[Oneiric][pull request] SECCOMP syscall filtering

Kees Cook kees at ubuntu.com
Thu Aug 4 06:53:27 UTC 2011


The following changes since commit 12bf0a5416335a051be56978f8f87a2eaec143b2:

  UBUNTU: Ubuntu-3.0.0-7.9 (2011-07-29 08:51:10 -0700)

are available in the git repository at:
  git://kernel.ubuntu.com/kees/ubuntu-oneiric.git master

Kees Cook (1):
      UBUNTU: [Config] enable SECCOMP_FILTER for x86 and arm

Will Drewry (5):
      UBUNTU: SAUCE: CHROMIUM: seccomp_filter: new mode with configurable syscall filters
      UBUNTU: SAUCE: CHROMIUM: seccomp_filter: add process state reporting
      UBUNTU: SAUCE: CHROMIUM: seccomp_filter: Document what seccomp_filter is and how it works.
      UBUNTU: SAUCE: CHROMIUM: x86: add HAVE_SECCOMP_FILTER and seccomp_execve
      UBUNTU: SAUCE: CHROMIUM: arm: select HAVE_SECCOMP_FILTER

 Documentation/prctl/seccomp_filter.txt    |  189 +++++
 arch/arm/Kconfig                          |    1 +
 arch/x86/Kconfig                          |    1 +
 arch/x86/include/asm/ia32_unistd.h        |    1 +
 arch/x86/include/asm/seccomp_64.h         |    2 +
 debian.master/config/config.common.ubuntu |    2 +
 fs/proc/base.c                            |   31 +
 include/linux/init_task.h                 |   12 +
 include/linux/prctl.h                     |    7 +
 include/linux/sched.h                     |    2 +-
 include/linux/seccomp.h                   |  119 ++++-
 kernel/Makefile                           |    1 +
 kernel/fork.c                             |    4 +
 kernel/seccomp.c                          |   38 +-
 kernel/seccomp_filter.c                   | 1058 +++++++++++++++++++++++++++++
 kernel/sys.c                              |   12 +
 security/Kconfig                          |   17 +
 17 files changed, 1484 insertions(+), 13 deletions(-)
 create mode 100644 Documentation/prctl/seccomp_filter.txt
 create mode 100644 kernel/seccomp_filter.c

This is the "seccomp syscall filtering" subsystem that is expected to
be used by Chromium, vsftpd, openssh, qemu, lxc, and others[1]. It has
been stalled getting into mainline, but is a welcome new programmatic
opt-in security hardening feature.

Note, I have not build-tested this myself yet, as tangerine's host key has
changed and I'm travelling for a conference. I wanted to get eyes on it
ASAP since feature freeze is next week.

Thanks!

-Kees

[1] http://lwn.net/Articles/450291/

-- 
Kees Cook
Ubuntu Security Team



