xref: /cloud-hypervisor/docs/seccomp.md (revision 6f8bd27cf7629733582d930519e98d19e90afb16)
# Seccomp filtering

As a means to harden Cloud Hypervisor's security, the project leverages seccomp
filtering.

## What is seccomp filtering

A seccomp filter is a way for a process to tell the kernel which system calls
are authorized.
In case this process calls into a prohibited system call, the kernel will kill
the process right away.

## How does it apply to Cloud Hypervisor

Cloud Hypervisor is a multi-threaded application. It spawns dedicated threads
for virtual CPUs, virtio devices and the HTTP server, along with the main thread
representing the VMM.

Each of these threads has a limited scope of what it is expected to perform,
which is why a different filter is applied to each of them.

By default, Cloud Hypervisor enables seccomp filtering as the project believes
that security should not be an option.

For development and debugging purposes, one might want to disable this feature
or log the faulty system call.

### Disabling seccomp filters

Append `--seccomp false` to Cloud Hypervisor's command line to prevent seccomp
filtering from being applied.

### Logging prohibited system calls

When debugging, one alternative to disabling seccomp filtering is to log the
faulty system calls that would otherwise have caused the application to be
killed by the kernel.

Append `--seccomp log` to Cloud Hypervisor's command line to enable faulty
system calls to be logged.

The kernel running on the host machine must have the `audit` parameter enabled.
If this is not the case, update the kernel boot options by appending `audit=1`.

Unauthorized system calls will be logged to the journal, similar to the
following example:

```
type=SECCOMP msg=audit(1423263412.694:7878): auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:cloud_hypervisor:s0-s0:c0.c1023 pid=1193 comm="cloud-hypervisor" exe="/usr/bin/cloud-hypervisor" sig=0 arch=c000003e syscall=47 compat=0 ip=0x7f4f63982604 code=0x50000
```

Provided `ausyscall` has been installed on the host, the system call can be
identified with:

```
$ ausyscall 47
recvmsg
```
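To turn a run of such journal records into something actionable, here is an added Python example (not part of the Cloud Hypervisor project or of this document) that parses `type=SECCOMP` audit records like the one above, maps the syscall number to a name with a constructed subset of the x86_64 table (standing in for `ausyscall`), decodes the `code` field into its `SECCOMP_RET_*` action so a log-only record can be told apart from an errno or kill, and counts the denied calls per thread name. The journal lines other than the one quoted above, including the `vcpu0` thread name, are constructed for the demo.

```python
import re
from collections import Counter

# Constructed subset of the x86_64 syscall table (arch=c000003e is AUDIT_ARCH_X86_64);
# on a real host build the full map from `ausyscall --dump` or <asm/unistd_64.h>.
AUDIT_ARCH_X86_64 = 0xC000003E
X86_64_SYSCALLS = {0: "read", 1: "write", 3: "close", 47: "recvmsg", 257: "openat"}

# Action half of the `code` field (SECCOMP_RET_* values from <linux/seccomp.h>).
SECCOMP_ACTIONS = {0x80000000: "SECCOMP_RET_KILL_PROCESS", 0x0: "SECCOMP_RET_KILL_THREAD",
                   0x00030000: "SECCOMP_RET_TRAP", 0x00050000: "SECCOMP_RET_ERRNO",
                   0x7FFC0000: "SECCOMP_RET_LOG", 0x7FFF0000: "SECCOMP_RET_ALLOW"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_fields(line):
    """Split an audit record into key/value pairs, unquoting quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def decode_seccomp_record(line):
    """Decode one `type=SECCOMP` audit record; returns None for other record types."""
    f = parse_audit_fields(line)
    if f.get("type") != "SECCOMP":
        return None
    arch, nr = int(f["arch"], 16), int(f["syscall"])
    name = X86_64_SYSCALLS.get(nr, f"unknown({nr})") if arch == AUDIT_ARCH_X86_64 \
        else f"arch-{f['arch']}-nr-{nr}"
    action = int(f["code"], 16) & 0xFFFF0000   # SECCOMP_RET_ACTION_FULL mask
    return {"pid": int(f["pid"]), "comm": f["comm"], "syscall": nr, "name": name,
            "action": SECCOMP_ACTIONS.get(action, hex(action))}

def summarize_denials(lines):
    """Count SECCOMP records per (thread name, syscall name): with `--seccomp log`
    this is the list of calls a thread's filter does not yet allow."""
    counts = Counter()
    for line in lines:
        rec = decode_seccomp_record(line)
        if rec is not None:
            counts[(rec["comm"], rec["name"])] += 1
    return counts

# Constructed journal excerpt: the record from the text above plus two made-up lines
# (the "vcpu0" thread name and the SYSCALL record are invented for the demo).
SAMPLE_JOURNAL = [
    'type=SECCOMP msg=audit(1423263412.694:7878): auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:cloud_hypervisor:s0-s0:c0.c1023 pid=1193 comm="cloud-hypervisor" exe="/usr/bin/cloud-hypervisor" sig=0 arch=c000003e syscall=47 compat=0 ip=0x7f4f63982604 code=0x50000',
    'type=SECCOMP msg=audit(1423263413.001:7879): auid=1000 uid=1000 gid=1000 ses=3 pid=1193 comm="vcpu0" exe="/usr/bin/cloud-hypervisor" sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f4f63982700 code=0x7ffc0000',
    'type=SYSCALL msg=audit(1423263413.002:7880): arch=c000003e syscall=1 success=yes pid=1193 comm="cloud-hypervisor"',
]
```

Feeding `journalctl -k` output (or `ausearch -m SECCOMP` records) into `summarize_denials` gives, per thread, the syscalls to review against that thread's filter.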

### Further debugging with `strace`

One more way of debugging seccomp-related issues is to use the `strace` tool, as
it will log every system call issued by the process. It is important to use the
`-f` option in order to trace each and every thread belonging to the process.

```
strace --decode-pids=comm -f ./cloud-hypervisor ...
```