Secure Computing
- Designed to sandbox programs that deal with untrusted input
- Installing a seccomp filter is irreversible. It's a declaration that subsequently executed code is not to be trusted.
- Berkeley Packet Filter (BPF)
- small set of instructions run in a virtual machine in the kernel
- originally designed for network packet filtering in the kernel to avoid passing every network packet across the kernel/userland boundary
- Maximum of 4096 instructions.
- A directed acyclic graph. No loops. Only forward branching.
- Devs realized BPF can be used to filter syscalls too
- All filters are executed in reverse order
- child inherits filter of parent if
fork()/clone()
is permitted - filters are also preserved across
execve()
if permitted
After all fileres ran, the value with the highest priority is returned to the kernel.
SECCOMP_RET_KILL
(highest priority)SECCOMP_RET_TRAP
SECCOMP_RET_ERRNO
SECCOMP_RET_TRACE
SECCOMP_RET_ALLOW
(lowest priority)
Other resources
- Teach seccomp how to discover which system calls don’t pass filtering of an application
- Seccomp sandboxes and memcached example. part1, part2
- BPT compiler (bpfc) part of http://netsniff-ng.org/