📖

Linux Seccomp

Formula

Group

ConceptOS

Keywords

Last edited time

May 21, 2024 2:57 PM

Slug

Status

Review

Title

Code inside page

Github

👉 Overview
👀 What ?
🧐 Why ?
⛏️ How ?
⏳ When ?
⚙️ Technical Explanations
🖇️ References

👉 Overview

👀 What ?

Seccomp, or Secure Computing Mode, is a Linux kernel feature that provides a means of limiting the system calls a process can make. It is a crucial component of sandboxing applications for increased security, and it helps in reducing the attack surface of the Linux kernel.

🧐 Why ?

Seccomp is important because it provides a mechanism for system administrators and developers to increase the security of a system. By limiting the system calls a process can make, it reduces the potential avenues of attack, making it harder for an attacker to exploit vulnerabilities in a program or in the kernel itself. For readers who are responsible for maintaining the security of Linux systems, understanding and effectively implementing Seccomp can be a significant safeguard against potential cyber threats.

⛏️ How ?

To use Seccomp, one must first identify the minimal set of system calls required by an application, and then create a Seccomp filter that only allows these calls and denies all others. This filter is then applied to the application using the prctl() or seccomp() system call. Because this process requires a deep understanding of the application's operation and the system calls it makes, it may be challenging for beginners. However, tools such as 'strace' can be used to trace the system calls made by an application, making it easier to create an appropriate Seccomp filter.

⏳ When ?

The use of Seccomp became more widespread with the release of Linux kernel 3.5 in July 2012, which introduced 'Seccomp-BPF', a much more flexible and practical version of Seccomp that allows for fine-grained control over system call filtering.

⚙️ Technical Explanations

Seccomp, an abbreviation for Secure Computing Mode, is a security feature in the Linux kernel. Its primary function is to limit the system calls (syscalls) a process can make. Syscalls are requests made by a process to the kernel for performing tasks that the process doesn't have the permissions to perform by itself. Restricting these calls significantly reduces the attack surface and is a vital part of sandboxing applications to enhance security.

To understand Seccomp, you need to know how syscalls work. Each syscall in Linux has a unique number, and when a process makes a syscall, this number, along with its arguments, is stored in CPU registers. Seccomp operates by scrutinizing this syscall number just before the syscall is made.

In Seccomp, a 'Berkeley Packet Filter' (BPF) program decides to allow or deny the syscall. If the BPF program returns 'allow', the syscall proceeds as usual. If it returns 'deny', the process is terminated immediately. This operation method has minimal performance overhead—since the BPF program runs in the kernel, there's no need for a context switch, which could be time-consuming.

Implementing Seccomp involves identifying the minimal set of syscalls required for an application to function and creating a Seccomp filter that permits only these syscalls while denying all others. This filter is then applied to the application using the prctl() or seccomp() syscall. Creating this filter requires a profound understanding of the application's operation and the syscalls it makes, which might be challenging for beginners. However, tools like 'strace' can trace the syscalls an application makes, simplifying the creation of a suitable Seccomp filter.

Seccomp became more prevalent with the release of the Linux kernel 3.5 in July 2012, which introduced 'Seccomp-BPF'. This version offers more flexibility and practicality, enabling fine-grained control over syscall filtering.

Let's take a concrete example to understand the use of Seccomp. We'll create a simple C program and apply a Seccomp filter to it.

First, let's create a simple C program that makes a write() system call:

#include <unistd.h>

int main() {
    write(1, "Hello, World!\\n", 14);
    return 0;
}

Let's compile and run this program:

gcc -o hello hello.c
./hello

The output will be: Hello, World!

Now, let's apply a Seccomp filter to this program to allow only the write() system call. We'll use the libseccomp library for this:

#include <seccomp.h>
#include <unistd.h>

int main() {
    scmp_filter_ctx ctx;

    /* Initialize the Seccomp filter */
    ctx = seccomp_init(SCMP_ACT_KILL);

    /* Allow write() system call */
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);

    /* Load the filter into the kernel */
    seccomp_load(ctx);

    /* Now, the program can only make the write() system call */
    write(1, "Hello, World!\\n", 14);

    seccomp_release(ctx);
    return 0;
}

In this code:

seccomp_init(SCMP_ACT_KILL) initializes a new Seccomp filter that kills the process for any system call not explicitly allowed.
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0); adds a rule to the filter that allows the write() system call.
seccomp_load(ctx); loads the filter into the kernel.

Now, if the program tries to make any system call other than write(), the process will be killed by the kernel. This is how Seccomp can be used to limit the system calls a process can make, enhancing the security of the system.