Seccomp filtering is a mechanism in the Linux kernel that restricts which syscalls your application may use. When your application is hacked or manipulated and tries to call one of the disabled syscalls, the kernel kills it.
For example, if your application needs to open files at startup but afterwards only appends to them, you can drop the `open`/`openat` syscalls once the files are open. There is a nice Nim module that is very easy to use: <https://github.com/FedericoCeratto/nim-seccomp>

```nim
import seccomp

proc dropRights() =
  let ctx = seccomp_ctx()
  ctx.add_rule(Allow, "write")
  ctx.add_rule(Allow, "close")
  ctx.add_rule(Allow, "newfstatat")
  ctx.add_rule(Allow, "exit_group")
  # ctx.add_rule(Allow, "mmap") # needed for dynamic seq + strings etc
  ctx.load()

# here open is still allowed
let fh = open("/tmp/foo", fmWrite)

dropRights() # here we drop all syscalls except the allowed ones
echo "[x] Rights dropped"

fh.write("write still works")
echo "[x] write works"

# This will fail, since we've dropped the rights above.
echo "[x] hacker tries to open another file:"
let fh2 = open("/tmp/baa", fmWrite)
```

The output:

```
Hint: /home/david/projects/nimPlayground/seccompt202401291758 [Exec]
[x] Rights dropped
[x] write works
[x] hacker tries to open another file:
Bad system call (core dumped)
Error: execution of an external program failed: '/home/david/projects/nimPlayground/seccompt202401291758
```

When you need to know which syscalls are used, you can use strace:

```
strace ./yourApplication
```

```
[.....]
newfstatat(3, "", {st_mode=S_IFREG|0664, st_size=0, ...}, AT_EMPTY_PATH) = 0
write(1, "[x] write works\n", 16[x] write works
) = 16
write(1, "[x] hacker tries to open another"..., 39[x] hacker tries to open another file:
) = 39
openat(AT_FDCWD, "/tmp/baa", O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0666) = 257   # <---------- here we try to use "openat"
+++ killed by SIGSYS (core dumped) +++   # <--------- and here it's killed
Bad system call (core dumped)
[ble: exit 159]
```

There is also a nice talk about this from the German hacker Fefe, held at the CCC: <https://www.youtube.com/watch?v=TaE28fJVPTk>
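The same kind of allow-list as the Nim snippet above, written as an added example against the raw kernel interface (prctl plus a seccomp-bpf program) instead of through nim-seccomp/libseccomp, so you can see what `ctx.load()` ends up installing; it is not code from this post or from the module. It goes a bit beyond the Nim version: it checks the syscall ABI before comparing syscall numbers, and it installs the filter in a forked child so the parent can observe the SIGSYS instead of dying itself. Assumptions: x86_64 or aarch64 Linux, and the path `/tmp/seccomp-demo` is a constructed example.

```c
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
/* One allow-list entry: if nr == sysnr fall through to RET ALLOW, otherwise skip to the next test. */
#define ALLOW_SYSCALL(sysnr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (sysnr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
/* Allow write/close/exit_group only; any other syscall kills the caller with SIGSYS. */
static int install_allowlist(void) {
    struct sock_filter filter[] = {
        /* Check the syscall ABI first: numbers differ between architectures (and x32). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW_SYSCALL(__NR_write),
        ALLOW_SYSCALL(__NR_close),
        ALLOW_SYSCALL(__NR_exit_group),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL), /* default: "Bad system call" */
    };
    struct sock_fprog prog = { .len = sizeof(filter) / sizeof(filter[0]), .filter = filter };
    /* NO_NEW_PRIVS is what allows an unprivileged process to install the filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Fork; the child drops rights, then calls open() (openat underneath, not on the list).
   Returns 1 if the child died of SIGSYS, 2 if seccomp is unavailable here, 0 if open() passed. */
int child_open_is_killed(void) {
    pid_t pid = fork();
    if (pid == 0) {
        if (install_allowlist() != 0) _exit(2);
        (void)open("/tmp/seccomp-demo", O_WRONLY | O_CREAT, 0600); /* constructed path */
        _exit(0);
    }
    int status;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return 1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

A result of 2 means the kernel refused the filter (for example seccomp disabled inside a container sandbox), which is worth telling apart from 0, where the filter was installed but let `open()` through.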
