Out of curiosity, are there any current efforts towards creating a "learning mode" type of application for seccomp?  I.e. creating a profile for a particular application based upon which syscalls it makes during normal operation.  I realize that many people consider this a security anti-pattern, but it could be useful for the initial creation of a seccomp filter for a particular application, and other security subsystems already do this (à la AppArmor's learning/complain mode).  IIUC, no other kernel mechanisms would need to be created; ptrace could accomplish syscall monitoring.

Thanks,
David Windsor

On Mon, Apr 9, 2012 at 2:58 PM, Paul Moore <paul@paul-moore.com> wrote:
With the seccomp patches finally stabilizing a bit, it seems like now is a
good time to announce libseccomp: a library designed to make it easier to
create complex, architecture independent seccomp filters.

 * http://sourceforge.net/projects/libseccomp/
 * git clone git://git.code.sf.net/p/libseccomp/libseccomp

The library has only been in development for the past couple of months, so it may
be a little rough around the edges, and definitely could use more testing, but
it is functional and has had some basic testing against the seccomp v17
patches.  The project currently lacks any online documentation or a website
beyond the basic SF.net tools, but there are current man pages in the source
repository and the code is reasonably well commented.

For those of you who are interested in making use of the library, or
contributing to its development and testing, we do have a mailing list setup
(see the To/CC line above) and you can subscribe at the link below; all are
welcome.

 * https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss

To demonstrate some of the basic libseccomp capabilities, I've included a
short example below.  The example is trivial, it opens /dev/zero and writes to
/dev/null, but it shows how to use libseccomp to create a simple filter and
load it into the kernel; filtering both on just the syscall and a syscall with
specific arguments.

> #include <errno.h>
> #include <stdlib.h>
> #include <stdio.h>
> #include <unistd.h>
>
> #include <seccomp.h>
>
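/* number of bytes copied from /dev/zero to /dev/null in one fread()/fwrite() */
enum { BUF_LEN = 256 };

/*
 * Add the allow rules for the handful of syscalls this demo needs.  Anything
 * not listed here falls through to the default action given to seccomp_init()
 * (SCMP_ACT_KILL in main()), so this is a strict allow-list.  read() is
 * permitted only on read_fd and write() only on stdout, stderr and write_fd;
 * the descriptor numbers are baked into the rules at the time they are added,
 * which is why they are passed in as plain ints.  The remaining rules are
 * unconditional; the original listing gives no rationale for them, presumably
 * they are what stdio and process exit need once the filter is active.
 *
 * Returns 0 on success, or the negative value reported by seccomp_rule_add().
 */
static int add_allow_rules(int read_fd, int write_fd)
{
	int rc;
	/* syscalls allowed regardless of their arguments */
	const int unconditional[] = {
		SCMP_SYS(close),
		SCMP_SYS(exit_group),
		SCMP_SYS(fstat),
		SCMP_SYS(ioctl),
		SCMP_SYS(mmap),
		SCMP_SYS(mprotect),
		SCMP_SYS(munmap),
	};

	rc = seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
			      SCMP_A0(SCMP_CMP_EQ, read_fd));
	if (rc < 0)
		return rc;
	rc = seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
			      SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO));
	if (rc < 0)
		return rc;
	rc = seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
			      SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO));
	if (rc < 0)
		return rc;
	rc = seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
			      SCMP_A0(SCMP_CMP_EQ, write_fd));
	if (rc < 0)
		return rc;

	for (size_t i = 0; i < sizeof unconditional / sizeof unconditional[0]; i++) {
		rc = seccomp_rule_add(SCMP_ACT_ALLOW, unconditional[i], 0);
		if (rc < 0)
			return rc;
	}

	return 0;
}

/*
 * Demo: build a seccomp allow-list with libseccomp, load it, then copy
 * BUF_LEN bytes from /dev/zero to /dev/null under the filter.
 *
 * Returns 0 on success; otherwise prints "failed, errno = N" and returns the
 * (non-zero) errno value describing the failure.  Both streams are closed on
 * every path.  NOTE(review): as in the original listing, the seccomp filter
 * context is not released on the seccomp error paths; whether
 * seccomp_release() may be called after a failed seccomp_init() is not shown
 * here, so that behaviour is left unchanged.
 */
int main(int argc, char *argv[])
{
	int rc;
	int saved_errno;
	FILE *read_stream = NULL, *write_stream = NULL;
	unsigned char buf[BUF_LEN];
	size_t op_len;

	(void)argc;
	(void)argv;

	/* initialize the seccomp filter */
	printf("scmp: initializing the seccomp filter ...");
	rc = seccomp_init(SCMP_ACT_KILL);
	if (rc < 0)
		goto failure_scmp;
	printf("ok\n");

	/* do the setup; both streams are opened before the filter is loaded,
	 * which is why no open() rule is needed in the allow-list */
	printf("info: opening /dev/zero for reading ... ");
	read_stream = fopen("/dev/zero", "r");
	if (read_stream == NULL)
		goto failure;
	printf("ok\n");
	printf("info: opening /dev/null for writing ... ");
	write_stream = fopen("/dev/null", "w");
	if (write_stream == NULL)
		goto failure;
	printf("ok\n");

	/* configure the seccomp filter */
	printf("scmp: configuring the seccomp_filter ... ");
	rc = add_allow_rules(fileno(read_stream), fileno(write_stream));
	if (rc < 0)
		goto failure_scmp;
	printf("ok\n");

	/* load the seccomp filter into the kernel; from here on any syscall not
	 * allowed above terminates the process (SCMP_ACT_KILL), and the filter
	 * cannot be removed again.  seccomp_release() only frees the library's
	 * copy of the filter, not the one the kernel now enforces. */
	printf("scmp: load the filter ... ");
	rc = seccomp_load();
	if (rc < 0)
		goto failure_scmp;
	seccomp_release();
	printf("ok\n");

	/* perform the i/o */
	printf("info: attempting to read BUF_LEN bytes ... ");
	op_len = fread(buf, BUF_LEN, 1, read_stream);
	if (op_len != 1)
		goto failure_io;
	printf("ok\n");

	printf("info: attempting to write BUF_LEN bytes ... ");
	op_len = fwrite(buf, BUF_LEN, 1, write_stream);
	if (op_len != 1)
		goto failure_io;
	printf("ok\n");

	/* shutdown: fclose() flushes the buffered write, so this is where an
	 * error writing to /dev/null would finally surface -- check it */
	printf("info: closing file streams and exiting\n");
	rc = fclose(write_stream);
	write_stream = NULL;
	if (rc != 0)
		goto failure;
	fclose(read_stream);
	read_stream = NULL;
	return 0;

failure_io:
	/* a short fread()/fwrite() count need not set errno (a plain EOF does
	 * not), and returning 0 from main would look like success */
	if (errno == 0)
		errno = EIO;
	goto failure;
failure_scmp:
	/* libseccomp reports failures as negative errno values */
	errno = -rc;
failure:
	/* oops ... capture errno before fclose() below can overwrite it */
	saved_errno = errno;
	printf("failed, errno = %d\n", saved_errno);
	if (write_stream != NULL)
		fclose(write_stream);
	if (read_stream != NULL)
		fclose(read_stream);
	return saved_errno;
}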

--
paul moore
www.paul-moore.com




--
PGP: 6141 5FFD 11AE 9844 153E  F268 7C98 7268 6B19 6CC9