
How can I use seccomp and the prctl syscall vs. BCC to intercept syscalls? Is there another way to achieve this goal with BCC?

I know that it is possible with pure eBPF code in C, but it is too difficult to understand and use, and I want to use BCC for it.

1 Answer


BCC is about observability (mostly); it will help you trace and inspect the system calls, but it won't allow you to block them like seccomp does. If this is what you're after, eBPF can do that on recent kernels, but you want to search for the eBPF-based LSM (see the kernel's documentation on the topic).

A few additional pointers:

Qeole
  • Thanks Qeole! Useful! – Mostafa Sarmad May 10 '21 at 11:45
  • Does using an eBPF-based LSM basically require a kernel rebuild? – Mostafa Sarmad May 10 '21 at 11:50
  • And another question: does this line, `If this is what you're after, eBPF can do that on recent kernels`, represent something different from this one, `but you want to search for the eBPF-based LSM`? I mean, can I achieve my goal with pure eBPF and without an LSM? – Mostafa Sarmad May 10 '21 at 11:54
  • eBPF programs never need a kernel rebuild (the only thing that might need it is if your kernel didn't have the relevant options turned on when it was compiled, but this is seldom an issue on the recent versions of mainstream distributions). I'm not sure what you mean by _pure eBPF_. eBPF programs need to be attached to a hook in the kernel, the LSM _is_ such a hook. The only one, at the moment, to consider for everything related to filtering syscalls with eBPF. But it doesn't mean any additional frameworks or software, it's all self-contained in the kernel, look at the docs. – Qeole May 10 '21 at 13:14
  • But I think `(kernel)/samples/seccomp/dropper.c` is not hooked with an LSM, and it intercepts syscalls. Is that true? Or did I miss something? – Mostafa Sarmad May 10 '21 at 13:20
  • It's seccomp, as the directory name says. It uses the older cBPF, not eBPF. Seccomp is also a valid approach for most use cases, so you may want to look that side, too. – Qeole May 10 '21 at 14:03
  • Understood. Thanks! – Mostafa Sarmad May 10 '21 at 14:47
  • Hi Qeole! I'm back after a day of R&D! I read a lot of documents about BPF, eBPF and more, but I still didn't figure out how I can use BPF (eBPF) programs to intercept and filter syscalls with the ability to access their arguments and change them. Your links were also good and useful, but I didn't find anything useful about this or about using the LSM. Can you give me more information or references on this? Unfortunately, this is still very unclear to me. – Mostafa Sarmad May 12 '21 at 11:03
  • I don't think either solution will allow you to change the arguments of the syscall. `bpf_probe_write_user()` might allow that from eBPF but shouldn't be used for security purposes. Seccomp allows you to filter the arguments directly - just see the example in the doc, or the kernel samples. The eBPF LSM, being a LSM, won't process the arguments directly, instead it hooks at one of the existing LSM hooks (which one to use depends on your use case). See also the examples in doc and kernel samples/. – Qeole May 12 '21 at 11:41
  • Note: At some point it might be worth opening a question directly describing your use case and constraints, if you want folks to be able to point you to the best solutions. Maybe BPF isn't. “Syscall interception” is vague, if it is just about observability then kprobes/BCC work fine. But then it's not clear what you want to do once you “intercept”. You had not mentioned “changing” the arguments so far, for example. – Qeole May 12 '21 at 11:46
  • https://unix.stackexchange.com/questions/649368/interception-syscalls-and-make-change-in-their-arguments – Mostafa Sarmad May 12 '21 at 12:22
  • OK. So do we have access to syscall arguments in seccomp? Can we see the arguments and filter some of them according to a policy? – Mostafa Sarmad May 12 '21 at 12:31
  • Yes, this is how seccomp works. But I don't believe (although not 100% sure) that you can change the arguments with seccomp only. – Qeole May 12 '21 at 13:56