From Fedora Project Wiki
    Task name - Syscall Filtering
    Description - Syscall filtering allows an application to define which syscalls it should be allowed to execute.
    Owner name - Paul Moore
    Owner email - pmoore@redhat.com
    Product manager email - TBD
    QE contact email -
    Current Status
        Target date -
        Percentage of completion: 70%
        Development Status:
        QE status: ACK
            QE confidence:
            QE risks:


    Last updated: 2012-05-22
    Priority - 2
    Upstream target versions - TBD
    Target release - Fedora 18
    Test plan - TBD
    Unit tests - TBD
    Software Assurance
        Tools (coverity, etc.) - TBD
        Security Review and Guidelines - TBD
        Review on new and/or changes in Crypto - None expected
        Changes in privilege escalation - None expected
    Risk 1
        Risk description
    Improvements to the syscall filtering implementation in the Linux Kernel, also known as "seccomp", have been discussed as far back as 2009 with at least three distinct implementations being submitted upstream; none have been successfully merged into Linus' tree.  However, the most recent implementation, using BPF as the filter language, appears to have gained widespread acceptance; the patch's author, Will Drewry, is planning on submitting the patch for inclusion in version 3.5 of the Linux Kernel.
    See the following LWN article for a summary on the current state of seccomp (January 2012): https://lwn.net/Articles/475043
        Risk level - Low
        Risk resolution date - Linux Kernel 3.5 (tentative)
    Risk 2
        Risk description
    The most recent syscall filtering enhancements for the Linux Kernel, also known as "seccomp", are being developed by Will Drewry at Google, presumably for use by Chrome OS and Chrome/Chromium.  If we hope to merge seccomp into the mainline kernel we will need to work with Will so as to not further complicate matters.
    We have made contact with Will Drewry at the 2011 Linux Security Summit and we let him know that we are interested in helping however we can; he promised to keep us up to date with his efforts.
        Risk level - Low
        Risk resolution date - I have spoken with Will and he is aware that both RH and IBM are interested in the effort.
    Risk 3
        Risk description
    Development of a userspace library to abstract out the seccomp BPF interface, and of patches to QEMU to leverage this new library.  While development of the library, libseccomp, has been progressing nicely with the help of additional developers at RH and IBM, the fate of the QEMU patches is much less certain at this point.
        Risk level - Low
        Risk resolution date - The library will be released alongside the kernel support, e.g. Linux 3.5-rc1.  An initial QEMU RFC patch has been proposed and appears to have been met with favorable comments.
    Scope
        Business justification - Reducing the kernel's exposure to userspace has the potential to mitigate existing kernel vulnerabilities which can be triggered by malicious userspace applications.
        Key use cases and deployment scenarios - Virtualization/KVM, network services, multi-user systems, etc.
        Benefits - Increased kernel robustness in the face of untrustworthy userspace applications.
        Customers/partners - IBM
        Hardware architectures - All, hardware independent
        Product variants - RHEL based products
        Key functional requirements - TBD
        How to test - Functional regression testing and negative security testing on the Linux Kernel.
        Constraints and limitations - TBD
    Documentation
The currently proposed kernel seccomp implementation utilizes a BPF-based filter which allows the application to specify basic filtering rules beyond just the syscall number, e.g. on the syscall's arguments.  The proposed patches include documentation added in the kernel source tree, e.g. Documentation/, as well as some simple example applications; there have also been articles on LWN.net and blog entries by the developers.
The associated userspace library, libseccomp, includes a number of man pages for its different interfaces as part of the repository.  There has also been an LWN.net article.
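As an added illustration of the raw filter interface described above (example code written for this page, not taken from the kernel patches or from libseccomp): a minimal seccomp-BPF program that allows write(2) only when its fd argument is stdout or stderr, allows the exit syscalls, and makes every other syscall fail with EPERM.  The arch guard, the tiny allow-list and the use of SECCOMP_RET_ERRNO instead of a kill are this example's own choices; it assumes an x86_64, little-endian host running a kernel with the seccomp filter support (the prctl(2) interface linked below).

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if !defined(__x86_64__)
#error "ARCH_NR below is the x86_64 value; change it for other architectures"
#endif
#define ARCH_NR AUDIT_ARCH_X86_64

/* Filter program (example's own). Little-endian assumed: offsetof(args[0]) is the low 32 bits. */
static struct sock_filter filter[] = {
    /* 0-2: kill if the syscall ABI is not the one the numbers below belong to */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* 3-8: write(2) allowed only when its fd argument is stdout (1) or stderr (2) */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 0, 4),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 2, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* 9-12: plain allow-list; everything else (13) fails with EPERM rather than a kill */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
};

size_t filter_len(void) { return sizeof(filter) / sizeof(filter[0]); }
unsigned int filter_final_ret(void) { return filter[filter_len() - 1].k; }

/* no_new_privs must be set first so that an unprivileged process may load the filter */
int install_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)filter_len(), .filter = filter };
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 ? prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) : -1;
}

int main(void)
{
    if (install_filter() != 0) return 1;
    write(1, "write to stdout allowed\n", 24);                /* fd 1: passes the filter */
    if (chdir("/") == -1 && errno == EPERM) write(1, "chdir denied with EPERM\n", 24);
    _exit(0);                                                 /* exit_group is allowed */
}
```

Once installed the filter cannot be removed, and any library call the program later needs (e.g. stdio buffering on exit) must also be covered by the allow-list, which is the practical reason a higher-level library such as libseccomp is being developed.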
    Requirements - TBD
    Dependencies - None
    Reference links
        Upstream project - http://kernel.org
        Upstream project - http://libseccomp.sf.net (http://lwn.net/Articles/494252)
        Existing documentation - http://www.kernel.org/doc/man-pages/online/pages/man2/prctl.2.html
    Bugzilla links
        Tracker bug -
        QE test plan tracker bug - TBD
        Docs tracker bug - TBD

Latest revision as of 10:13, 4 June 2012