All of lore.kernel.org
 help / color / mirror / Atom feed
From: Felix von Leitner <felix-linuxkernel@fefe.de>
To: linux-kernel@vger.kernel.org
Subject: security problem with seccomp-filter
Date: Fri, 27 Mar 2015 06:56:17 +0100	[thread overview]
Message-ID: <20150327055617.GA30266@qarx.de> (raw)

Hi,

I have had some great success with seccomp-filter a while ago, so I
decided to use it to add some defense in depth to a ping program I wrote.

The premise is, like for all ping programs I assume, that it starts
setuid root, gets a raw socket, drops privileges, parses the command
line, potentially does a DNS lookup, and then it sends and receives
packets, using gettimeofday and poll.

So I added a seccomp filter that allows this. But where do you put it?
Ideally you'd want the filter installed right away after dropping
privileges, so the command line parsing and the DNS routines are
secured, too. But then you'd allow unnecessary attack surface (why allow
open after the DNS routines are done parsing /etc/resolv.conf, for
example?).

The documentation says you can add more than one seccomp filter, just
call prctl multiple times and allow prctl initially.

So that's what I did.

But when I added the secondary filters (which would blacklist open and
setsockopt), and for double checking tried installing the last one twice
(after the last one was supposed to blacklist prctl), to my surprise
my attempt did not lead to process termination but to a success return
value.

I think this is a serious security breach. Maybe I am the first one to
attempt to install multiple seccomp filters in the same process?
The observed behavior is consistent with only the first filter being
consulted.

I'm using stock kernel 3.19 for what it's worth.

Thanks,

Felix

             reply	other threads:[~2015-03-27  6:03 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-03-27  5:56 Felix von Leitner [this message]
2015-03-27  6:39 ` security problem with seccomp-filter Richard Weinberger
2015-03-28 13:03   ` Kees Cook
2015-04-12 21:33     ` Felix von Leitner
2015-04-13 17:30       ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150327055617.GA30266@qarx.de \
    --to=felix-linuxkernel@fefe.de \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.