In this article I’ll show you how to build a whitelist seccomp-bpf filter and how to attach the filter to a user program using the Firejail sandbox. Seccomp (secure computing mode) is a simple yet effective sandboxing mechanism built into the Linux kernel. Its filter mode, seccomp-bpf, introduced in Linux kernel 3.5, lets a process attach a system call filter, expressed as a Berkeley Packet Filter (BPF) program, to itself and all its descendants; once installed the filter cannot be removed and is inherited across fork and execve. Every syscall outside the whitelist is refused, which reduces the kernel attack surface exposed to that process. All of this is implemented directly in the Linux kernel and available on any Linux computer: there are no socket connections open and no daemons running in the background. The sandbox is lightweight and the overhead is low. Firejail is a generic Linux namespaces security sandbox, capable of running graphical programs as well as server programs.

Linux has several tools for listing the syscalls a program makes; I guess the easiest one to use is strace (apt-get install strace, yum install strace). I start by extracting a list of syscalls the program uses, build the filter from that list and run the program in Firejail. A list obtained this way only covers the code paths exercised during the trace, so as new syscalls are discovered during testing, the filter is updated. When everything looks fine, I integrate the filter into a security profile suitable for Firejail. Throughout the article I will use the Transmission BitTorrent client as an example.
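The extraction step described above, as an added example that is not part of the original article or of Firejail itself: a small POSIX shell script that parses an strace log (with or without the PID prefix that strace -f adds), prints the sorted set of syscall names, and turns it into the comma-separated list that Firejail's --seccomp.keep option expects. The strace log embedded in the script is constructed for the example; the PIDs, paths and addresses in it are made up.

```shell
#!/bin/sh
# Added example: build a Firejail seccomp whitelist from an strace log.
# Not code from the original article. Record a real trace with, e.g.:
#   strace -f -o trace.log transmission-gtk
# and feed the file's contents to the functions below.

# Constructed sample in the format of `strace -f -o trace.log <program>`.
# It deliberately contains the non-syscall lines strace emits (resumed
# calls, exit markers, signal delivery) so the parser has to skip them.
SAMPLE_TRACE='1234 execve("/usr/bin/transmission-gtk", ["transmission-gtk"], 0x7ffd12345678 /* 40 vars */) = 0
1234 brk(NULL) = 0x55d2c4a6b000
1234 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1f8c3c4000
1234 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1234 read(3, "\177ELF\2\1\1\0"..., 832) = 832
1234 close(3) = 0
1234 clone(child_stack=0x7f1f8b3c2fb0, flags=CLONE_VM|CLONE_FS|CLONE_THREAD) = 1235
1235 read(4,  <unfinished ...>
1234 futex(0x7f1f8c3c3e20, FUTEX_WAKE_PRIVATE, 1) = 1
1235 <... read resumed>"\0\0\0\1", 4) = 4
1235 +++ exited with 0 +++
1234 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1235} ---
1234 exit_group(0) = ?
1234 +++ exited with 0 +++'

# Print the sorted, unique syscall names found in an strace log ($1).
# A syscall line is "<optional pid> <name>(" at the start of the line;
# "<... name resumed>", "+++ exited" and "--- SIGNAL" lines are ignored
# (a resumed call was already counted on its "unfinished" line).
extract_syscalls() {
    printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]* *\)\{0,1\}\([a-z_][a-z0-9_]*\)(.*/\2/p' |
        LC_ALL=C sort -u
}

# Turn the list into the comma-separated argument for `firejail --seccomp.keep=`
# (the same list works on a `seccomp.keep` line in a Firejail profile).
seccomp_keep_arg() {
    extract_syscalls "$1" | tr '\n' ',' | sed 's/,$//'
}

# Demonstration on the constructed trace. With a real trace, run the
# program as:  firejail --seccomp.keep="$(seccomp_keep_arg "$(cat trace.log)")" transmission-gtk
# and repeat the trace/run cycle whenever a missing syscall shows up.
echo "syscalls seen:"
extract_syscalls "$SAMPLE_TRACE"
echo "firejail --seccomp.keep=$(seccomp_keep_arg "$SAMPLE_TRACE") transmission-gtk"
```

Two things to keep in mind when using the real trace: strace -f is needed so that threads and child processes are included, and the resulting list is only as complete as the program paths you exercised while tracing, so expect to add syscalls after the first sandboxed runs.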