Seccomp (Secure Computing Mode)

From Bauman National Library
This page was last modified on 24 December 2015, at 10:39.

Seccomp (short for secure computing mode) is a computer security facility that provides an application sandboxing mechanism in the Linux kernel; it was merged into the Linux kernel mainline in kernel version 2.6.12, which was released on March 8, 2005.[1] seccomp allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will terminate the process with SIGKILL. In this sense, it does not virtualize the system's resources but isolates the process from them entirely.

Seccomp mode is enabled via the system call using the PR_SET_SECCOMP argument, or (since Linux kernel 3.17[2]) via the system call.[3] seccomp mode used to be enabled by writing to a file, /proc/self/seccomp, but this method was removed in favor of prctl().[4] In some kernel versions, seccomp disables the RDTSC x86 instruction.[5]

seccomp-bpf

seccomp-bpf is an extension to seccomp[6] that allows filtering of system calls using a configurable policy implemented using Berkeley Packet Filter rules. It is used by OpenSSH and vsftpd as well as the Google Chrome/Chromium web browsers on Chrome OS and Linux.[7]

Uses

  • seccomp was first devised by Andrea Arcangeli in January 2005 for use in public grid computing and was originally intended as a means of safely running untrusted compute-bound programs.
  • Arcangeli's CPUShare was the only known user of this feature.[8] Writing in February 2009, Linus Torvalds expresses doubt whether seccomp is actually used by anyone.[9] However, a Google engineer replied that Google is exploring using seccomp for sandboxing its Chrome web browser.[10][11]
  • As of Chrome version 20, seccomp-bpf is used to sandbox Adobe Flash Player.[12]
  • As of Chrome version 23, seccomp-bpf is used to sandbox the renderers.[13]
  • Vsftpd uses seccomp-bpf sandboxing as of version 3.0.0.[14]
  • OpenSSH has supported seccomp-bpf since version 6.0.[15]
  • Mbox uses ptrace along with seccomp-bpf to create a secure sandbox with less overhead than ptrace alone.[16]
  • LXD, which is a "hypervisor" for containers[17][18]
  • Firefox and FirefoxOS use seccomp-bpf to sandbox the child processes and certain plugins.[19][20]
  • Cjdns uses seccomp-bpf as one of its sandbox mechanisms, filtering the system calls it performs on a Linux system, and strictly limiting its access to the outside world.[21]

References

  1. PATCH seccomp: secure computing support
  2. Linux kernel 3.17, Section 11. Security
  3. Seccomp: add "seccomp" syscall |work=kernel/git/torvalds/linux.git - Linux kernel source tree
  4. title =PATCH 1 of 2 move seccomp from /proc to a prctl
  5. Time-stamp counter disabling oddities in the Linux kernel
  6. Yet another new approach to seccomp
  7. A safer playground for your Linux and Chrome OS renderers
  8. Re: stable PATCH 2/2 x86-64: seccomp: fix 32/64 syscall hole
  9. Re: PATCH 2/2 x86-64: seccomp: fix 32/64 syscall hole
  10. Re: PATCH 2/2 x86-64: seccomp: fix 32/64 syscall hole
  11. Re: PATCH 2/2 x86-64: seccomp: fix 32/64 syscall hole
  12. Chrome 20 on Linux and Flash sandboxing
  13. Introducing Chrome's next-generation Linux sandbox
  14. vsftpd-3.0.0 and seccomp filter sandboxing is here!
  15. Openssh 6.0 release notes
  16. MBOX
  17. LXD an "hypervisor" for containers (based on liblxc)
  18. Where We're Going With LXD
  19. Firefox Seccomp sandbox
  20. Firefox Seccomp sandbox
  21. Added SECCOMP sandboxing and new admin API call to check if permissions are properly dropped

External links