How to seccomp a subprocess?

Question

I'd like to use execvp to create a subprocess and seccomp it (only give it read and write permission, without open). In order to achieve that, I must call seccomp functions before execvp (which also calls open), and thus I should give myself execvp and open permission. But this also means I give the child process opened by execvp such permissions. Is there a way to prevent subprocess to call open (e.g. load it to memory before I call seccomp)?

#include <iostream>
#include <vector>
#include <seccomp.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

using namespace std;

int main()
{
    cerr << "Starting..." << endl;

    scmp_filter_ctx ctx;
    ctx = seccomp_init(SCMP_ACT_KILL); // default action: kill

    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(gettid), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(tgkill), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);

    // Don't want to give these 3 to child process but execvp requires them
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(access), 0);

    seccomp_load(ctx);

    char * noargv[] = {NULL};

    execvp("./app", noargv);
}

score 3 · Accepted Answer · answered May 30 '17 at 05:24

You can only allow the specific path and flag

char *path = "./app";

// add extra rule for execve
if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(execve), 1, SCMP_A0(SCMP_CMP_NE, (scmp_datum_t)(path))) != 0) {
    return LOAD_SECCOMP_FAILED;
}
// do not allow "w" and "rw"
if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(open), 1, SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) != 0) {
    return LOAD_SECCOMP_FAILED;
}
if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(open), 1, SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) != 0) {
    return LOAD_SECCOMP_FAILED;
}

This is hopelessly insecure, you have blacklisted O_RDWR but not O_CLOEXEC | OR_RDWR. It also checks the value of the pointer, not the string. — Timothy Baldwin, Sep 10 '19 at 19:56

score 2 · Answer 2 · answered Sep 11 '19 at 20:28

2

You could require a secret random number be passed in the unused syscall arguments.

answered Sep 11 '19 at 20:28

Timothy Baldwin

3,551
1
14
23

Is this a common solution for this problem? – Marco Mar 02 '21 at 06:25

How to seccomp a subprocess?

2 Answers2