
Block process execution with seccomp on linux/amd64 #13753

Closed
wants to merge 11 commits into
base: master
from

Conversation

7 participants
@rmuir
Contributor

rmuir commented Sep 23, 2015

On newer linux kernels, we can use prctl/seccomp to lock down the process and prevent the worst of the worst, like execution. This is used by e.g. chrome/firefox sandbox and so on.

This is just another level of security, java's security manager is not perfect, and there are often bugs in java itself, so it would be good to have another level of defense.

See https://en.wikipedia.org/wiki/Seccomp for more information

This PR blocks execve(), fork(), and vfork(), returning EACCES instead, so even with security manager disabled, process execution is still prevented.

    java.io.IOException: Cannot run program "ls": error=13, Permission denied
            at __randomizedtesting.SeedInfo.seed([65E6C4BED11899E:FC6E1CA6AA2DB634]:0)
            at java.lang.ProcessBuilder.start(ProcessBuilder.java:1048)
            at java.lang.Runtime.exec(Runtime.java:620)
            ...
    Caused by: java.io.IOException: error=13, Permission denied
            at java.lang.UNIXProcess.forkAndExec(Native Method)
            at java.lang.UNIXProcess.<init>(UNIXProcess.java:248)
            at java.lang.ProcessImpl.start(ProcessImpl.java:134)
            at java.lang.ProcessBuilder.start(ProcessBuilder.java:1029)

@rmuir rmuir added the WIP label Sep 23, 2015

@s1monw
Contributor

s1monw commented Sep 23, 2015

nice!

@dakrone
Member

dakrone commented Sep 23, 2015

Tested this locally and it looks to be working, very neat!

@rmuir rmuir added review and removed WIP labels Sep 24, 2015

@rmuir
Contributor

rmuir commented Sep 24, 2015

I fixed all the TODOs and gripes I had with this and added documentation, checks here. I think it's ready...

@jaymode
Member

jaymode commented Sep 24, 2015

left a minor comment about a log message, other than that LGTM! This is really nice.

@rmuir
Contributor

rmuir commented Sep 24, 2015

Thanks for looking, I added that debug, good idea.

@s1monw
Contributor

s1monw commented Sep 24, 2015

LGTM FWIW I don't know that linux feature in particular

@rmuir rmuir closed this in 8b88a69 Sep 24, 2015

@rmuir rmuir added v5.0.0-alpha1 v2.1.0 and removed review labels Sep 24, 2015

rmuir added a commit that referenced this pull request Sep 25, 2015

Block process execution with seccomp on linux/amd64
Block execve(), fork(), and vfork() system calls, returning EACCES instead,
on kernels that support seccomp-bpf: either via seccomp() or falling back
to prctl().

Only linux/amd64 is supported. This feature can be disabled (in case
of problems) with bootstrap.seccomp=false.

Closes #13753

Squashed commit of the following:

commit 92cee05
Author: Robert Muir <rmuir@apache.org>
Date:   Thu Sep 24 10:12:51 2015 -0400

    Add a note about why we don't parse uname() or anything

commit b427971
Author: Robert Muir <rmuir@apache.org>
Date:   Thu Sep 24 09:44:31 2015 -0400

    style only: we already pull errno into a local, use it for catch-all case

commit ddf9330
Author: Robert Muir <rmuir@apache.org>
Date:   Thu Sep 24 08:36:01 2015 -0400

    add TODO

commit f29d1b7
Author: Robert Muir <rmuir@apache.org>
Date:   Thu Sep 24 08:33:28 2015 -0400

    Add full stacktrace at debug level always

commit a3c991f
Author: Robert Muir <rmuir@apache.org>
Date:   Thu Sep 24 00:08:19 2015 -0400

    Add missing check just in case.

commit 628ed9c
Author: Robert Muir <rmuir@apache.org>
Date:   Wed Sep 23 22:47:16 2015 -0400

    Add public getter, for stats or whatever if they need to know this

commit 3e2265b
Author: Robert Muir <rmuir@apache.org>
Date:   Wed Sep 23 22:43:06 2015 -0400

    Enable use of seccomp(2) on Linux 3.17+ which provides more protection.
    Add nice errors.
    Add all kinds of checks and paranoia.
    Add documentation.
    Add boolean switch.

commit 0e421f7
Author: Robert Muir <rmuir@apache.org>
Date:   Wed Sep 23 21:36:32 2015 -0400

    Add defensive checks and nice error messages

commit 6231c3b
Author: Robert Muir <rmuir@apache.org>
Date:   Wed Sep 23 20:52:40 2015 -0400

    clean up JNA and BPF. block fork and vfork too.

commit bb31e8a
Author: Robert Muir <rmuir@apache.org>
Date:   Wed Sep 23 19:00:32 2015 -0400

    order is LE already for the JNA buffer, but be explicit about it

commit 10456d2
Author: Robert Muir <rmuir@apache.org>
Date:   Wed Sep 23 17:47:07 2015 -0400

    block process execution with seccomp on linux/amd64

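The policy described in the PR text and in the squashed commit message above (execve, fork and vfork answered with EACCES, installed with seccomp(2) where available and prctl(2) otherwise), written out in C as an added example. This is not Elasticsearch's code, which builds the same kind of BPF program from Java through JNA; the exec_block_* names, the cBPF evaluator and the probe path are this example's own. Syscall numbers are the amd64 ones and the install helper refuses to run anywhere else, because the filter kills the process on any other ABI.

```c
/* Added example: a seccomp-bpf policy that makes execve/fork/vfork fail with
 * EACCES on linux/amd64, installed via seccomp(2) with a prctl(2) fallback.
 * Not Elasticsearch code; the exec_block_* names are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_SET_MODE_FILTER
#define SECCOMP_SET_MODE_FILTER 1
#endif
#ifndef SECCOMP_FILTER_FLAG_TSYNC
#define SECCOMP_FILTER_FLAG_TSYNC 1
#endif
#if defined(__x86_64__) && !defined(SYS_seccomp)
#define SYS_seccomp 317
#endif

/* amd64 syscall numbers, fixed here so the policy can be evaluated on any host. */
#define AMD64_NR_FORK   57
#define AMD64_NR_VFORK  58
#define AMD64_NR_EXECVE 59
#define X32_SYSCALL_BIT 0x40000000u
#define DENY_EXEC (SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA))

static const struct sock_filter exec_block_prog[] = {
    /* Accept only the amd64 ABI; i386 (int 0x80) and x32 calls are killed outright. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, X32_SYSCALL_BIT, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* Process creation fails with EACCES; every other syscall is allowed. */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AMD64_NR_EXECVE, 3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AMD64_NR_FORK,   2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AMD64_NR_VFORK,  1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, DENY_EXEC),
};
#define EXEC_BLOCK_LEN (sizeof exec_block_prog / sizeof exec_block_prog[0])

/* Tiny cBPF interpreter for the four instruction forms used above: returns the
 * verdict the kernel would give for (arch, nr) without installing anything. */
uint32_t exec_block_eval(uint32_t arch, uint32_t nr) {
    struct seccomp_data d;
    uint32_t acc = 0;
    memset(&d, 0, sizeof d);
    d.nr = (int)nr;
    d.arch = arch;
    for (size_t pc = 0; pc < EXEC_BLOCK_LEN; pc++) {
        const struct sock_filter *in = &exec_block_prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS: memcpy(&acc, (const char *)&d + in->k, 4); break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (acc == in->k) ? in->jt : in->jf; break;
        case BPF_JMP | BPF_JGE | BPF_K: pc += (acc >= in->k) ? in->jt : in->jf; break;
        case BPF_RET | BPF_K: return in->k;
        default: return SECCOMP_RET_KILL; /* unknown opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL; /* fell off the end: fail closed */
}

/* Install for the calling process. 0 on success, else -1 with errno set
 * (ENOTSUP off linux/amd64, where the arch check above would kill us). seccomp(2)
 * with TSYNC (Linux 3.17+) covers every thread; prctl(2) covers only this one. */
int exec_block_install(void) {
#if !defined(__linux__) || !defined(__x86_64__)
    errno = ENOTSUP;
    return -1;
#else
    struct sock_fprog prog = { (unsigned short)EXEC_BLOCK_LEN, (struct sock_filter *)exec_block_prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) /* required for unprivileged callers */
        return -1;
    if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, &prog) == 0)
        return 0;
    if (errno != ENOSYS) /* kernel knows seccomp(2) but rejected the filter: do not hide it */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
#endif
}

/* Exec a path that cannot exist: ENOENT without the filter, EACCES with it,
 * because the filter answers before the kernel resolves the path. Returns errno. */
int exec_block_probe(void) {
    char *argv[] = { "probe", NULL }, *envp[] = { NULL };
    if (execve("/nonexistent/exec-block-probe", argv, envp) == 0)
        return 0;
    return errno;
}

int main(void) {
    if (exec_block_install() != 0) {
        perror("exec_block_install");
        return 1;
    }
    int e = exec_block_probe();
    printf("execve after filter: errno=%d (%s)\n", e, strerror(e));
    return 0;
}
```

Two caveats worth knowing before copying this list of three syscalls into a production filter. First, on x86_64 glibc implements its fork() wrapper with the clone system call, so a filter that names only fork and vfork does not stop libc-level fork(); execve is the chokepoint that actually matters for running a foreign binary, and adding clone to the deny list would also break thread creation. Second, Linux 3.19 introduced execveat(2) as a separate syscall number, which a filter matching only execve does not see; it belongs in the same deny list.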
@clintongormley clintongormley changed the title from block process execution with seccomp on linux/amd64 to Block process execution with seccomp on linux/amd64 Nov 20, 2015

@samcday

samcday commented Jun 4, 2016

Hey so it turns out this secure computing thing completely breaks -XX:OnOutOfMemoryError, since the JVM attempts to exec the supplied command(s).

Should I raise a separate issue for that?

@rmuir
Contributor

rmuir commented Jun 4, 2016

More like, launching processes is bullshit for a daemon process to do. Under any circumstances. Manage this stuff with startup scripts, etc. If you don't agree with me, open an issue if you like. But this is an important piece, to ensure remote execution is something that doesn't happen again.

@jasontedor
Member

jasontedor commented Jun 4, 2016

> Hey so it turns out this secure computing thing completely breaks -XX:OnOutOfMemoryError, since the JVM attempts to exec the supplied command(s).

For others that might not click through to #18736, if all you want to do is kill on OutOfMemoryError, just use ExitOnOutOfMemoryError available starting in 8u92.
