Oz Seccomp Non Enforcement Mode
(Alpha - work in progress and still buggy.)
It is possible to run Oz-sandboxed applications with seccomp filter policies in an "audit-only" mode, where policy violations are not enforced by killing the offending application. Instead, filter-matched system calls are permitted to run and each match is reported to the oz-daemon console.
This feature is intended for use while developing seccomp blacklist/whitelist policies, or for other system-level debugging of applications sandboxed in Oz. In general, users should not disable enforcement, as it removes an important sandboxing control.
Non-enforcement mode is enabled by setting the "enforce" boolean flag to false in the "seccomp" sub-section of the Oz policy file. For example:
[..]
  ]
  , "seccomp": {
      "mode":"whitelist"
    , "enforce": false
    , "seccomp_whitelist":"/var/lib/oz/cells.d/evince-whitelist.seccomp"
    , "seccomp_blacklist":"/var/lib/oz/cells.d/evince-blacklist.seccomp"
  }
}
[..]
When an application is configured to run without seccomp enforcement, the Oz oz-seccomp-tracer utility monitors its sandboxed processes for seccomp filter matches. oz-seccomp-tracer relies on the kernel's ptrace support for seccomp to catch and record these events.
Audit events are (for now) written to the oz-daemon output and look like this:
[..]
2015/10/29 18:59:35 [iceweasel] (stderr) I ==============================================
2015/10/29 18:59:35 [iceweasel] (stderr) seccomp hit on sandbox pid 49 (/usr/bin/iceweasel.unsafe ) syscall futex (202):
2015/10/29 18:59:35 [iceweasel] (stderr)
2015/10/29 18:59:35 [iceweasel] (stderr) futex(0x2C1F383617C, FUTEX_WAKE_OP_PRIVATE, 1, 0x1, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_GT, 1})
2015/10/29 18:59:35 [iceweasel] (stderr) I ==============================================
2015/10/29 18:59:35 [iceweasel] (stderr)
2015/10/29 19:00:31 [icedove] (stderr) I ==============================================
2015/10/29 19:00:31 [icedove] (stderr) seccomp hit on sandbox pid 63 (/usr/bin/icedove.unsafe ) syscall openat (257):
2015/10/29 19:00:31 [icedove] (stderr)
2015/10/29 19:00:31 [icedove] (stderr) openat(AT_FDCWD, "/usr/lib/icedove/distribution/bundles", O_RDONLY|O_CLOEXEC|O_DIRECTORY)
2015/10/29 19:00:31 [icedove] (stderr) I ==============================================
2015/10/29 19:00:31 [icedove] (stderr)
2015/10/30 17:12:19 [icedove] (stderr) I ==============================================
2015/10/30 17:12:19 [icedove] (stderr) seccomp hit on sandbox pid 69 (/usr/bin/icedove.unsafe ) syscall connect (42):
2015/10/30 17:12:19 [icedove] (stderr)
2015/10/30 17:12:19 [icedove] (stderr) connect(31, {sin_family=AF_INET, sin_port=9050, sin_addr=127.0.0.1}, 16)
2015/10/30 17:12:19 [icedove] (stderr) I ==============================================
2015/10/30 17:12:20 [icedove] (stderr)
2015/10/30 17:12:21 [icedove] (stderr) I ==============================================
2015/10/30 17:12:21 [icedove] (stderr) seccomp hit on sandbox pid 70 (/usr/bin/icedove.unsafe ) syscall madvise (28):
2015/10/30 17:12:21 [icedove] (stderr)
2015/10/30 17:12:21 [icedove] (stderr) 4 madvise(0x2649C88C000, 4096, MADV_DONTNEED)
2015/10/30 17:12:21 [icedove] (stderr) I ==============================================
2015/10/30 17:12:21 [icedove] (stderr)
[..]
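A small triage helper for this audit output, added here as an example (it is not part of Oz or oz-seccomp-tracer): it parses oz-daemon lines in the format shown above, pairs each "seccomp hit" line with the decoded call printed after it, and counts matches per sandbox and syscall, which is the raw material for deciding what a whitelist still lacks. The sample lines are taken from the excerpt above.

```python
import re
from collections import defaultdict

# Sample oz-daemon output, taken from the excerpt above.
SAMPLE_LOG = """\
2015/10/29 19:00:31 [icedove] (stderr) I ==============================================
2015/10/29 19:00:31 [icedove] (stderr) seccomp hit on sandbox pid 63 (/usr/bin/icedove.unsafe ) syscall openat (257):
2015/10/29 19:00:31 [icedove] (stderr)
2015/10/29 19:00:31 [icedove] (stderr) openat(AT_FDCWD, "/usr/lib/icedove/distribution/bundles", O_RDONLY|O_CLOEXEC|O_DIRECTORY)
2015/10/30 17:12:19 [icedove] (stderr) seccomp hit on sandbox pid 69 (/usr/bin/icedove.unsafe ) syscall connect (42):
2015/10/30 17:12:19 [icedove] (stderr) connect(31, {sin_family=AF_INET, sin_port=9050, sin_addr=127.0.0.1}, 16)
2015/10/29 18:59:35 [iceweasel] (stderr) seccomp hit on sandbox pid 49 (/usr/bin/iceweasel.unsafe ) syscall futex (202):
2015/10/29 18:59:35 [iceweasel] (stderr) futex(0x2C1F383617C, FUTEX_WAKE_OP_PRIVATE, 1, 0x1, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_GT, 1})
"""
# Every line carries "date time [sandbox] (stderr) payload"; the payload may be empty.
PREFIX = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d \[([^\]]+)\] \(stderr\) ?(.*)$")
HIT = re.compile(r"^seccomp hit on sandbox pid (\d+) \((\S+) \) syscall (\w+) \((\d+)\):$")

def parse_hits(text):
    """Return one record per 'seccomp hit', with the decoded call that follows it."""
    hits, pending = [], {}
    for line in text.splitlines():
        if not (m := PREFIX.match(line)):
            continue
        sandbox, payload = m.groups()
        h = HIT.match(payload)
        if h:
            pid, exe, name, nr = h.groups()
            rec = {"sandbox": sandbox, "pid": int(pid), "exe": exe,
                   "syscall": name, "nr": int(nr), "call": None}
            hits.append(rec)
            pending[sandbox] = rec  # the decoded call is printed a few lines later
            continue
        # First non-empty, non-separator payload after a hit is its decoded call.
        rec = pending.get(sandbox)
        if rec and payload and not payload.startswith("I ===="):
            rec["call"] = payload
            del pending[sandbox]
    return hits

def summarize(hits):
    """Count matches per sandbox and syscall: each would have been a kill under enforcement."""
    counts = defaultdict(lambda: defaultdict(int))
    for rec in hits:
        counts[rec["sandbox"]][rec["syscall"]] += 1
    return {sb: dict(c) for sb, c in counts.items()}

if __name__ == "__main__":
    print(summarize(parse_hits(SAMPLE_LOG)))
```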
In the future we will develop tools to further aid debugging and policy development.