Sandboxing: How important is seccomp?
Hal Murray
hmurray at megapathdsl.net
Tue Jul 12 00:37:07 UTC 2016
[For those not familiar with it, seccomp gives the kernel a list of syscalls
that the program is allowed to use. All others becomes illegal. So if a bad
guy finds a stack overflow there is (hopefully) a good chance that any code
he tries to run will crash.]
I've got it working on Intel. It doesn't work on ARM. More below.
This is likely to have a long tail of cases that I can't test. There is an
interesting tangle of which syscalls are used by various combinations of 32
vs 64 bit and the age of libc and kernels. I've been adding things to the
list as I discover them. There are probably obscure combinations used by
distros that I can't test and/or refclocks that I can't test may use strange
calls.
There is also the chance that things will change out from under us. For
example, getrandom was added to the 3:17 kernel. So if you updated your
kernel and glibc our ntpd would crash until we updated it or you disabled it
at runtime.
Assuming the environment supports them...
Should we set things up so so that droproot and seccomp are required at build
time unless you explicitly disable them? That just requires installing the
required packages.
Should we set things up so that droproot is required at runtime?
I assume we add options to disable any runtime checks.
(Can we use -u root:root to say no-thanks?)
Both work on Linux. NetBSD supports droproot.
---------
On ARM, it dies before it gets to our code.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/arm-linux-gnueabihf/libthread_db.so.1".
Cannot access memory at address 0x0
Program received signal SIGILL, Illegal instruction.
0x76dabde8 in ?? () from /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.0.0
(gdb) bt
#0 0x76dabde8 in ?? () from /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.0.0
#1 0x76da84b4 in OPENSSL_cpuid_setup ()
from /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.0.0
#2 0x76fdeffc in call_init (l=<optimized out>, argc=5, argv=0x7efffd34,
env=0x7efffd4c) at dl-init.c:78
#3 0x76fdf0d8 in _dl_init (main_map=0x76fff958, argc=5, argv=0x7efffd34,
env=0x7efffd4c) at dl-init.c:126
#4 0x76fcfd84 in _dl_start_user () from /lib/ld-linux-armhf.so.3
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb)
--
These are my opinions. I hate spam.
More information about the devel
mailing list