Re: security problem with seccomp-filter
From: Richard Weinberger
Date: Fri Mar 27 2015 - 02:40:05 EST

Cc'ing seccomp folks.

On Fri, Mar 27, 2015 at 6:56 AM, Felix von Leitner
<felix-linuxkernel@xxxxxxx> wrote:
> Hi,
>
> I have had some great success with seccomp-filter a while ago, so I
> decided to use it to add some defense in depth to a ping program I wrote.
>
> The premise is, like for all ping programs I assume, that it starts
> setuid root, gets a raw socket, drops privileges, parses the command
> line, potentially does a DNS lookup, and then it sends and receives
> packets, using gettimeofday and poll.
>
> So I added a seccomp filter that allows this. But where do you put it?
> Ideally you'd want the filter installed right away after dropping
> privileges, so the command line parsing and the DNS routines are
> secured, too. But then you'd allow unnecessary attack surface (why allow
> open after the DNS routines are done parsing /etc/resolv.conf, for
> example?).
>
> The documentation says you can add more than one seccomp filter, just
> call prctl multiple times and allow prctl initially.
>
> So that's what I did.
>
> But when I added the secondary filters (which would blacklist open and
> setsockopt), and for double checking tried installing the last one twice
> (after the last one was supposed to blacklist prctl), to my surprise
> my attempt did not lead to process termination but to a success return
> value.
>
> I think this is a serious security breach. Maybe I am the first one to
> attempt to install multiple seccomp filters in the same process?
> The observed behavior is consistent with only the first filter being
> consulted.
>
> I'm using stock kernel 3.19 for what it's worth.
>
> Thanks,
>
> Felix
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
--
Thanks,
//richard
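
Added example, not part of the original messages or of Felix's ping program: a minimal C check of the procedure described above (install a filter that still allows prctl, stack a second one that denies prctl, then attempt a third install). The kernel's seccomp filter documentation states that every installed filter is evaluated and the most restrictive result is used, so the third install is expected to fail. Assumptions: SECCOMP_RET_ERRNO replaces a kill action so the outcome can be reported, and getppid/getpid are stand-ins for the syscalls a real filter would restrict.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Add one filter: syscall `nr` fails with EPERM, everything else is allowed.
 * Demo only: a production filter must also validate seccomp_data.arch. */
static int deny_syscall(unsigned int nr)
{
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = 4, .filter = insns };
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* 0: both stacked filters enforced, 1: one was ignored, 2: seccomp unavailable.
 * Runs in a forked child because installed filters can never be removed. */
int check_stacked_filters(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return 2;
    if (pid == 0) {
        /* Without CAP_SYS_ADMIN, no_new_privs must be set before adding filters. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) _exit(2);
        if (deny_syscall(SYS_getppid) != 0) _exit(2); /* filter 1: prctl still allowed */
        if (deny_syscall(SYS_prctl) != 0) _exit(2);   /* filter 2: no more prctl */
        errno = 0;                                    /* third install must now fail */
        int second_enforced = deny_syscall(SYS_getpid) == -1 && errno == EPERM;
        errno = 0;                                    /* filter 1 must still apply */
        int first_enforced = syscall(SYS_getppid) == -1 && errno == EPERM;
        _exit(first_enforced && second_enforced ? 0 : 1);
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return 2;
    return WEXITSTATUS(status);
}

int main(void) { return check_stacked_filters(); }
```

The process exit status is the result code; a value of 1 would match the behavior reported in the quoted message, where only the first filter appears to be consulted.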