seccomp

seccomp
Original author(s)	Andrea Arcangeli
Initial release	March 8, 2005 (2005-03-08)
Development status	mainlined
Written in	C
Operating system	Linux
Type	Sandboxing
License	GNU General Public License
Website	code.google.com/archive/p/seccompsandbox/wikis/overview.wiki

seccomp (short for secure computing mode) is a computer security facility in the Linux kernel. It was merged into the Linux kernel mainline in kernel version 2.6.12, which was released on March 8, 2005.^[1] seccomp allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will terminate the process with SIGKILL. In this sense, it does not virtualize the system's resources but isolates the process from them entirely.

seccomp mode is enabled via the prctl(2) system call using the PR_SET_SECCOMP argument, or (since Linux kernel 3.17^[2]) via the seccomp(2) system call.^[3] seccomp mode used to be enabled by writing to a file, /proc/self/seccomp, but this method was removed in favor of prctl().^[4] In some kernel versions, seccomp disables the RDTSC x86 instruction, which returns the number of elapsed processor cycles since power-on, used for high-precision timing.^[5]

seccomp-bpf is an extension to seccomp^[6] that allows filtering of system calls using a configurable policy implemented using Berkeley Packet Filter rules. It is used by OpenSSH and vsftpd as well as the Google Chrome/Chromium web browsers on Chrome OS and Linux.^[7] (In this regard seccomp-bpf achieves similar functionality to the older systrace—which seems to be no longer supported for Linux).

Software using seccomp or seccomp-bpf

One of the most prominent software solutions using seccomp is Docker. Docker is an open source project, primarily backed by Docker Inc., that enables software to run inside of isolated containers. When a Docker container is created, using docker run or docker create sub-commands, a seccomp profile can be associated with the container using the --security-opt parameter.
seccomp was first devised by Andrea Arcangeli in January 2005 for use in public grid computing and was originally intended as a means of safely running untrusted compute-bound programs.
Arcangeli's CPUShare was the only known user of this feature.^[8] Writing in February 2009, Linus Torvalds expresses doubt whether seccomp is actually used by anyone.^[9] However, a Google engineer replied that Google is exploring using seccomp for sandboxing its Chrome web browser.^[10]^[11]
Firejail is an open source Linux sandbox program that utilizes Linux Namespaces, Seccomp, and other kernel-level security features to sandbox Linux and Wine applications.^[12]
As of Chrome version 20, seccomp-bpf is used to sandbox Adobe Flash Player.^[13]
As of Chrome version 23, seccomp-bpf is used to sandbox the renderers.^[14]
Snap specify the shape of their application sandbox using 'interfaces' which snapd translates to seccomp, AppArmor and other security constructs ^[15]
vsftpd uses seccomp-bpf sandboxing as of version 3.0.0.^[16]
OpenSSH has supported seccomp-bpf since version 6.0.^[17]
Mbox uses ptrace along with seccomp-bpf to create a secure sandbox with less overhead than ptrace alone.^[18]
LXD, an Ubuntu "hypervisor" for containers^[19]^[20]
Firefox and Firefox OS, which use seccomp-bpf^[21]^[22]
Cjdns uses seccomp-bpf as one of its sandbox mechanisms, filtering the system calls it performs on a Linux system, and strictly limiting its access to the outside world.^[23]
Tor supports seccomp since 0.2.5.1-alpha^[24]
Lepton, a JPEG compression tool developed by Dropbox uses seccomp^[25]
Kafel is a configuration language, which converts readable policies into seccompb-bpf bytecode^[26]
Subgraph OS uses seccomp-bpf^[27]^[28]
Flatpak uses seccomp for process isolation ^[29]
minijail uses seccomp for process isolation^[30]

References

↑ "[PATCH] seccomp: secure computing support". Linux kernel history. Kernel.org git repositories. 2005-03-08. Retrieved 2013-08-02.
↑ "Linux kernel 3.17, Section 11. Security". kernelnewbies.org. 2013-10-05. Retrieved 2015-03-31.
↑ "seccomp: add "seccomp" syscall". kernel/git/torvalds/linux.git - Linux kernel source tree. kernel.org. 2014-06-25. Retrieved 2014-08-22.
↑ Arcangeli, Andrea (2007-06-14). "[PATCH 1 of 2] move seccomp from /proc to a prctl". Retrieved 2013-08-02.
↑ Tinnes, Julien (2009-05-28). "Time-stamp counter disabling oddities in the Linux kernel". cr0 blog. Retrieved 2013-08-02.
↑ Corbet, Jonathan (2012-01-11). "Yet another new approach to seccomp". lwn. Retrieved 2013-08-02.
↑ Tinnes, Julien (2012-11-19). "A safer playground for your Linux and Chrome OS renderers". The Chromium Blog. Retrieved 2013-08-02.
↑ van de Ven, Arjan (2009-02-28). "Re: [stable] [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole". Linux Kernel Mailing List. Retrieved 2013-08-02.
↑ Torvalds, Linus (2009-02-28). "Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole". Linux Kernel Mailing List. Retrieved 2013-08-02.
↑ Gutschke, Markus (2009-05-06). "Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole". Retrieved 2013-08-02.
↑ Gutschke, Markus (2009-05-06). "Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole". Linux Kernel Mailing List. Retrieved 2013-08-02.
↑ "Firejail". Firejail. Retrieved 2016-11-26.
↑ Evans, Chris (2012-07-04). "Chrome 20 on Linux and Flash sandboxing". Retrieved 2013-08-02.
↑ Tinnes, Julien (2012-09-06). "Introducing Chrome's next-generation Linux sandbox". cr0 blog. Retrieved 2013-08-02.
↑ "Snap security policy". Retrieved 2017-02-03.
↑ Evans, Chris (2012-04-09). "vsftpd-3.0.0 and seccomp filter sandboxing is here!". Retrieved 2013-08-02.
↑ "Openssh 6.0 release notes". Retrieved 2013-10-14.
↑ "MBOX". Retrieved 2014-05-20.
↑ "LXD an "hypervisor" for containers (based on liblxc)". Retrieved 2014-11-08.
↑ "Where We're Going With LXD". Retrieved 2014-11-08.
↑ Destuynder, Guillaume (2012-09-13). "Firefox Seccomp sandbox". Mozilla Bugzilla. Retrieved 2015-01-13.
↑ Destuynder, Guillaume (2012-09-13). "Firefox Seccomp sandbox". Mozilla Wiki. Retrieved 2015-01-13.
↑ DeLisle, Caleb James (2014-09-24). "Added SECCOMP sandboxing and new admin API call to check if permissions are properly dropped". Github. Retrieved 2015-09-24.
↑ "Tor ChangeLog".
↑ "Lepton image compression: saving 22% losslessly from images at 15MB/s". Dropbox Tech Blog. Retrieved 2016-07-15.
↑ "Kafel: A language and library for specifying syscall filtering policies".
↑ "Subgraph OS". Subgraph. Retrieved 2016-12-18.
↑ "LoganCIJ16: Future of OS". YouTube. Retrieved 2016-12-18.
↑ "The flatpak security model – part 1: The basics". Retrieved 2017-01-21.
↑ "Minijail [LWN.net]". lwn.net. Retrieved 2017-04-11.

External links

Official website
Google's Chromium sandbox, LWN.net, August 2009, by Jake Edge
seccomp-nurse, a sandboxing framework based on seccomp
Documentation/prctl/seccomp_filter.txt, part of the Linux kernel documentation
Security In-Depth for Linux Software: Preventing and Mitigating Security Bugs

Linux kernel

Organization

Kernel	Linux Foundation Linux Mark Institute Linus's Law Tanenbaum–Torvalds debate Tux SCO issues Linaro GNU GPL v2 menuconfig Supported computer architectures Kernel names Criticism
Support	Developers The Linux Programming Interface kernel.org LKML Linux conferences Users Linux User Group (LUG)

Technical

Debugging

Startup

ABIs

APIs

Of
userspace

FS, daemons	devfs devpts debugfs procfs sysfs systemd udev Kmscon
Wrapper libraries	C standard library glibc uClibc Bionic libhybris dietlibc EGLIBC klibc musl Newlib libcgroup libdrm libalsa libevdev

Of
kernel

System Call Interface	POSIX ioctl select open read close sync … Linux-only futex epoll splice dnotify inotify readahead …
In-kernel	ALSA Crypto API DRM kernfs New API Video4Linux

Components

Variants

Virtualization	Hypervisor KVM Xen OS-level virtualization Linux-VServer Lguest LXC OpenVZ Other L4Linux ELinOS User-mode Linux MkLinux coLinux

Adoption

Range of use	Desktop Embedded Gaming Thin client: LTSP Thinstation Server: LAMP LYME-LYCE Devices
Adopters	List of Linux adopters GENIVI Alliance Proprietary software for Linux

People

Category
Commons
Book
Wikiversity
Portal

Linux
Linux kernel	History Kernel Linus's Law Linux-libre Linux startup process Linux kernel oops Tux more…
Controversies	Criticism of Linux Criticism of desktop Linux GNU/Linux naming controversy Tanenbaum–Torvalds debate SCO and Linux
Distributions	General comparison Distributions list Netbook-specific comparison Distributions that run from RAM Lightweight Proprietary software for Linux Package manager Package format List of software package managers
Organizations	Linux Foundation Linux Mark Institute Linux User Group (LUG) Linux Documentation Project LinuxChix Linux Counter
Adoption	Desktop Embedded Gaming Linux range of use List of Linux adopters
Media	Free Software Magazine Linux.com Linux Format Open Source For You Linux Gazette Linux Journal Linux Magazine LinuxUser Ubuntu User Linux Outlaws Linux Voice LugRadio LWN.net Phoronix Revolution OS The Code
People	Alan Cox Allison Randal Andrew Morton Benjamin Mako Hill Bradley Kuhn Bruce Perens Daniel Robbins David S. Miller Greg Kroah-Hartman Ian Murdock Jon "maddog" Hall Jono Bacon Karen Sandler Linus Torvalds Eric S. Raymond Mark Shuttleworth Pamela Jones Patrick Volkerding Richard Stallman Theodore Ts'o William John Sullivan
Linux Linux kernel features Portal:Linux WikiProject Linux

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.