Module foundations::security

Available on crate feature security and Linux and (x86-64 or AArch64) only.

Security-related features.

§Syscall sandboxing

seccomp is the Linux kernel's syscall sandboxing facility. It lets a process attach a filter to the syscalls it makes and have the kernel take an action on each one, such as blocking it or logging it. The effect is an additional fence against attacks like arbitrary code execution: even if an attacker gains control of the process, they can only reach the syscalls the filter allows.

seccomp filtering is applied to the thread in which enable_syscall_sandboxing was called and to all threads spawned by that thread afterwards; threads that already exist when it is called are not covered. Therefore, enabling seccomp early in the main function, before any threads are spawned, enables it for the whole process.

All syscalls are considered a security violation by default, and the chosen ViolationAction is performed whenever one is encountered. The application must pass enable_syscall_sandboxing a list of exception Rules for the syscalls it considers safe to use; anything not on that list is treated as a violation.

The crate provides a few common_syscall_allow_lists to simplify configuration.

Foundations compiles libseccomp itself and links it statically, so the library does not need to be installed on the build or target machine.

§Simple case Spectre mitigation for x86_64 processors

One of the simplest Spectre attack vectors is to use the x86_64 time stamp counter as the high-resolution timer that distinguishes a cache hit from a cache miss. foundations provides the forbid_x86_64_cpu_cycle_counter method, which disallows use of the counter in the process, so any attempt by malicious code to read it causes process termination. This removes only the most convenient timer; code that can build a timer from another source, such as a counting thread, is not affected, which is why the heading says "simple case".
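The two mechanisms above, a default-deny syscall allowlist with a kill-or-log violation action and the cycle-counter ban, shown on the raw kernel interfaces rather than through the crate. This is an added example and not code from the foundations crate: the names build_allowlist_filter, evaluate, install_filter, forbid_tsc and signal_that_killed are this example's own, the filter is hand-built seccomp-bpf installed with prctl, and PR_SET_TSC is used directly as the kernel knob for forbidding RDTSC (the crate's own implementation is not claimed here). SECCOMP_RET_KILL_PROCESS and SECCOMP_RET_LOG play the role of a kill and an allow-and-log ViolationAction. It needs only std plus libc symbols declared through extern "C"; the fork/RDTSC demonstration in main assumes Linux on x86-64 and the x86-64 syscall numbers listed in the code.

```rust
// Added example: a default-deny seccomp-bpf allowlist and the PR_SET_TSC counter ban,
// done with raw kernel interfaces rather than the foundations crate. Only std plus libc
// symbols reached through extern "C"; Linux only, and the demo in main is x86-64 only.
use std::os::raw::{c_int, c_ulong};

// Classic-BPF opcodes and seccomp/prctl constants (<linux/filter.h>, <linux/seccomp.h>,
// <linux/audit.h>, <linux/prctl.h>).
const BPF_LD_W_ABS: u16 = 0x20; // BPF_LD | BPF_W | BPF_ABS
const BPF_JEQ_K: u16 = 0x15;    // BPF_JMP | BPF_JEQ | BPF_K
const BPF_RET_K: u16 = 0x06;    // BPF_RET | BPF_K
const SECCOMP_DATA_NR: u32 = 0;   // offsetof(struct seccomp_data, nr)
const SECCOMP_DATA_ARCH: u32 = 4; // offsetof(struct seccomp_data, arch)
pub const AUDIT_ARCH_X86_64: u32 = 0xC000_003E;
pub const AUDIT_ARCH_AARCH64: u32 = 0xC000_00B7;
pub const SECCOMP_RET_KILL_PROCESS: u32 = 0x8000_0000; // "kill" violation action
pub const SECCOMP_RET_LOG: u32 = 0x7FFC_0000;          // "allow and log" violation action
pub const SECCOMP_RET_ALLOW: u32 = 0x7FFF_0000;
const PR_SET_SECCOMP: c_int = 22;
const PR_SET_TSC: c_int = 26;
const PR_SET_NO_NEW_PRIVS: c_int = 38;
const SECCOMP_MODE_FILTER: c_ulong = 2;
const PR_TSC_SIGSEGV: c_ulong = 2;
const SIGSEGV: c_int = 11;
const SIGSYS: c_int = 31;
// x86-64 syscall numbers used by the demo (assumption: x86-64 ABI).
pub const SYS_GETPID_X86_64: u32 = 39;
pub const SYS_GETPPID_X86_64: u32 = 110;
pub const SYS_EXIT_GROUP_X86_64: u32 = 231;

#[repr(C)]
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct SockFilter { pub code: u16, pub jt: u8, pub jf: u8, pub k: u32 }

#[repr(C)]
struct SockFprog { len: u16, filter: *const SockFilter }

#[allow(dead_code)]
unsafe extern "C" {
    fn prctl(option: c_int, ...) -> c_int;
    fn fork() -> c_int;
    fn waitpid(pid: c_int, status: *mut c_int, options: c_int) -> c_int;
    fn _exit(status: c_int) -> !;
    fn getpid() -> c_int;
    fn getppid() -> c_int;
}

const fn insn(code: u16, jt: u8, jf: u8, k: u32) -> SockFilter { SockFilter { code, jt, jf, k } }

/// Default-deny filter: a syscall gets `on_violation` unless its number is in `allowed`.
/// A foreign architecture is always killed, because syscall numbers differ between ABIs.
pub fn build_allowlist_filter(arch: u32, allowed: &[u32], on_violation: u32) -> Vec<SockFilter> {
    let n = allowed.len();
    assert!(n <= 255, "jump offsets are u8; chain several filters for longer lists");
    let mut prog = vec![
        insn(BPF_LD_W_ABS, 0, 0, SECCOMP_DATA_ARCH),
        insn(BPF_JEQ_K, 1, 0, arch), // right arch: skip the kill below
        insn(BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS),
        insn(BPF_LD_W_ABS, 0, 0, SECCOMP_DATA_NR),
    ];
    for (i, nr) in allowed.iter().enumerate() {
        // Match: jump over the remaining tests and the violation return to RET ALLOW.
        prog.push(insn(BPF_JEQ_K, (n - i) as u8, 0, *nr));
    }
    prog.push(insn(BPF_RET_K, 0, 0, on_violation)); // no rule matched
    prog.push(insn(BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW));
    prog
}

/// Evaluate `prog` for one (arch, nr) the way the kernel would, so a filter can be
/// checked before it is installed. Returns the SECCOMP_RET_* value.
pub fn evaluate(prog: &[SockFilter], arch: u32, nr: u32) -> u32 {
    let (mut pc, mut acc) = (0usize, 0u32);
    loop {
        let i = prog[pc];
        pc += 1;
        match i.code {
            BPF_LD_W_ABS => acc = if i.k == SECCOMP_DATA_ARCH { arch } else { nr },
            BPF_JEQ_K => pc += if acc == i.k { i.jt as usize } else { i.jf as usize },
            BPF_RET_K => return i.k,
            other => panic!("opcode {:#x} is not emitted by build_allowlist_filter", other),
        }
    }
}

/// Install on the calling thread; threads and children created afterwards inherit it.
pub fn install_filter(prog: &[SockFilter]) -> std::io::Result<()> {
    let fprog = SockFprog { len: prog.len() as u16, filter: prog.as_ptr() };
    // SAFETY: plain prctl calls; `fprog` and `prog` outlive both of them.
    unsafe {
        if prctl(PR_SET_NO_NEW_PRIVS, 1 as c_ulong, 0 as c_ulong, 0 as c_ulong, 0 as c_ulong) != 0
            || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog as *const SockFprog, 0 as c_ulong, 0 as c_ulong) != 0
        {
            return Err(std::io::Error::last_os_error());
        }
    }
    Ok(())
}

/// x86-64 only: make RDTSC/RDTSCP fault with SIGSEGV in this process.
pub fn forbid_tsc() -> std::io::Result<()> {
    // SAFETY: prctl with integer arguments only.
    if unsafe { prctl(PR_SET_TSC, PR_TSC_SIGSEGV) } != 0 { return Err(std::io::Error::last_os_error()); }
    Ok(())
}

/// Run `body` in a forked child; return the signal that killed it (0 = exited normally).
#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
fn signal_that_killed(body: fn()) -> c_int {
    // SAFETY: the child only runs `body` then _exit; the parent only waits for it.
    unsafe {
        let pid = fork();
        if pid == 0 { body(); _exit(0); }
        let mut status: c_int = 0;
        if pid < 0 || waitpid(pid, &mut status, 0) < 0 { return -1; }
        match status & 0x7f { 0 | 0x7f => 0, sig => sig } // WIFSIGNALED / WTERMSIG
    }
}

#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
fn main() {
    // 1. Sandbox: only getpid and exit_group are allowed, so getppid is a violation -> SIGSYS.
    let sig = signal_that_killed(|| {
        let prog = build_allowlist_filter(AUDIT_ARCH_X86_64,
            &[SYS_GETPID_X86_64, SYS_EXIT_GROUP_X86_64], SECCOMP_RET_KILL_PROCESS);
        install_filter(&prog).expect("seccomp install failed");
        unsafe { getpid(); getppid(); } // getppid never returns
    });
    println!("sandboxed child killed by signal {} (SIGSYS = {})", sig, SIGSYS);
    // 2. Counter ban: the first RDTSC after PR_SET_TSC ends the process -> SIGSEGV.
    let sig = signal_that_killed(|| {
        forbid_tsc().expect("PR_SET_TSC failed");
        std::hint::black_box(unsafe { std::arch::x86_64::_rdtsc() });
    });
    println!("counter-reading child killed by signal {} (SIGSEGV = {})", sig, SIGSEGV);
}

#[cfg(not(all(target_os = "linux", target_arch = "x86_64")))]
fn main() { println!("the fork/RDTSC demo needs Linux on x86-64"); }
```

Two caveats a real filter must handle that this toy leaves out: on x86-64 a syscall number with bit 30 set selects the x32 ABI under the same AUDIT_ARCH_X86_64 value, so an allowlist that only compares numbers should also reject nr >= 0x40000000; and prctl(PR_SET_SECCOMP) covers the calling thread and threads it spawns later only, so threads that already exist need the seccomp(2) syscall with SECCOMP_FILTER_FLAG_TSYNC, which is another reason to install the filter first thing in main.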

Modules§

Macros§

Structs§

Enums§

Functions§

Type Aliases§