# Seccomp filtering

As a means to harden Cloud Hypervisor's security, the project leverages seccomp
filtering.

## What is seccomp filtering

A seccomp filter is a way for a process to tell the kernel which system calls
are authorized. If the process invokes a prohibited system call, the kernel
kills the process right away.

## How does it apply to Cloud Hypervisor

Cloud Hypervisor is a multi-threaded application. It spawns dedicated threads
for virtual CPUs, virtio devices and the HTTP server, along with the main thread
representing the VMM.

Each of these threads has a limited scope of what it is expected to perform,
which is why a different filter is applied to each of them.

By default, Cloud Hypervisor enables seccomp filtering, as the project believes
that security should not be optional.

For development and debugging purposes, one might want to disable this feature
or log the faulty system call.

### Disabling seccomp filters

Append `--seccomp false` to Cloud Hypervisor's command line to prevent seccomp
filtering from being applied.
### Logging prohibited system calls

When debugging, one alternative to disabling seccomp filtering is to log the
faulty system calls that would otherwise have caused the application to be
killed by the kernel.

Append `--seccomp log` to Cloud Hypervisor's command line to have faulty system
calls logged.

The kernel running on the host machine must have auditing enabled. If this is
not the case, update the kernel boot options by appending `audit=1`.

Unauthorized system calls will be logged to the journal, similarly to the
following example:

```
type=SECCOMP msg=audit(1423263412.694:7878): auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:cloud_hypervisor:s0-s0:c0.c1023 pid=1193 comm="cloud-hypervisor" exe="/usr/bin/cloud-hypervisor" sig=0 arch=c000003e syscall=47 compat=0 ip=0x7f4f63982604 code=0x50000
```

Provided `ausyscall` has been installed on the host, the system call number can
be translated into a name with

```
$ ausyscall 47
recvmsg
```

### Further debug with `strace`

One more way of debugging seccomp-related issues is to use the `strace` tool, as
it logs every system call issued by the process.
It is important to use the `-f` option in order to trace each and every thread
belonging to the process.

```
strace --decode-pids=comm -f ./cloud-hypervisor ...
```
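Reading the audit record by hand gets tedious, so here is an added example in C (not part of Cloud Hypervisor or of the audit package; the function and type names are this example's own) that parses a `type=SECCOMP` line such as the one quoted in the logging section. Beyond `syscall=`, two fields matter: `arch=` (`c000003e` is `AUDIT_ARCH_X86_64`; syscall numbers differ per architecture, so 47 is `recvmsg` only on x86_64, and `ausyscall` accepts an architecture argument when a log comes from another machine) and `code=`, which records the action the filter returned (`0x50000` in the quoted sample is `SECCOMP_RET_ERRNO`; a filter running in log mode records `SECCOMP_RET_LOG`). The syscall-name table is a constructed subset, enough for the sample, and `SAMPLE_LINE` is the record quoted above.

```c
/* Added example, not Cloud Hypervisor code: decode a type=SECCOMP audit record
 * such as the one quoted in the document into its useful fields. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS /* fallbacks for older headers; values are the kernel's */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#ifndef SECCOMP_RET_LOG
#define SECCOMP_RET_LOG 0x7ffc0000U
#endif
#ifndef AUDIT_ARCH_AARCH64
#define AUDIT_ARCH_AARCH64 0xc00000b7U
#endif

/* The record quoted in the document, used here as the sample input. */
const char *SAMPLE_LINE = "type=SECCOMP msg=audit(1423263412.694:7878): auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:cloud_hypervisor:s0-s0:c0.c1023 pid=1193 comm=\"cloud-hypervisor\" exe=\"/usr/bin/cloud-hypervisor\" sig=0 arch=c000003e syscall=47 compat=0 ip=0x7f4f63982604 code=0x50000";

struct seccomp_event { char comm[32]; long pid; uint32_t arch; long nr; uint32_t code; };

/* Copy the value of `key=` into out (quotes stripped); 0 if the key is absent.
 * Only whole keys match, so "uid=" is not found inside "auid=". */
static int field(const char *line, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    for (const char *p = line; (p = strstr(p, key)) != NULL; p += klen) {
        if ((p != line && p[-1] != ' ') || p[klen] != '=') continue;
        p += klen + 1;
        int quoted = (*p == '"');
        if (quoted) p++;
        size_t n = 0;
        while (p[n] && p[n] != ' ' && !(quoted && p[n] == '"')) n++;
        if (n >= outlen) n = outlen - 1;
        memcpy(out, p, n);
        out[n] = '\0';
        return 1;
    }
    return 0;
}

/* Parse one journal line; returns 0 if it is not a type=SECCOMP record. */
int parse_seccomp_event(const char *line, struct seccomp_event *ev)
{
    char v[64];
    if (!field(line, "type", v, sizeof v) || strcmp(v, "SECCOMP") != 0) return 0;
    memset(ev, 0, sizeof *ev);
    if (field(line, "comm", v, sizeof v)) snprintf(ev->comm, sizeof ev->comm, "%s", v);
    if (field(line, "pid", v, sizeof v)) ev->pid = strtol(v, NULL, 10);
    if (field(line, "arch", v, sizeof v)) ev->arch = (uint32_t)strtoul(v, NULL, 16);
    if (field(line, "syscall", v, sizeof v)) ev->nr = strtol(v, NULL, 10);
    if (field(line, "code", v, sizeof v)) ev->code = (uint32_t)strtoul(v, NULL, 16);
    return 1;
}

/* code= records the filter's verdict: 0x50000 is SECCOMP_RET_ERRNO, while a
 * filter running in log mode records SECCOMP_RET_LOG (0x7ffc0000). */
const char *action_name(uint32_t code)
{
    switch (code & 0xffff0000U) { /* SECCOMP_RET_ACTION_FULL mask */
    case SECCOMP_RET_KILL_PROCESS: return "SECCOMP_RET_KILL_PROCESS";
    case 0x00000000U:              return "SECCOMP_RET_KILL_THREAD";
    case SECCOMP_RET_TRAP:         return "SECCOMP_RET_TRAP";
    case SECCOMP_RET_ERRNO:        return "SECCOMP_RET_ERRNO";
    case SECCOMP_RET_TRACE:        return "SECCOMP_RET_TRACE";
    case SECCOMP_RET_LOG:          return "SECCOMP_RET_LOG";
    default:                       return "unknown";
    }
}

/* Syscall numbers differ per architecture, so the lookup is keyed on arch= as
 * well. Constructed subset of the table that `ausyscall <arch> <nr>` consults. */
const char *syscall_name(uint32_t arch, long nr)
{
    static const struct { uint32_t arch; long nr; const char *name; } table[] = {
        { AUDIT_ARCH_X86_64, 0, "read" },     { AUDIT_ARCH_X86_64, 1, "write" },
        { AUDIT_ARCH_X86_64, 47, "recvmsg" }, { AUDIT_ARCH_X86_64, 231, "exit_group" },
        { AUDIT_ARCH_AARCH64, 63, "read" },   { AUDIT_ARCH_AARCH64, 64, "write" },
        { AUDIT_ARCH_AARCH64, 212, "recvmsg" }, { AUDIT_ARCH_AARCH64, 94, "exit_group" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].arch == arch && table[i].nr == nr) return table[i].name;
    return "?";
}

int main(void)
{
    struct seccomp_event ev;
    if (!parse_seccomp_event(SAMPLE_LINE, &ev)) return 1;
    printf("pid=%ld comm=%s arch=0x%x syscall=%ld (%s) action=%s\n", ev.pid, ev.comm,
           ev.arch, ev.nr, syscall_name(ev.arch, ev.nr), action_name(ev.code));
    return 0;
}
```

To use it on a live host, feed the lines from `ausearch -m SECCOMP` (or the kernel journal) through `parse_seccomp_event()` one at a time; records of other types are skipped, and an unknown number for a given architecture comes back as `?`, at which point `ausyscall` with the matching architecture gives the full answer.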