Seccomp介绍
Secommp (SECure COMPuting)是Linux 内核中的安全模块,主要是用来限制一些进程可以执行的系统调用, Linux内核2.6.12版本中引入的,最初支持(read,write,_exit,sigreturn)这几种系统调用,当执行其他系统调用时候,会收到SIGKILL退出。
Secommp 在使用过程中包含两种模式:seccomp strict Mode
和 seccomp filter mode (seccomp-BPF)
。
- Strict模式使用下面方式进行设置:
prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT)
- Filter模式使用下面方式:
static const struct sock_fprog prog = {
.len = ARRAY_SIZE(filter),
.filter = (struct sock_filter *) filter,
};
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
Android中的Seccomp BPF
android 中,从8.0开始所有应用都设为使用 seccomp-bpf 过滤器运行,该过滤器可限制允许应用使用的系统调用,从而增强应用/内核边界的安全性。下面是Android中使用的测试代码.
/*
* Check verbose decoding of prctl PR_SET_SECCOMP SECCOMP_MODE_FILTER.
*
* Copyright (c) 2015-2016 Dmitry V. Levin <ldv@altlinux.org>
* Copyright (c) 2016-2017 The strace developers.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "tests.h"
#include <stddef.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <asm/unistd.h>
#ifdef HAVE_PRCTL
# include <sys/prctl.h>
#endif
#ifdef HAVE_LINUX_SECCOMP_H
# include <linux/seccomp.h>
#endif
#include <linux/filter.h>
#if defined HAVE_PRCTL \
&& defined PR_SET_NO_NEW_PRIVS \
&& defined PR_SET_SECCOMP \
&& defined SECCOMP_MODE_FILTER \
&& defined SECCOMP_RET_ERRNO \
&& defined BPF_JUMP \
&& defined BPF_STMT
#define SOCK_FILTER_ALLOW_SYSCALL(nr) \
BPF_JUMP(BPF_JMP|BPF_K|BPF_JEQ, __NR_ ## nr, 0, 1), \
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW)
#define SOCK_FILTER_DENY_SYSCALL(nr, err) \
BPF_JUMP(BPF_JMP|BPF_K|BPF_JEQ, __NR_ ## nr, 0, 1), \
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO|(SECCOMP_RET_DATA & (err)))
#define SOCK_FILTER_KILL_PROCESS \
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL)
#define PRINT_ALLOW_SYSCALL(nr) \
printf("BPF_JUMP(BPF_JMP|BPF_K|BPF_JEQ, %#x, 0, 0x1), " \
"BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), ", \
__NR_ ## nr)
#define PRINT_DENY_SYSCALL(nr, err) \
printf("BPF_JUMP(BPF_JMP|BPF_K|BPF_JEQ, %#x, 0, 0x1), " \
"BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO|%#x), ", \
__NR_ ## nr, err)
static const struct sock_filter filter[] = {
/* load syscall number */
BPF_STMT(BPF_LD|BPF_W|BPF_ABS, offsetof(struct seccomp_data, nr)),
/* allow syscalls */
SOCK_FILTER_ALLOW_SYSCALL(close),
SOCK_FILTER_ALLOW_SYSCALL(exit),
SOCK_FILTER_ALLOW_SYSCALL(exit_group),
/* deny syscalls */
SOCK_FILTER_DENY_SYSCALL(sync, EBUSY),
SOCK_FILTER_DENY_SYSCALL(setsid, EPERM),
/* kill process */
SOCK_FILTER_KILL_PROCESS
};
static const struct sock_fprog prog = {
.len = ARRAY_SIZE(filter),
.filter = (struct sock_filter *) filter,
};
int
main(void)
{
int fds[2];
puts("prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0");
printf("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len=%u, filter=[",
prog.len);
printf("BPF_STMT(BPF_LD|BPF_W|BPF_ABS, %#x), ",
(unsigned) offsetof(struct seccomp_data, nr));
PRINT_ALLOW_SYSCALL(close);
PRINT_ALLOW_SYSCALL(exit);
PRINT_ALLOW_SYSCALL(exit_group);
PRINT_DENY_SYSCALL(sync, EBUSY),
PRINT_DENY_SYSCALL(setsid, EPERM),
printf("BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL_THREAD)");
puts("]}) = 0");
puts("+++ exited with 0 +++");
fflush(stdout);
close(0);
close(1);
if (pipe(fds))
perror_msg_and_fail("pipe");
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
perror_msg_and_skip("PR_SET_NO_NEW_PRIVS");
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
perror_msg_and_skip("PR_SET_SECCOMP");
if (close(0) || close(1))
_exit(77);
_exit(0);
}
#else
SKIP_MAIN_UNDEFINED("HAVE_PRCTL && PR_SET_NO_NEW_PRIVS && PR_SET_SECCOMP"
" && SECCOMP_MODE_FILTER && SECCOMP_RET_ERRNO"
" && BPF_JUMP && BPF_STMT")
#endif
参考资料:
https://www.kernel.org/doc/html/latest/translations/zh_CN/userspace-api/seccomp_filter.html
https://source.android.google.cn/docs/core/architecture/kernel/config?hl=zh-cn