From: Richard Weinberger
To: LKML
Cc: Kees Cook, Andy Lutomirski, Will Drewry
Subject: Re: security problem with seccomp-filter
Date: Fri, 27 Mar 2015 07:39:58 +0100
In-Reply-To: <20150327055617.GA30266@qarx.de>
References: <20150327055617.GA30266@qarx.de>
X-Mailing-List: linux-kernel@vger.kernel.org

Cc'ing seccomp folks.

On Fri, Mar 27, 2015 at 6:56 AM, Felix von Leitner wrote:
> Hi,
>
> I have had some great success with seccomp-filter a while ago, so I
> decided to use it to add some defense in depth to a ping program I wrote.
>
> The premise is, like for all ping programs I assume, that it starts
> setuid root, gets a raw socket, drops privileges, parses the command
> line, potentially does a DNS lookup, and then it sends and receives
> packets, using gettimeofday and poll.
>
> So I added a seccomp filter that allows this. But where do you put it?
> Ideally you'd want the filter installed right away after dropping
> privileges, so the command line parsing and the DNS routines are
> secured, too. But then you'd allow unnecessary attack surface (why allow
> open after the DNS routines are done parsing /etc/resolv.conf, for
> example?).
>
> The documentation says you can add more than one seccomp filter, just
> call prctl multiple times and allow prctl initially.
>
> So that's what I did.
>
> But when I added the secondary filters (which would blacklist open and
> setsockopt), and for double checking tried installing the last one twice
> (after the last one was supposed to blacklist prctl), to my surprise
> my attempt did not lead to process termination but to a success return
> value.
>
> I think this is a serious security breach. Maybe I am the first one to
> attempt to install multiple seccomp filters in the same process?
> The observed behavior is consistent with only the first filter being
> consulted.
>
> I'm using stock kernel 3.19 for what it's worth.
>
> Thanks,
>
> Felix

-- 
Thanks,
//richard
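Added example, not part of the thread above: a C program that stacks seccomp-bpf filters the way Felix describes (one prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER) call per filter, with prctl left allowed until the last filter closes it) and then performs his double check in-process. It uses SECCOMP_RET_ERRNO with EPERM instead of SECCOMP_RET_KILL so the outcome is visible as a return value rather than as process termination; the function names, result codes and the ARCH_NR macro are mine, not anything from the thread or the kernel sources. On a kernel where stacking works, the third installation fails with EPERM and the first filter's deny stays in force.

```c
/* Stack several seccomp-bpf filters via prctl() and check that a later
 * filter is really enforced. Linux only; needs CONFIG_SECCOMP_FILTER. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Pin the ABI at compile time; the filter kills anything else. */
#if defined(__x86_64__)
#  define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define ARCH_NR AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Results of verify_filter_stacking() (hypothetical names, defined here). */
enum {
    STACK_OK = 0,           /* every installed filter is consulted */
    STACK_NOT_ENFORCED = 1, /* a later filter's deny was ignored: the reported symptom */
    STACK_UNAVAILABLE = 2,  /* this kernel/sandbox refuses filter installation */
};

/* Install one filter: syscall `nr` fails with EPERM, everything else is
 * allowed, a foreign-ABI syscall kills the task. Returns 0 or -errno. */
static int deny_syscall(int nr)
{
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(insns) / sizeof(insns[0])),
        .filter = insns,
    };

    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

/* setsockopt() on an invalid fd reports EBADF when it reaches the kernel,
 * but EPERM once a filter rejects it: seccomp runs before the fd lookup. */
static int setsockopt_errno(void)
{
    int one = 1;
    errno = 0;
    if (setsockopt(-1, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) == 0)
        return 0;
    return errno;
}

int verify_filter_stacking(void)
{
    /* Unprivileged filter installation requires no_new_privs. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return STACK_UNAVAILABLE;

    /* Filter 1: the "blacklist setsockopt" stage of the ping program. */
    if (deny_syscall(__NR_setsockopt) != 0)
        return STACK_UNAVAILABLE;
    if (setsockopt_errno() != EPERM)
        return STACK_NOT_ENFORCED;

    /* Filter 2: close off prctl so no further filters can be added. */
    if (deny_syscall(__NR_prctl) != 0)
        return STACK_UNAVAILABLE;

    /* The double check from the report: a third installation must now be
     * refused by filter 2. A return of 0 would mean filter 2 is not consulted. */
    if (deny_syscall(__NR_prctl) != -EPERM)
        return STACK_NOT_ENFORCED;

    /* Filters accumulate: the older filter 1 must still block setsockopt. */
    if (setsockopt_errno() != EPERM)
        return STACK_NOT_ENFORCED;

    return STACK_OK;
}

int main(void)
{
    static const char *const text[] = {
        "ok: all stacked filters are enforced",
        "BUG: a later filter was not enforced",
        "seccomp filters cannot be installed here",
    };
    int r = verify_filter_stacking();
    puts(text[r]);
    return r;
}
```

Once a filter blocks prctl, nothing in the process can add, remove or inspect filters, so run the check in a throwaway process. All installed filters are evaluated on every syscall and the most restrictive verdict wins, which is why the first filter's EPERM for setsockopt is expected to survive the later installations.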