Articles/494252)
Existing documentation - http://www.kernel.org/doc/man-pages/online/pages/man2/prctl.2.html
Bugzilla links
Tracker bug -
QE test plan tracker bug - TBD
Docs tracker bug - TBD