Seccomp

It's in seccomp wheezy-backports. I don't know about seccomp. Is it enough to install the package and all applications making use of it will benefit from it?

Yes, that's how it works.

A proposal which warrants its own thread:
If we want to add filters for other software that doesn’t make use of it by default for further hardening (like what you are doing with AppArmor profiles) see:

https://wiki.mozilla.org/Security/Sandbox/Seccomp

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/prctl/seccomp_filter.txt

This looks more difficult than AppArmor at first view. As far as I understand, this requires editing C code (example: [Qemu-stable] [PATCH 26/56] seccomp: add the asynchronous I/O syscalls t). To write seccomp profiles for existing software, it would require a fork of the software and/or sending patches to upstream.

That is true, so let's just leave this as an open proposal for anyone who is able to help in that way and maybe ask for help in the rolling forum news section.

On the other hand, using it for software that supports it already is as easy as having the package installed and enabled, so maybe we can have it in Whonix 9?

It’s only available in wheezy-backports. I would have to do the same as with python-stem. Each time there is an update of that package, I would have to upload the updated version to Whonix. It’s all possible, but it delays the Whonix 9 release and it all adds up to maintenance effort. I guess it’s best to wait for the next version of Debian, when this package can be installed and updated from Debian stable, maintained by the Debian developers.

How much gain would we get from that effort? What packages are using seccomp?

Also another question beforehand, the package description (Debian -- Error) says
“Provides helper tools for interacting with libseccomp.”
That doesn’t really sound like that package needs to be installed to make use of seccomp?

How to enable seccomp? Apparently not by installing that package. Chromium enable seccomp-BPF sandbox on Debian 7 - Super User says it requires a more recent kernel.

What we should do in the meanwhile is document this security improvement in the advanced security guide (Advanced Security Guide - Whonix).

Considering the larger effort to have this now, as things are the way they are with Debian, I say we just wait until it's included by default. Let's keep it on the backburner but not forget about it.

How much gain would we get from that effort? What packages are using seccomp?

All components of the TBB are getting these protections, including AppArmor. They are looking to collect AppArmor profiles, so maybe we can give them what we have to integrate it upstream?

Interesting that they consider this even if it's not related directly to TBB, but it shows how far they are willing to go to contain TBB software.

What we should do in the meanwhile is document this security improvement in the advanced security guide (https://www.whonix.org/wiki/Advanced_Security_Guide).

Let's keep it on the backburner but not forget about it.
What is there to remember here? I haven't found comments that some setting has to be changed to enable seccomp. Once Whonix is based on wheezy+1, a newer kernel will be used and we will transparently and automatically profit from seccomp? Nothing to do here?

That’s a discussion for the Whonix Forum directed to troubadour. Getting upstream (TPO) to pick something up seems difficult. When troubadour does something here, I give it some feedback and testing in a timely manner. Upstream seems overworked. Not leaving feedback. By the time they eventually(!) leave feedback, you already forgot about what you did and might have lost interest and motivation because of the time lag.

What however could make sense is working with Micah Lee, who is interested in an AppArmor profile and more responsive. See:

It depends on troubadour to be motivated for this. I don’t take offense either way, of course.

Typo error: the snippet for the security guide for seccomp says:

After the policy is finalized, the kernel will match syscalls against the policy, limiting what an attacker can do in the event of a compromise.