Security in Linux Kernel - Part 3


In this short post we will explore a Linux system call that facilitates secure computing. In earlier parts of this series we saw how LSMs protect the kernel. However, LSMs sit much deeper in the call hierarchy and do not offer protection at the process level. An additional mechanism is required to provide protection at the process level.

Need for a system call

In Linux, application programs use a number of system calls; in fact, a large number of system calls are available to the application programmer. Processes using these system calls expose a large area of the kernel to malicious attacks. Linux offers a mechanism to limit this capability using the seccomp system call, thereby reducing the attack surface. seccomp is enabled using the prctl() system call with the appropriate operation mode.

seccomp Modes

The seccomp system call works in two modes: strict mode (SECCOMP_SET_MODE_STRICT) and filter mode (SECCOMP_SET_MODE_FILTER). When seccomp is set to the first mode, i.e. strict mode, the process has access to only a few system calls. The process can make use of the read(), write(), exit() and sigreturn() calls only. Furthermore, these calls are allowed only on already open file descriptors. This means the process cannot open a new file. If such an attempt is made, the kernel terminates the process immediately.

The second mode, filter mode, sets seccomp into filtering mode. It filters out system calls based on the specified policy. A filter can be specified to filter incoming system calls and allow only specific calls for a specific process, based on different parameters. This filter is presented as a Berkeley Packet Filter program, hence this mode is also known as BPF mode.

As plenty of code examples demonstrating the use of both modes of seccomp are available, they are not duplicated here. Instead, the reference section provides a few links to such examples. Even the Linux man page for seccomp provides good code samples, making it easy to understand.

seccomp Usage

The seccomp system call forms the backbone of security in container-based computing frameworks. Docker and Kubernetes use seccomp features to restrict what a process can do, denying access to anything it should not do.

References
