Re: security problem with seccomp-filter

From: Richard Weinberger
Date: Fri Mar 27 2015 - 02:40:05 EST

Next message: Viresh Kumar: "Re: [PATCH v2] cpufreq: powernv: Add checks to report cpu frequency throttling conditions"
Previous message: Raghavendra K T: "Re: [PATCH 0/9] qspinlock stuff -v15"
In reply to: Felix von Leitner: "security problem with seccomp-filter"
Next in thread: Kees Cook: "Re: security problem with seccomp-filter"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Cc'ing seccomp folks.

On Fri, Mar 27, 2015 at 6:56 AM, Felix von Leitner
<felix-linuxkernel@xxxxxxx> wrote:
> Hi,
>
> I have had some great success with seccomp-filter a while ago, so I
> decided to use it to add some defense in depth to a ping program I wrote.
>
> The premise is, like for all ping programs I assume, that it starts
> setuid root, gets a raw socket, drops privileges, parses the command
> line, potentially does a DNS lookup, and then it sends and receives
> packets, using gettimeofday and poll.
>
> So I added a seccomp filter that allows this. But where do you put it?
> Ideally you'd want the filter installed right away after dropping
> privileges, so the command line parsing and the DNS routines are
> secured, too. But then you'd allow unnecessary attack surface (why allow
> open after the DNS routines are done parsing /etc/resolv.conf, for
> example?).
>
> The documentation says you can add more than one seccomp filter, just
> call prctl multiple times and allow prctl initially.
>
> So that's what I did.
>
> But when I added the secondary filters (which would blacklist open and
> setsockopt), and for double checking tried installing the last one twice
> (after the last one was supposed to blacklist prctl), to my surprise
> my attempt did not lead to process termination but to a success return
> value.
>
> I think this is a serious security breach. Maybe I am the first one to
> attempt to install multiple seccomp filters in the same process?
> The observed behavior is consistent with only the first filter being
> consulted.
>
> I'm using stock kernel 3.19 for what it's worth.
>
> Thanks,
>
> Felix
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/

--
Thanks,
//richard
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Viresh Kumar: "Re: [PATCH v2] cpufreq: powernv: Add checks to report cpu frequency throttling conditions"
Previous message: Raghavendra K T: "Re: [PATCH 0/9] qspinlock stuff -v15"
In reply to: Felix von Leitner: "security problem with seccomp-filter"
Next in thread: Kees Cook: "Re: security problem with seccomp-filter"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]