From: Felix von Leitner
To: linux-kernel@vger.kernel.org
Subject: security problem with seccomp-filter
Date: Fri, 27 Mar 2015 06:56:17 +0100
Message-ID: <20150327055617.GA30266@qarx.de>

Hi,

I have had some great success with seccomp-filter a while ago, so I decided to use it to add some defense in depth to a ping program I wrote.

The premise is, like for all ping programs I assume, that it starts setuid root, gets a raw socket, drops privileges, parses the command line, potentially does a DNS lookup, and then sends and receives packets, using gettimeofday and poll. So I added a seccomp filter that allows this.

But where do you put it? Ideally you'd want the filter installed right away after dropping privileges, so the command line parsing and the DNS routines are secured, too. But then you'd allow unnecessary attack surface (why allow open after the DNS routines are done parsing /etc/resolv.conf, for example?).

The documentation says you can add more than one seccomp filter: just call prctl multiple times and allow prctl initially. So that's what I did.
But when I added the secondary filters (which would blacklist open and setsockopt), and for double checking tried installing the last one twice (after the last one was supposed to blacklist prctl), to my surprise the attempt did not lead to process termination but to a success return value.

I think this is a serious security breach. Maybe I am the first one to attempt to install multiple seccomp filters in the same process? The observed behavior is consistent with only the first filter being consulted.

I'm using stock kernel 3.19 for what it's worth.

Thanks,
Felix
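The following is an added test program, not code from Felix's mail or from his ping program. It reproduces the stacking setup the mail describes through the same prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...) path: filter 1 allows every syscall (including prctl), filter 2 blacklists prctl, and then a third install is attempted. Per seccomp(2), filters installed this way form a chain in which every filter is run and the most restrictive return value wins, so on a kernel with filter support (3.5 and later) the third prctl must be refused by filter 2. The deny filter returns SECCOMP_RET_ERRNO(EPERM) rather than SECCOMP_RET_KILL so the result is a visible return value instead of a dead process, and the experiment runs in a forked child so the caller stays unfiltered. Assumptions: an x86_64, i386 or aarch64 host (the ARCH_NR macro picks the matching AUDIT_ARCH_* value) and a kernel that permits unprivileged filter installation after PR_SET_NO_NEW_PRIVS.

```c
/* Added example, not part of the original mail or the ping program it
 * discusses. Installs two stacked seccomp-bpf filters via prctl(2) and
 * checks whether the second one is consulted by a third install attempt. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: one of these architectures; the arch check in filter 1 needs
 * the matching AUDIT_ARCH_* constant. */
#if defined(__x86_64__)
#  define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__i386__)
#  define ARCH_NR AUDIT_ARCH_I386
#elif defined(__aarch64__)
#  define ARCH_NR AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Install one BPF program via the prctl(2) path used in the mail. */
static int install_filter(struct sock_filter *insns, unsigned short len)
{
    struct sock_fprog prog = { .len = len, .filter = insns };
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
}

/* Filter 1, the permissive one installed right after dropping privileges:
 * kill on a foreign architecture, otherwise allow every syscall
 * (including prctl, so that later filters can still be added). */
static int install_allow_all(void)
{
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    return install_filter(f, sizeof f / sizeof f[0]);
}

/* Filter 2, the "blacklist prctl" filter: fail prctl with EPERM instead of
 * killing, so the outcome shows up as a return value we can inspect. */
static int install_deny_prctl(void)
{
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_prctl, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    return install_filter(f, sizeof f / sizeof f[0]);
}

/* Runs the experiment in a forked child so the caller stays unfiltered.
 * Returns 1 if the second filter is consulted (the third prctl fails with
 * EPERM), 0 if the third prctl succeeds (only the first filter in effect),
 * -1 if seccomp filter mode could not be set up in this environment. */
int check_filter_stacking(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Required for an unprivileged process to install a filter. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
            _exit(3);
        if (install_allow_all() != 0)
            _exit(3);
        if (install_deny_prctl() != 0)
            _exit(3);
        /* Third install: filter 2 should now turn this prctl into EPERM. */
        if (install_deny_prctl() == 0)
            _exit(0);
        _exit(errno == EPERM ? 1 : 3);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case 0:  return 0;
    case 1:  return 1;
    default: return -1;
    }
}

int main(void)
{
    switch (check_filter_stacking()) {
    case 1:  puts("second filter enforced: third prctl failed with EPERM"); return 0;
    case 0:  puts("third prctl succeeded: only the first filter was consulted"); return 1;
    default: puts("seccomp filter mode not usable in this environment"); return 2;
    }
}
```

A return of 0 from check_filter_stacking() is the behaviour the mail reports; a return of 1 is what the documented chaining semantics require. When a real program's last filter uses SECCOMP_RET_KILL instead of SECCOMP_RET_ERRNO, the same check needs the parent to look at WIFSIGNALED and SIGSYS rather than at an exit code.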