
Oz Seccomp

David Mirza Ahmad edited this page Oct 30, 2015 · 5 revisions


Seccomp is a kernel facility that limits exposed system calls. Because system calls expose kernel attack surface as a means to privilege escalation, seccomp is an essential sandboxing control.

Oz supports per-application seccomp whitelist or blacklist policies. Whitelist policies are default deny, meaning that only those system calls explicitly permitted will be accessible. Blacklist policies are default allow, with only specific system calls restricted.

Whitelist policies are appropriate when an application's profile of required system calls is understood well enough that a precise policy can be created. Blacklist policies are appropriate when a whitelist policy does not yet exist or cannot be created for whatever reason. Oz includes a generic blacklist policy that will work "out of the box" with a large number of applications. This policy restricts the system calls least likely to be used by most sandboxed applications (e.g. ptrace).

Oz seccomp can run in either enforcing or non-enforcing mode (see Oz-Seccomp-Non-Enforcement-Mode), and the mode is defined in an application's Oz policy document. In enforcing mode, Oz seccomp instructs the kernel to terminate processes that violate seccomp policies (i.e. by attempting to run a restricted system call). In non-enforcing mode, system calls are permitted even if restricted, and seccomp filter matches are logged. Non-enforcing mode is meant for policy development and debugging.

Oz Seccomp Configuration

Oz general seccomp configuration is defined in each Oz application policy document. From evince.json:

[..]
, "seccomp": {
    "mode":"whitelist"
    , "enforce": true
    , "seccomp_whitelist":"/var/lib/oz/cells.d/evince-whitelist.seccomp"
    , "seccomp_blacklist":"/var/lib/oz/cells.d/evince-blacklist.seccomp"
    }
}
[..]

Oz Policy Configuration Parameters

Mode: whitelist or blacklist

Enforce: true or false

Blacklist/Whitelist: These are the locations of the seccomp policy documents. Oz seccomp policy document format is described in the next section.

Note that for now, the Oz policy as well as the seccomp policies must be whitelisted and accessible in the sandbox filesystem.

Seccomp Policies

Oz permits system calls to be generally restricted/permitted in blacklist/whitelist policies, or permitted/restricted with specific arguments. The example below depicts a section of a Seccomp whitelist policy where several system calls are permitted with any argument pattern except for socket(2), which is permitted only if argument 0 is 0x1 (AF_UNIX). From evince-whitelist.json:

[..]
read: 1
readlink: 1
recvfrom: 1
recvmsg: 1
rename: 1
rmdir: 1
socket: arg0 == 0x1
splice: 1
stat: 1
uname: 1
unlink: 1
wait4: 1
[..]

Blacklist policies follow the same format except that the listed system calls describe those to be restricted rather than permitted.
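
The following is an added example, not code from Oz: a small Go model of how a policy in the format above decides whether a call is permitted in whitelist or blacklist mode. It assumes only the two line forms shown on this page ("name: 1" and "name: argN == value"); the names rule, parsePolicy and permitted are hypothetical, and any mode other than "whitelist" is treated as blacklist.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// rule: arg < 0 means "1" (any arguments); else argument number arg must equal value.
type rule struct {
	arg   int
	value uint64
}

// parsePolicy accepts only the two line forms shown on the page and rejects the rest.
func parsePolicy(text string) (map[string]rule, error) {
	rules := map[string]rule{}
	for _, line := range strings.Split(text, "\n") {
		if line = strings.TrimSpace(line); line == "" || line == "[..]" {
			continue // blank line or the page's elision marker
		}
		name, expr, _ := strings.Cut(line, ":")
		f := strings.Fields(expr)
		if len(f) == 1 && f[0] == "1" {
			rules[name] = rule{arg: -1}
			continue
		}
		if len(f) != 3 || f[1] != "==" || !strings.HasPrefix(f[0], "arg") {
			return nil, fmt.Errorf("unsupported rule %q", line)
		}
		n, err := strconv.Atoi(f[0][3:])
		v, verr := strconv.ParseUint(f[2], 0, 64)
		if err != nil || verr != nil || n < 0 || n > 5 {
			return nil, fmt.Errorf("bad argument rule %q", line)
		}
		rules[name] = rule{arg: n, value: v}
	}
	return rules, nil
}

// permitted: a whitelist permits only matching calls, a blacklist restricts only those.
func permitted(mode string, rules map[string]rule, name string, args [6]uint64) bool {
	r, listed := rules[name]
	return (listed && (r.arg < 0 || args[r.arg] == r.value)) == (mode == "whitelist")
}

func main() {
	rules, err := parsePolicy("read: 1\nsocket: arg0 == 0x1") // constructed sample
	fmt.Println(permitted("whitelist", rules, "socket", [6]uint64{2}), err) // AF_INET
}
```

Rejecting any line the parser does not recognise keeps a typo in a whitelist from silently widening the policy.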