Message-ID: <CAGXu5jJp1etKiMTqDcBUxRKwRvp8KHkWR+SWN4-+XdHFxphQ3Q@mail.gmail.com>
Date:	Sun, 15 Apr 2012 09:20:07 -0700
From:	Kees Cook <keescook@...omium.org>
To:	David Windsor <dwindsor@...il.com>
Cc:	Paul Moore <paul@...l-moore.com>,
	libseccomp-discuss@...ts.sourceforge.net,
	linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	Will Drewry <wad@...omium.org>
Subject: Re: ANN: libseccomp

Hi,

The seccomp mini-tutorial I wrote[1] could be extended to restart
system calls. That's the closest I've seen so far. Right now it just
needs to be run repeatedly until all the needed syscalls are found. :P

-Kees

[1] http://outflux.net/teach-seccomp/

On Sat, Apr 14, 2012 at 7:10 AM, David Windsor <dwindsor@...il.com> wrote:
> Out of curiosity, are there any current efforts towards creating a "learning
> mode" type of application for seccomp?  I.e. creating a profile for a
> particular application based upon which syscalls it makes during normal
> operation.  I realize that many people consider this a security
> anti-pattern, but it could be useful for the initial creation of a seccomp
> filter for a particular application, and other security subsystems already
> do this (à la AppArmor's learning/complain mode).  IIUC, no other kernel
> mechanisms would need to be created; ptrace could accomplish syscall
> monitoring.
>
> Thanks,
> David Windsor
>
> On Mon, Apr 9, 2012 at 2:58 PM, Paul Moore <paul@...l-moore.com> wrote:
>>
>> With the seccomp patches finally stabilizing a bit, it seems like now is a
>> good time to announce libseccomp: a library designed to make it easier to
>> create complex, architecture independent seccomp filters.
>>
>>  * http://sourceforge.net/projects/libseccomp/
>>  * git clone git://git.code.sf.net/p/libseccomp/libseccomp
>>
>> The library has only been in development for the past couple months, so it
>> may be a little rough around the edges, and definitely could use more
>> testing, but it is functional and has had some basic testing against the
>> seccomp v17 patches.  The project currently lacks any online documentation
>> or a website beyond the basic SF.net tools, but there are current man pages
>> in the source repository and the code is reasonably well commented.
>>
>> For those of you who are interested in making use of the library, or
>> contributing to its development and testing, we do have a mailing list
>> setup (see the To/CC line above) and you can subscribe at the link below;
>> all are welcome.
>>
>>  * https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss
>>
>> To demonstrate some of the basic libseccomp capabilities, I've included a
>> short example below.  The example is trivial: it opens /dev/zero and
>> writes to /dev/null, but it shows how to use libseccomp to create a simple
>> filter and load it into the kernel, filtering both on just the syscall and
>> on a syscall with specific arguments.
>>
>> > #include <errno.h>
>> > #include <stdlib.h>
>> > #include <stdio.h>
>> > #include <unistd.h>
>> >
>> > #include <seccomp.h>
>> >
>> > #define BUF_LEN               256
>> >
>> > int main(int argc, char *argv[])
>> > {
>> >       int rc;
>> >       FILE *read_stream, *write_stream;
>> >       unsigned char buf[BUF_LEN];
>> >       size_t op_len;
>> >
>> >       /* initialize the seccomp filter */
>> >       printf("scmp: initializing the seccomp filter ...");
>> >       rc = seccomp_init(SCMP_ACT_KILL);
>> >       if (rc < 0)
>> >               goto failure_scmp;
>> >       printf("ok\n");
>> >
>> >       /* do the setup */
>> >       printf("info: opening /dev/zero for reading ... ");
>> >       read_stream = fopen("/dev/zero", "r");
>> >       if (read_stream == NULL)
>> >               goto failure;
>> >       printf("ok\n");
>> >       printf("info: opening /dev/null for writing ... ");
>> >       write_stream = fopen("/dev/null", "w");
>> >       if (write_stream == NULL)
>> >               goto failure;
>> >       printf("ok\n");
>> >
>> >       /* configure the seccomp filter */
>> >       printf("scmp: configuring the seccomp_filter ... ");
>> >       rc = seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
>> >                             SCMP_A0(SCMP_CMP_EQ, fileno(read_stream)));
>> >       if (rc < 0)
>> >               goto failure_scmp;
>> >       rc = seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
>> >                             SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO));
>> >       if (rc < 0)
>> >               goto failure_scmp;
>> >       rc = seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
>> >                             SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO));
>> >       if (rc < 0)
>> >               goto failure_scmp;
>> >       rc = seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
>> >                             SCMP_A0(SCMP_CMP_EQ, fileno(write_stream)));
>> >       if (rc < 0)
>> >               goto failure_scmp;
>> >       rc = seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
>> >       if (rc < 0)
>> >               goto failure_scmp;
>> >       rc = seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
>> >       if (rc < 0)
>> >               goto failure_scmp;
>> >       rc = seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(fstat), 0);
>> >       if (rc < 0)
>> >               goto failure_scmp;
>> >       rc = seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 0);
>> >       if (rc < 0)
>> >               goto failure_scmp;
>> >       rc = seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0);
>> >       if (rc < 0)
>> >               goto failure_scmp;
>> >       rc = seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 0);
>> >       if (rc < 0)
>> >               goto failure_scmp;
>> >       rc = seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0);
>> >       if (rc < 0)
>> >               goto failure_scmp;
>> >       printf("ok\n");
>> >
>> >       /* load the seccomp filter into the kernel */
>> >       printf("scmp: load the filter ... ");
>> >       rc = seccomp_load();
>> >       if (rc < 0)
>> >               goto failure_scmp;
>> >       seccomp_release();
>> >       printf("ok\n");
>> >
>> >       /* perform the i/o */
>> >       printf("info: attempting to read BUF_LEN bytes ... ");
>> >       op_len = fread(buf, BUF_LEN, 1, read_stream);
>> >       if (op_len != 1)
>> >               return errno;
>> >       printf("ok\n");
>> >
>> >       printf("info: attempting to write BUF_LEN bytes ... ");
>> >       op_len = fwrite(buf, BUF_LEN, 1, write_stream);
>> >       if (op_len != 1)
>> >               return errno;
>> >       printf("ok\n");
>> >
>> >       /* shutdown */
>> >       printf("info: closing file streams and exiting\n");
>> >       fclose(write_stream);
>> >       fclose(read_stream);
>> >       return 0;
>> >
>> > failure_scmp:
>> >       errno = -rc;
>> > failure:
>> >       /* oops ... */
>> >       printf("failed, errno = %d\n", errno);
>> >       return errno;
>> > }
>>
>> --
>> paul moore
>> www.paul-moore.com
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe
>> linux-security-module" in
>> the body of a message to majordomo@...r.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>
>
>
> --
> PGP: 6141 5FFD 11AE 9844 153E  F268 7C98 7268 6B19 6CC9



-- 
Kees Cook
ChromeOS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
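The "learning mode" David asks about, implemented the way he suggests (ptrace syscall monitoring), as an added example that is not part of this thread and not libseccomp code. The child runs under PTRACE_SYSCALL with PTRACE_O_TRACESYSGOOD, every syscall it enters is recorded (together with the fd argument of write(), so the output can mirror the per-fd write rules in Paul's example), and the learned set is printed as seccomp_rule_add() calls. Assumptions not taken from the thread: the x86-64 register layout (orig_rax for the syscall number, rdi for the first argument) is hard-coded; the emitted rules use the ctx-based seccomp_rule_add(ctx, ...) form of current libseccomp releases rather than the global-filter calls in the 2012 code above; syscalls other than write are printed by native-architecture number, which libseccomp's seccomp_syscall_resolve_num_arch() can turn into a name; and the NR_MAX bound, the demo_child workload traced by main() and the /dev/null write are constructed for the demo.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#define NR_MAX 1024 /* assumed bound on native syscall numbers */
typedef struct {
    unsigned char seen[NR_MAX]; /* seen[nr] != 0 once the child entered syscall nr */
    unsigned long write_fds;    /* bit i set when write() was entered with fd i (i < 64) */
} syscall_set;

int set_has(const syscall_set *s, long nr) { return nr >= 0 && nr < NR_MAX && s->seen[nr]; }
int set_count(const syscall_set *s) { int n = 0; for (int i = 0; i < NR_MAX; i++) n += s->seen[i]; return n; }

void set_add(syscall_set *s, long nr, long arg0)
{
    if (nr < 0 || nr >= NR_MAX) return;
    s->seen[nr] = 1;
    if (nr == SYS_write && arg0 >= 0 && arg0 < 64) s->write_fds |= 1UL << arg0;
}

/* Syscall number and first argument at a syscall-entry stop (x86-64 register layout). */
static int entry_regs(pid_t pid, long *nr, long *arg0)
{
#if defined(__x86_64__)
    struct user_regs_struct r; /* orig_rax = syscall nr, rdi = arg0 */
    if (ptrace(PTRACE_GETREGS, pid, NULL, &r) < 0) return -1;
    *nr = (long)r.orig_rax, *arg0 = (long)r.rdi;
    return 0;
#else
#error "add the syscall-number and arg0 register mapping for this architecture"
#endif
}

/* Run fn(arg) in a traced child, recording every syscall it enters.
 * Returns the child's exit status (>= 0), or -errno if tracing itself failed. */
int learn_syscalls(void (*fn)(void *), void *arg, syscall_set *set)
{
    int status, entering = 0, sig = 0;
    pid_t pid = fork();
    *set = (syscall_set){0};
    if (pid < 0) return -errno;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(127);
        raise(SIGSTOP); /* pause until the tracer has set its options */
        fn(arg);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0) return -errno;
    if (!WIFSTOPPED(status)) return -EPERM; /* PTRACE_TRACEME was refused (Yama, sandbox) */
    /* TRACESYSGOOD marks syscall stops as SIGTRAP|0x80, so real SIGTRAPs are not confused */
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD) < 0)
        return -errno;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) < 0) return -errno;
        if (waitpid(pid, &status, 0) < 0) return -errno;
        sig = 0;
        if (WIFEXITED(status)) return WEXITSTATUS(status);
        if (WIFSIGNALED(status)) return 128 + WTERMSIG(status);
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) { sig = WSTOPSIG(status); continue; } /* real signal: deliver it */
        entering = !entering;    /* syscall stops alternate entry, exit */
        if (!entering) continue; /* at exit the arg0 register already holds the return value */
        long nr, arg0;
        if (entry_regs(pid, &nr, &arg0) < 0) return -errno;
        set_add(set, nr, arg0);
    }
}

/* Print the learned set as libseccomp rules (current ctx-based API); returns the rule count. */
int emit_rules(const syscall_set *s, FILE *out)
{
    int n = 0;
    for (long nr = 0; nr < NR_MAX; nr++) {
        if (!s->seen[nr]) continue;
        if (nr == SYS_write && s->write_fds) { /* per-fd write rules, as in the posted example */
            for (int fd = 0; fd < 64; fd++)
                if (s->write_fds & (1UL << fd))
                    fprintf(out, "seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, "
                                 "SCMP_A0(SCMP_CMP_EQ, %d));\n", fd), n++;
        } else /* native-arch number; seccomp_syscall_resolve_num_arch() gives its name */
            fprintf(out, "seccomp_rule_add(ctx, SCMP_ACT_ALLOW, %ld, 0);\n", nr), n++;
    }
    return n;
}

/* Constructed workload: a few syscalls, including a write() to a known fd. */
void demo_child(void *arg)
{
    int fd = open("/dev/null", O_WRONLY);
    (void)arg, syscall(SYS_getpid);
    if (fd >= 0) write(fd, "x", 1), close(fd);
}

int main(void)
{
    syscall_set s;
    int rc = learn_syscalls(demo_child, NULL, &s);
    if (rc < 0) { fprintf(stderr, "tracing failed, errno %d\n", -rc); return 1; }
    printf("/* child exit status %d, %d distinct syscalls */\n", rc, set_count(&s));
    return emit_rules(&s, stdout) > 0 ? 0 : 1;
}
```

It builds with plain `cc -Wall` and needs no libseccomp, since it only prints rules; paste the output into a seccomp_init()/seccomp_load() skeleton to use it. The entry/exit bookkeeping is the parity rule from ptrace(2), which is only sound for a single-threaded tracee; a multi-threaded target needs a per-thread flag or PTRACE_GET_SYSCALL_INFO. The caveat behind David's "anti-pattern" remark and Kees's "run repeatedly" stands: one traced run captures only the code paths that were exercised, so a filter built from it will still kill the process on the first error path that makes a syscall the run never saw.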
