cloud-hypervisor/docs/seccomp.md
Sebastien Boeuf 6190e64f2f docs: Add seccomp documentation
Document that seccomp is on and how to disable it along with a pointer
on how to identify missing syscalls during development.

Fixes #993

Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
2021-03-23 18:41:30 +01:00

69 lines
2.3 KiB
Markdown

# Seccomp filtering
As a means to harden Cloud Hypervisor's security, the project leverages seccomp
filtering.
## What is seccomp filtering
A seccomp filter is a way for a process to tell the kernel which system calls
are authorized.
In case this process calls into a prohibited system call, the kernel will kill
the process right away.
## How does it apply to Cloud Hypervisor
Cloud Hypervisor is a multi threaded application. It spawns dedicated threads
for virtual CPUs, virtio devices and HTTP server, along with the main thread
representing the VMM.
Each of these threads has a limited scope of what it is expected to perform,
which is why different filters are applied to each of them.
By default, Cloud Hypervisor enables seccomp filtering as the project believes
that security should not be an option.
For development and debugging purposes, one might want to disable this feature
or log the faulty system call.
### Disabling seccomp filters
Append `--seccomp false` to Cloud Hypervisor's command line to prevent seccomp
filtering from being applied.
### Logging prohibited system calls
In the context of debug, one alternative to disabling seccomp filtering is to
log faulty system calls that would have caused the application to be killed by
the kernel.
Append `--seccomp log` to Cloud Hypervisor's command line to enable faulty
system calls to be logged.
The kernel running on the host machine must have the `audit` parameter enabled.
If this is not the case, update kernel boot options by appending `audit=1`.
Unauthorized system calls will be logged to the journal similarly to the
following example
```
type=SECCOMP msg=audit(1423263412.694:7878): auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:cloud_hypervisor:s0-s0:c0.c1023 pid=1193 comm="cloud-hypervisor" exe="/usr/bin/cloud-hypervisor" sig=0 arch=c000003e syscall=47 compat=0 ip=0x7f4f63982604 code=0x50000
```
Provided `ausyscall` has been installed on the host, the system call can be
identified with
```
$ ausyscall 47
recvmsg
```
### Further debug with `strace`
One more way of debugging seccomp related issues is to use the `strace` tool as
it will log every system call issued by the process. It is important to use
`-f` option in order to trace each and every thread belonging to the process.
```
strace -f ./cloud-hypervisor ...
```