Task name - Syscall Filtering

Description - Syscall filtering allows applications to define which syscalls they should be allowed to execute.

Owner name - Paul Moore

Owner email - pmoore@redhat.com

Product manager email - TBD

QE contact email -

Current Status

Target date -

Percentage of completion: 70%

Development Status:

QE status: ACK

QE confidence:

QE risks:

Last updated: 2012-05-22

Priority - 2

Upstream target versions - TBD

Target release - Fedora 18

Test plan - TBD

Unit tests - TBD

Software Assurance

Tools (coverity, etc.) - TBD

Security Review and Guidelines - TBD

Review on new and/or changes in Crypto - None expected

Changes in privilege escalation - None expected

Risk 1

Risk description

Improvements to the syscall filtering implementation in the Linux Kernel, also known as "seccomp", have been discussed as far back as 2009 with at least three distinct implementations being submitted upstream; none have been successfully merged into Linus' tree. However, the most recent implementation, using BPF as the filter language, appears to have gained widespread acceptance; the patch's author, Will Drewry, is planning on submitting the patch for inclusion in version 3.5 of the Linux Kernel.

See the following LWN article for a summary on the current state of seccomp (January 2012): https://lwn.net/Articles/475043

Risk level - Low

Risk resolution date - Linux Kernel 3.5 (tentative)

Risk 2

Risk description

The most recent syscall filtering enhancements for the Linux Kernel, also known as "seccomp", are being developed by Will Drewry at Google, presumably for use by Chrome OS and Chrome/Chromium. If we hope to merge seccomp into the mainline kernel we will need to work with Will so as to not further complicate matters.

We have made contact with Will Drewry at the 2011 Linux Security Summit and we let him know that we are interested in helping however we can; he promised to keep us up to date with his efforts.

Risk level - Low

Risk resolution date - I have spoken with Will and he is aware that both RH and IBM are interested in the effort.

Risk 3

Risk description

Development of a userspace library to abstract out the seccomp BPF interface, and patches to QEMU to leverage this new library. While development of the library, libseccomp, has been progressing nicely with the help of additional developers at RH and IBM, the fate of the QEMU patches is much less certain at this point.

Risk level - Low

Risk resolution date - The library will be released alongside the kernel support, e.g. Linux 3.5-rc1. An initial QEMU RFC patch has been proposed and appears to have been met with favorable comments.

Scope

Business justification - Reducing the kernel's exposure to userspace has the potential to mitigate existing kernel vulnerabilities which can be triggered by malicious userspace applications.

Key use cases and deployment scenarios - Virtualization/KVM, network services, multi-user systems, etc.

Benefits - Increased kernel robustness in the face of untrustworthy userspace applications.

Customers/partners - IBM

Hardware architectures - All, hardware independent

Product variants - RHEL based products

Key functional requirements - TBD

How to test - Functional regression testing and negative security testing on the Linux Kernel.

Constraints and limitations - TBD

Documentation

The currently proposed kernel seccomp implementation uses a BPF-based filter which allows the application to specify basic filtering rules beyond just the syscall. The proposed patches include documentation added in the kernel source tree, e.g. Documentation/, as well as some simple example applications; there have also been articles on LWN.net and blog entries by the developers.

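As an added illustration of the filter model described above (example code written for this page, not taken from the kernel patches or from libseccomp), the following C program builds a seccomp BPF allow-list that also inspects a syscall argument, re-runs it in userspace with a small interpreter for the three BPF opcodes it uses so the verdicts can be checked without installing it, and installs it through the prctl(2) interface. It assumes an x86_64, little-endian host with Linux 3.5 or later kernel headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/audit.h>

/* Classic BPF instruction helpers over struct seccomp_data (x86_64 assumed). */
#define LOAD(field)    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, field))
#define JEQ(v, jt, jf) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (v), (jt), (jf))
#define RET(v)         BPF_STMT(BPF_RET | BPF_K, (v))
/* Allow-list: read, exit, exit_group, and write only when fd (arg0) is 1; everything else is killed. */
static struct sock_filter filter[] = {
    LOAD(arch), JEQ(AUDIT_ARCH_X86_64, 1, 0), RET(SECCOMP_RET_KILL), /* foreign arch: kill */
    LOAD(nr),
    JEQ(__NR_read, 5, 0), JEQ(__NR_exit, 4, 0), JEQ(__NR_exit_group, 3, 0),
    JEQ(__NR_write, 0, 3),    /* not write either: jump to the final kill */
    LOAD(args), JEQ(1, 0, 1), /* write(): low 32 bits of arg0 (little-endian) must be fd 1 */
    RET(SECCOMP_RET_ALLOW),
    RET(SECCOMP_RET_KILL),
};

/* Userspace re-run of the kernel's classic BPF evaluation (only the opcodes used above)
 * on one constructed syscall: architecture, syscall number, first argument. */
uint32_t run_filter(uint32_t arch, int nr, uint64_t arg0)
{
    struct seccomp_data d = { .nr = nr, .arch = arch, .args = { arg0 } };
    uint32_t acc = 0;
    for (size_t pc = 0; pc < sizeof filter / sizeof filter[0]; pc++) {
        const struct sock_filter *in = &filter[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const unsigned char *)&d + in->k, sizeof acc);
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == in->k) ? in->jt : in->jf; /* loop's pc++ supplies the implicit +1 */
        else if (in->code == (BPF_RET | BPF_K))
            return in->k;
        else
            return SECCOMP_RET_KILL;                /* unknown opcode: fail closed */
    }
    return SECCOMP_RET_KILL;                        /* fell off the end: fail closed */
}
/* Install the filter for real; needs a 3.5+ kernel built with CONFIG_SECCOMP_FILTER. */
int install_filter(void)
{
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* prerequisite for unprivileged use */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

Once install_filter() succeeds the filter is irrevocable for the process and is inherited across fork and execve, so a real program installs it only after all set-up that needs other syscalls is complete.
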
The associated userspace library, libseccomp, includes a number of man pages for its different interfaces as part of the repository. There has also been an LWN.net article.

Requirements - TBD

Dependencies - None

Reference links

Upstream project - http://kernel.org

Upstream project - http://libseccomp.sf.net (http://lwn.net/Articles/494252)

Existing documentation - http://www.kernel.org/doc/man-pages/online/pages/man2/prctl.2.html

Bugzilla links

Tracker bug -

QE test plan tracker bug - TBD

Docs tracker bug - TBD