Cloud Native Sandboxing with seccomp and AppArmor

Adoptium Summit 2025

Kenji Kazumura

October 01, 2025

Transcript

  1. Cloud Native Sandboxing with seccomp and AppArmor

    Adoptium Summit 2025, 2025/10/01
    Kenji Kazumura (@kkzr)
    © 2025 Fujitsu Limited
  2. Who Am I

    Member of Jakarta EE Specification Committee
    Member of JCP Executive Committee
    Board of Director of Eclipse Foundation
    Member of Adoptium Steering Committee
  3. Software Supply Chain Security

    Stages: Coding ➔ Build ➔ Package ➔ Deploy
    Threats shown: use bad package, upload modified package, compromise registry
  4. Adoptium Efforts

    Stages: Coding ➔ Build ➔ Package ➔ Deploy
    Trusted JDK (OpenJDK):
      ・Reproducible build
      ・SBOM
      ・Digital Signing
      ・・・・
    Temurin project has achieved SLSA Level 3
  5. Is It Sufficient?

    Stack shown: Java Application on JDK (Trusted) on OS
    You can focus on your application.
  6. Supply Chain in Real World

    Stack shown: Java Application on JDK (Trusted) on OS
    The application pulls in many dependencies, each marked UnTrusted
    JNI/FFM: marked Danger
  7. How To Manage Dependencies

    Plan A (Practically Impossible):
      Fork all dependent third-party libraries.
      Understand the behavior of all those libraries.
    Plan B (Sandbox):
      Give up fully understanding the behavior of third-party libraries.
      Instead, limit the behavior of libraries to those that are safe.
  8. Java and Sandbox

    Java inherently possesses sandbox functionality as a countermeasure against untrusted code (Applet): restricting what code can do.
    Over the years: on the server side, trusted code is typically running.
    The danger on the server side lies not in untrusted code, but in malicious data sent to exploit vulnerabilities in trusted code.
  9. Use of Security Manager in OSS

    https://www.cs.cmu.edu/~clegoues/docs/coker15acsac.pdf
    Used not only in Applets but also on the server side
  10. OSS is NOT Trustworthy

    xz-utils case
    https://x.com/Cryolite/status/1774300154566455736
    https://xkcd.com/2347/
    OSS is open and transparent. It does not mean OSS is trustworthy.
  11. Sandbox Classification

    Sandbox
      Shallow Sandbox
      Deep Sandbox
        Simple Deep Sandbox
        Path-Dependent Deep Sandbox
        Thread-Dependent Deep Sandbox
  12. Shallow / Deep Sandbox

    Call stack of code running in the sandbox: main ➔ foo ➔ read
    Shallow Sandbox: prohibits calling 'foo'
    Deep Sandbox: prohibits calling 'read'
  13. Path-Dependent Deep Sandbox

    Code running in the sandbox: main calls foo and bar, and each of them calls read
    Allow calling read via foo
    Disallow calling read via bar
  14. Path-Dependent Deep Sandbox Problems

    Performance overhead
    Difficulty of tracking security context
      Thread Pool
      Virtual Thread
    Complexity of configuration
  15. Java Policy File example

    https://docs.oracle.com/javase/jp/21/security/permissions-jdk1.html

        grant signedBy "sysadmin", codeBase "file:/home/sysadmin/*" {
            permission java.security.SecurityPermission "Security.insertProvider.*";
            permission java.security.SecurityPermission "Security.removeProvider.*";
            permission java.security.SecurityPermission "Security.setProperty.*";
        };
        grant principal javax.security.auth.x500.X500Principal "cn=Alice" {
            permission java.io.FilePermission "/home/Alice", "read, write";
        };

    Callouts on the example: who to permit, what to permit, on what to permit
    The more features, the more complex the configuration
  16. Path-Dependent Deep Sandbox configuration

    Can configure who, what, and on what to permit
    But the configuration is too complex
    Complexity is a source of vulnerability
    At first glance, improving security ➔ lower security
  17. Sandbox Configuration in General

    Who: which code?
    What: which operation?
    on What: which resource?
    Example: trusted.jar (who) can read (what) /etc/passwd (on what)
    Not always can all three parameters be specified
  18. Container (Linux) Guards

    Guards around a container process: namespace, capability, cgroup, AppArmor, seccomp (Kernel)
    Today's target: AppArmor and seccomp
  19. Sandboxes used in Cloud Native

    seccomp (Secure Computing Mode)
      provided by the Linux kernel
      controls system calls
    AppArmor
      provided by the Linux kernel
      controls resources
    Docker/Kubernetes provide sandboxes using seccomp and/or AppArmor
  20. seccomp filtering

    Diagram: a process in user space issues read() and write(). seccomp in kernel space either allows the call, which reaches the file and returns a response, or disallows it, which returns an error to the process.
  21. seccomp

    Runs in the kernel
    Specify system calls to allow or disallow
    Available with Docker/Kubernetes
    Note: System calls can be filtered by their parameter values, but only values passed by value are effective. A string, such as a file name, can't be used for filtering.
      'open("foo.txt", O_RDWR)' actually passes a pointer ➔ 'open(0x1234, 2)'
  22. Typical actions available in seccomp

    SCMP_ACT_KILL_PROCESS: terminate the process with SIGSYS
    SCMP_ACT_ERRNO: the system call returns an error
    SCMP_ACT_LOG: calls are logged (can be used when creating a whitelist)
    SCMP_ACT_ALLOW: no effect
    ・・・
    https://man7.org/linux/man-pages/man3/seccomp_init.3.html
  23. seccomp usage with docker

    Configuration file example (write-error.json):

        {
          "defaultAction": "SCMP_ACT_ALLOW",
          "archMap": [
            { "architecture": "SCMP_ARCH_X86_64" }
          ],
          "syscalls": [
            { "names": [ "write" ], "action": "SCMP_ACT_ERRNO" }
          ]
        }

    docker command example:

        $ docker run --security-opt seccomp=write-error.json image
  24. AppArmor

    Runs in the kernel
    Specify resources to allow or disallow:
      mount
      devices
      files / directories
      signals
      sockets
    List of resources must be registered as a profile before using AppArmor
    Available with Docker/Kubernetes
  25. AppArmor Mechanism

    Diagram: profiles (profile A, profile B) are registered with apparmor_parser (profile registration). A process in user space issues read("foo") and read("bar"); AppArmor in kernel space checks each call against the profile, and the process gets either the result from the file (foo, bar) or ERROR.
  26. AppArmor running mode

    enforce mode: Apply the specified profile.
    complain mode: No constraint. Only logging. Whitelist can be created from logs.
  27. AppArmor usage with docker

    Configuration file example (my-profile):

        #include <tunables/global>

        profile my-profile {
          #include <abstractions/base>

          # disallow writing to /tmp/specific-dir
          deny /tmp/specific-dir/ rw,
        }

    docker command example:

        $ docker run --security-opt apparmor=my-profile image
  28. seccomp notify

    seccomp notifies a filter program running in user space when system calls happen.
    The filter program decides whether to allow or disallow the call.
    Parameter values passed by reference can also be checked.
    But you need to create your own filter program.
  29. seccomp notify flow (digest)

    Diagram: Process and Filter Program in user space, seccomp and system call execution in kernel space.
      1. call system call
      2. notify to Filter Program
      3. return filter result: OK or NG
      4. if OK, really invoke system call
      5. return result of system call
  30. Mechanism to notify parameters

    Diagram (steps 1 to 6) with the elements Process, seccomp, Memory, UNIX Socket, Notification FD and Filter Program:
      Process calls open(0x1234, O_RDWR); memory at 0x1234 holds "/tmp/abc"
      UNIX Socket: information of Notification FD
      Notification FD: PID, system call type (open), parameter (0x1234), and so on
      Filter Program: read memory (0x1234) ➔ "/tmp/abc"
      Filter Program: result of judgement
  31. Filter Program written in Java

    Because seccomp is a low-level I/F, the Filter Program needs to be written in C.
    Java recently enables system programming by using FFM.

    C program:

        #include <sys/socket.h>
        ...
        struct msghdr msg = {0};
        msg.msg_iov = &io;
        if (recvmsg(socfd, &msg, 0) < 0)
            printf("Failed to receive message\n");

    Pure Java program:

        private static final MemoryLayout MSGHDR_LAYOUT = MemoryLayout.structLayout(
            ValueLayout.ADDRESS.withName("msg_name"),
            ValueLayout.JAVA_INT.withName("msg_namelen"),
            MemoryLayout.paddingLayout(4),
            ValueLayout.ADDRESS.withName("msg_iov"),
            ...
        MemorySegment msg = Arena.global().allocate(MSGHDR_LAYOUT);
        msg.fill((byte)0);
        msg.set(ADDRESS, MSGHDR_LAYOUT.byteOffset(PathElement.groupElement("msg_iov")), io);
        if ( recvmsgHandle.invokeExact(sockfd, msg, 0) < 0) {
            throw new Exception("Failed to receive message");
        }

    https://gist.github.com/kazumura/aae857e754cfbc30283aa688d52f1ac7
  32. Sandbox Comparison

    [Comparison table. Rows: Java SM, seccomp, AppArmor, seccomp notify. Columns: filtering (who, what, on what), container synergy, configuration complexity, difficulty, Java oriented. Cell values shown include: can, can't, up to you, yes, no.]
  33. Wrap Up

    Securing the software supply chain is a critical theme in modern software development.
    Securing only the JDK is insufficient.
    Adoptium technologies contribute to securing not only Temurin but also vendors' JDKs.
    A sandbox can be seen as a way to secure the complex Java ecosystem.
    Give It A Try!
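
The pass-by-value limit from slide 21, as an added C example that is not from the deck or the linked gist: a raw seccomp-BPF filter returns EPERM for openat() when the flags argument asks for write access, which it can test because that register holds an integer, while the path register holds only an address. The helper name open_errno_under_filter and the /dev/null path are assumptions; Linux on x86_64 or aarch64 is assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#if defined(__x86_64__)
#define ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH AUDIT_ARCH_AARCH64
#endif

/* Added example. openat(dirfd, path, flags): path (args[1]) is an address the
 * filter cannot dereference; flags (args[2]) is an integer it can compare. */
static struct sock_filter prog[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH, 1, 0),         /* expected ABI? */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),     /* no: kill */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 4),  /* other calls: allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
    BPF_STMT(BPF_ALU | BPF_AND | BPF_K, O_ACCMODE),          /* keep access-mode bits */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, O_RDONLY, 1, 0),     /* read-only: allow */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),    /* write access: EPERM */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Hypothetical helper: run one openat() in a filtered child process and
 * return the errno it saw (0 = success, 255 = filter install failed). */
int open_errno_under_filter(const char *path, int flags) {
    pid_t pid = fork();
    if (pid == 0) {
        struct sock_fprog fp = { sizeof prog / sizeof prog[0], prog };
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp))
            _exit(255);
        long fd = syscall(__NR_openat, AT_FDCWD, path, flags);
        _exit(fd < 0 ? errno : 0);
    }
    int st = 0;
    if (pid < 0 || waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

int main(void) { return open_errno_under_filter("/dev/null", O_RDWR) == EPERM ? 0 : 1; }
```

The verdict depends only on the flags value and is the same for every path, so a rule such as "deny writes to foo.txt only" needs AppArmor or seccomp notify, as the later slides describe.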