Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use seccomp instead of setsid() to workaround CVE-2017-5226 #150

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions .redhat-ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ packages:
- redhat-rpm-config
- libcap-devel
- pkgconfig(libselinux)
- pkgconfig(libseccomp)
- libxslt
- docbook-style-xsl

Expand Down Expand Up @@ -48,6 +49,7 @@ packages:
- redhat-rpm-config
- libcap-devel
- pkgconfig(libselinux)
- pkgconfig(libseccomp)
- libxslt
- docbook-style-xsl
- clang
Expand Down
3 changes: 1 addition & 2 deletions Makefile-bwrap.am
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@

bwrap_SOURCES = \
$(bwrap_srcpath)/bubblewrap.c \
$(bwrap_srcpath)/bind-mount.h \
Expand All @@ -10,4 +9,4 @@ bwrap_SOURCES = \
$(NULL)

bwrap_CFLAGS = $(AM_CFLAGS)
bwrap_LDADD = $(SELINUX_LIBS)
bwrap_LDADD = $(LIBSECCOMP_LIBS) $(SELINUX_LIBS)
3 changes: 3 additions & 0 deletions Makefile.am
Original file line number Diff line number Diff line change
@@ -1,6 +1,9 @@
AM_CFLAGS = $(WARN_CFLAGS)
CLEANFILES =
MAINTAINERCLEANFILES =
EXTRA_DIST =
BUILT_SOURCES =
noinst_PROGRAMS =

GITIGNOREFILES = build-aux/ gtk-doc.make config.h.in aclocal.m4

Expand Down
47 changes: 47 additions & 0 deletions bubblewrap.c
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,10 @@
#include <linux/seccomp.h>
#include <linux/filter.h>

#ifndef DISABLE_SECCOMP
#include <seccomp.h>
#endif

#include "utils.h"
#include "network.h"
#include "bind-mount.h"
Expand Down Expand Up @@ -2027,6 +2031,43 @@ main (int argc,
close (opt_block_fd);
}

#ifndef DISABLE_SECCOMP
{
scmp_filter_ctx ctx = NULL;
uint32_t extra_arches[][2] = {
{SCMP_ARCH_X86_64, SCMP_ARCH_X86},
#ifdef SCMP_ARCH_AARCH64
{SCMP_ARCH_AARCH64, SCMP_ARCH_ARM},
#endif
{0}
};
int i;

ctx = seccomp_init (SCMP_ACT_ALLOW);
if (!ctx)
die ("Initialize seccomp failed\n");

for (i = 0; extra_arches[i][0] != 0; i++)
{
if (seccomp_arch_native () == extra_arches[i][0])
{
int res = seccomp_arch_add (ctx, extra_arches[i][1]);
if (res < 0)
die ("Error adding extra arch\n");
}
}

if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(ioctl), 1,
SCMP_A1(SCMP_CMP_EQ, (int)TIOCSTI)) < 0)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would need SCMP_CMP_MASKED_EQ rather than SCMP_CMP_EQ to not re-introduce CVE-2019-10063. Sending TIOCSTI + 0x100000000 (eight zeros) can be used for a test.

die ("Failed to add TIOCSTI rule\n");

if (seccomp_load (ctx) != 0)
die ("Unable to load seccomp rules");

seccomp_release (ctx);
}
#endif

if (opt_seccomp_fd != -1)
{
cleanup_free char *seccomp_data = NULL;
Expand Down Expand Up @@ -2121,8 +2162,14 @@ main (int argc,
/* We want sigchild in the child */
unblock_sigchild ();

#ifdef DISABLE_SECCOMP
/* If we don'y have seccomp, then we need to setsid to protect against CVE-2017-5226
* See e.g. https://github.com/projectatomic/bubblewrap/pull/143
* This workaround is pretty bad though, as it breaks shell job control.
*/
if (setsid () == (pid_t) -1)
die_with_error ("setsid");
#endif

if (label_exec (opt_exec_label) == -1)
die_with_error ("label_exec %s", argv[0]);
Expand Down
14 changes: 14 additions & 0 deletions configure.ac
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,19 @@ else
BASH_COMPLETION_DIR="$with_bash_completion_dir"
fi

AC_ARG_ENABLE([seccomp-tty-fix],
AC_HELP_STRING([--disable-seccomp-tty-fix],
[Disable libseccomp-based TIOCSTI ioctl workaround (not recommended)]),
[enable_seccomp_tty_fix=no],
[enable_seccomp_tty_fix=yes])

if test "x$enable_seccomp_tty_fix" = "xno"; then
AC_DEFINE([DISABLE_SECCOMP], [1],
[Define if not using seccomp])
else
PKG_CHECK_MODULES(LIBSECCOMP, [libseccomp])
fi

AC_SUBST([BASH_COMPLETION_DIR])
AM_CONDITIONAL([ENABLE_BASH_COMPLETION],[test "x$with_bash_completion_dir" != "xno"])
# ------------------------------------------------------------------------------
Expand Down Expand Up @@ -111,6 +124,7 @@ echo "

man pages (xsltproc): $enable_man
SELinux: $have_selinux
Seccomp tty fix: $enable_seccomp_tty_fix
setuid mode on make install: $with_priv_mode
mysteriously satisfying to pop: yes"
echo ""