From Fedora Project Wiki

Revision as of 10:08, 4 June 2012 by Lnovich (created page)

   Task name - Syscall Filtering
   Description - Syscall filtering allows an application to define which syscalls it should be allowed to execute.
   Owner name - Paul Moore
   Owner email - pmoore@redhat.com
   Product manager email - TBD
   QE contact email - 
   Current Status
       Target date - 
       Percentage of completion: 70%
       Development Status: 
       QE status: ACK
           QE confidence: 
           QE risks: 
   Last updated: 2012-05-22
   Priority - 2
   Upstream target versions - TBD
   Target release - Fedora 18
   Test plan - TBD
   Unit tests - TBD
   Software Assurance
       Tools (coverity, etc.) - TBD
       Security Review and Guidelines - TBD
       Review on new and/or changes in Crypto - None expected
       Changes in privilege escalation - None expected
   Risk 1
       Risk description
   Improvements to the syscall filtering implementation in the Linux Kernel, also known as "seccomp", have been discussed as far back as 2009 with at least three distinct implementations being submitted upstream; none have been successfully merged into Linus' tree.  However, the most recent implementation, using BPF as the filter language, appears to have gained widespread acceptance; the patch's author, Will Drewry, is planning on submitting the patch for inclusion in version 3.5 of the Linux Kernel.
   See the following LWN article for a summary on the current state of seccomp (January 2012): https://lwn.net/Articles/475043
       Risk level - Low
       Risk resolution date - Linux Kernel 3.5 (tentative)
   Risk 2
       Risk description
   The most recent syscall filtering enhancements for the Linux Kernel, also known as "seccomp", are being developed by Will Drewry at Google, presumably for use by Chrome OS and Chrome/Chromium.  If we hope to merge seccomp into the mainline kernel we will need to work with Will so as to not further complicate matters.
   We have made contact with Will Drewry at the 2011 Linux Security Summit and we let him know that we are interested in helping however we can; he promised to keep us up to date with his efforts.
       Risk level - Low
       Risk resolution date - I have spoken with Will and he is aware that both RH and IBM are interested in the effort.
   Risk 3
       Risk description
   Development of a userspace library, libseccomp, to abstract the seccomp BPF interface, and of patches to QEMU to leverage this new library.  While development of libseccomp has been progressing nicely with the help of additional developers at RH and IBM, the fate of the QEMU patches is much less certain at this point.
       Risk level - Low
       Risk resolution date - The library will be released alongside the kernel support, i.e. with Linux 3.5-rc1.  An initial QEMU RFC patch has been proposed and appears to have been met with favorable comments.
   Scope
       Business justification - Reducing the kernel's exposure to userspace has the potential to mitigate existing kernel vulnerabilities which can be triggered by malicious userspace applications.
       Key use cases and deployment scenarios - Virtualization/KVM, network services, multi-user systems, etc.
       Benefits - Increased kernel robustness in the face of untrustworthy userspace applications.
       Customers/partners - IBM
       Hardware architectures - All, hardware independent
       Product variants - RHEL based products
       Key functional requirements - TBD
       How to test - Functional regression testing and negative security testing on the Linux Kernel.
       Constraints and limitations - TBD
   Documentation

The currently proposed kernel seccomp implementation uses a BPF-based filter, which lets the application specify filtering rules beyond just the syscall number: the filter program runs in the kernel on every syscall, sees the syscall number, the architecture/ABI and the raw argument registers, and decides whether to allow the call, fail it with an errno, trap it with SIGSYS, hand it to a ptrace tracer, or kill the process. Because the filter sees only register values, it cannot inspect data the arguments point to (a path name, for example). The proposed patches include documentation added in the kernel source tree, e.g. Documentation/, as well as some simple example applications; there have also been articles on LWN.net and blog entries by the developers.

The associated userspace library, libseccomp, includes a number of man pages for its different interfaces as part of the repository. There has also been a LWN.net article.
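As an added example, not code from this page, the kernel patches or libseccomp, the following program installs a seccomp BPF filter through the prctl(2) interface referenced under "Existing documentation" and shows the point made above about rules that go beyond the syscall number: the filter keys on a syscall argument. The policy is illustrative (getpriority(2) is allowed for PRIO_PROCESS but denied with EACCES for PRIO_USER; everything else is allowed), and the code assumes Linux 3.5 or later on little-endian x86_64, aarch64 or i386.

```c
/*
 * Added example (not from the Fedora wiki page, the kernel patches or
 * libseccomp): install a seccomp BPF filter via prctl(2) and show that a
 * rule can key on a syscall argument, not only on the syscall number.
 *
 * Assumptions: Linux >= 3.5 on little-endian x86_64, aarch64 or i386.
 * The policy is illustrative: getpriority(2) is allowed for PRIO_PROCESS
 * but denied with EACCES for PRIO_USER; every other syscall is allowed.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define NATIVE_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#if __BYTE_ORDER__ != __ORDER_LITTLE_ENDIAN__
#error "the args[] load below assumes a little-endian layout"
#endif

/* Install the filter for the calling thread. Returns 0, or -1 with errno set. */
int install_filter(void)
{
    struct sock_filter filter[] = {
        /* Check the ABI first: syscall numbers differ per ABI, and a compat
         * syscall with the same number must not pass a filter written for
         * the native one. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number; anything but getpriority is allowed. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getpriority, 0, 3),
        /* Argument check: low 32 bits of args[0], the "which" parameter. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PRIO_USER, 0, 1),
        /* Deny without killing: the syscall returns -1 with errno = EACCES. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = sizeof(filter) / sizeof(filter[0]),
        .filter = filter,
    };

    /* An unprivileged process may only install a filter after giving up
     * the ability to gain privileges, so it cannot use the filter to
     * confuse a setuid binary it later executes. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Issue getpriority(which, 0) as a raw syscall; return 0 on success, else errno. */
int probe_getpriority(int which)
{
    errno = 0;
    if (syscall(SYS_getpriority, which, 0) == -1)
        return errno;
    return 0;
}

int main(void)
{
    printf("before filter: PRIO_USER    -> %d\n", probe_getpriority(PRIO_USER));
    if (install_filter() != 0) {
        perror("install_filter");
        return 1;
    }
    printf("after filter:  PRIO_PROCESS -> %d (expect 0)\n", probe_getpriority(PRIO_PROCESS));
    printf("after filter:  PRIO_USER    -> %d (expect EACCES = %d)\n",
           probe_getpriority(PRIO_USER), EACCES);
    return 0;
}
```

Build with `gcc -Wall seccomp_demo.c -o seccomp_demo` and run it unprivileged. The jump offsets in the raw BPF program are the error-prone part, which is exactly what libseccomp abstracts: the same rule becomes a seccomp_rule_add() call with an SCMP_A0 argument comparison and no hand-counted jumps. Note that the argument test works here only because "which" is passed by value; a rule on, say, the path argument of open(2) would have to compare a pointer, not the string it points to.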

   Requirements - TBD
   Dependencies - None
   Reference links
       Upstream project - http://kernel.org
       Upstream project - http://libseccomp.sf.net (http://lwn.net/Articles/494252)
       Existing documentation - http://www.kernel.org/doc/man-pages/online/pages/man2/prctl.2.html
   Bugzilla links
       Tracker bug -
       QE test plan tracker bug - TBD
       Docs tracker bug - TBD