Date:	Fri, 27 Mar 2015 07:39:58 +0100
From:	Richard Weinberger <richard.weinberger@...il.com>
To:	LKML <linux-kernel@...r.kernel.org>
Cc:	Kees Cook <keescook@...omium.org>,
	Andy Lutomirski <luto@...capital.net>,
	Will Drewry <wad@...omium.org>
Subject: Re: security problem with seccomp-filter

Cc'ing seccomp folks.

On Fri, Mar 27, 2015 at 6:56 AM, Felix von Leitner
<felix-linuxkernel@...e.de> wrote:
> Hi,
>
> I have had some great success with seccomp-filter a while ago, so I
> decided to use it to add some defense in depth to a ping program I wrote.
>
> The premise is, like for all ping programs I assume, that it starts
> setuid root, gets a raw socket, drops privileges, parses the command
> line, potentially does a DNS lookup, and then it sends and receives
> packets, using gettimeofday and poll.
>
> So I added a seccomp filter that allows this. But where do you put it?
> Ideally you'd want the filter installed right away after dropping
> privileges, so the command line parsing and the DNS routines are
> secured, too. But then you'd allow unnecessary attack surface (why allow
> open after the DNS routines are done parsing /etc/resolv.conf, for
> example?).
>
> The documentation says you can add more than one seccomp filter, just
> call prctl multiple times and allow prctl initially.
>
> So that's what I did.
>
> But when I added the secondary filters (which would blacklist open and
> setsockopt), and for double checking tried installing the last one twice
> (after the last one was supposed to blacklist prctl), to my surprise
> my attempt did not lead to process termination but to a success return
> value.
>
> I think this is a serious security breach. Maybe I am the first one to
> attempt to install multiple seccomp filters in the same process?
> The observed behavior is consistent with only the first filter being
> consulted.
>
> I'm using stock kernel 3.19 for what it's worth.
>
> Thanks,
>
> Felix



-- 
Thanks,
//richard
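
The double-install check described in the quoted message, written as a self-test (an added example, not code from this thread). The kernel's seccomp filter documentation states that every attached filter is evaluated and the highest-precedence result is used, so both denials below should hold. Assumptions: Linux with seccomp filter support, SECCOMP_RET_ERRNO in place of a kill action so the outcome can be reported, and hypothetical function names.

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* EPERM instead of SECCOMP_RET_KILL so the child survives to report the result. */
#define DENY (SECCOMP_RET_ERRNO | EPERM)

/* Stack one more filter: syscall `nr` is denied, everything else is allowed.
 * A production filter must also validate seccomp_data.arch (omitted here). */
static int deny_syscall(int nr)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, DENY),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog, 0UL, 0UL);
}

/* Runs in the child. 0 = both filters enforced; other values name the failing step. */
static int child(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1UL, 0UL, 0UL, 0UL)) return 10;
    if (deny_syscall(__NR_setsockopt)) return 11; /* filter 1: prctl still allowed */
    if (deny_syscall(__NR_prctl)) return 12;      /* filter 2: no further prctl */
    if (deny_syscall(__NR_prctl) == 0 || errno != EPERM) return 1; /* third install got through */
    if (syscall(__NR_setsockopt, -1, 0, 0, NULL, 0) != -1 || errno != EPERM) return 2; /* filter 1 lost */
    return 0;
}

/* Fork so the filters, which cannot be removed, stay confined to a throwaway child. */
int check_stacked_filters(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(child());
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) { return check_stacked_filters(); }
```

An exit status of 1 means the install attempted after prctl was denied still succeeded; 2 means the earlier setsockopt denial stopped applying once the second filter was stacked.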
