We’ve just released a new version of libseccomp, libseccomp version 2.3.0. The libseccomp library provides an easy to use, platform independent interface to the Linux enhanced syscall filtering mechanism.
This new version of libseccomp builds upon the previous release and should be a drop-in replacement for the 2.x releases. All users are encouraged to upgrade to the new version at their earliest convenience.
Changes in the 2.3.0 release include:
Added support for the s390 and s390x architectures
Added support for the ppc, ppc64, and ppc64le architectures
Update the internal syscall tables to match the Linux 4.5-rc releases
Filter generation for both multiplexed and direct socket syscalls on x86
Support for the musl libc implementation
Additions to the API to enable runtime version checking of the library
Enable the use of seccomp() instead of prctl() on supported systems
Added additional tests to the regression test suite
Finally, thank you to everyone who has submitted suggestions, provided testing help, and contributed patches to the project.
As part of Linux 4.3 we added the ability to selectively filter based on an executable pathname and not just the executable’s current PID. This post is a quick introduction to the new functionality using ‘/usr/bin/echo’ as a simple example.
In order to use the new audit by executable functionality you need to make sure you are running Linux 4.3 or greater, and the audit userspace tools version 2.5 or greater. For this example I’m using a Fedora Rawhide system with a Linux 4.5 development kernel and the audit v2.5 userspace.
First, I’m going to clear any existing audit rules from the system and create a new rule to generate an audit event whenever the ‘/usr/bin/echo’ application calls the write() system call; I’m also going to have the kernel mark these records with the ‘testing’ key for easier parsing by ‘ausearch’ later. It is important to note that this is just a simple example to demonstrate the functionality, the new ‘-F exe=…’ audit filter can used as part of larger, more complex rules.
With the new rule loaded into the kernel we simply need to execute ‘/usr/bin/echo’. It is important to specify the full path for the echo command as some shells, including bash, default to a built-in if an absolute executable path for echo is not given.
# /usr/bin/echo "hello world!"
We can now check the audit log to see if any events have occurred that match the ‘testing’ key we used when we created our new audit by executable rule.
In this case we see two audit events have been recorded in the audit log. The first event consists of a single CONFIG_CHANGE record and was generated when we loaded the new rule into the kernel. The second event was generated by our newly created audit by executable rule and show ‘/usr/bin/echo’ using the write() syscall. For such a simple application as ‘/bin/true’ this is exactly what we would expect, and an indication that everything is working correctly.
DevConf.cz finished a few hours ago, and there were some really good SELinux talks. Miroslav Grepl summarized the SELinux work over the past year, and gave a preview of what we can expect over the next year. Milos Malik presented his work on a SELinux troubleshooting flowchart; if you’re having problems with SELinux denials and don’t know where to start I suggest giving it a try.
