security problem with seccomp-filter

[Felix von Leitner]

Hi,

I have had some great success with seccomp-filter a while ago, so I
decided to use it to add some defense in depth to a ping program I wrote.

The premise is, like for all ping programs I assume, that it starts
setuid root, gets a raw socket, drops privileges, parses the command
line, potentially does a DNS lookup, and then it sends and receives
packets, using gettimeofday and poll.

So I added a seccomp filter that allows this. But where do you put it?
Ideally you'd want the filter installed right away after dropping
privileges, so the command line parsing and the DNS routines are
secured, too. But then you'd allow unnecessary attack surface (why allow
open after the DNS routines are done parsing /etc/resolv.conf, for
example?).

The documentation says you can add more than one seccomp filter, just
call prctl multiple times and allow prctl initially.

So that's what I did.

But when I added the secondary filters (which would blacklist open and
setsockopt), and for double checking tried installing the last one twice
(after the last one was supposed to blacklist prctl), to my surprise
my attempt did not lead to process termination but to a success return
value.

I think this is a serious security breach. Maybe I am the first one to
attempt to install multiple seccomp filters in the same process?
The observed behavior is consistent with only the first filter being
consulted.

I'm using stock kernel 3.19 for what it's worth.

Thanks,

Felix
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/