https://bugs.kde.org/show_bug.cgi?id=384651
Fabian Vogt <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |CONFIRMED
                 CC|                            |[email protected]
     Ever confirmed|0                           |1

--- Comment #1 from Fabian Vogt <[email protected]> ---
stracing the test shows a succeeding call to openat, which is not supposed to happen.

This is fixed (and the make test run confirms that) with this change:

diff --git a/greeter/seccomp_filter.cpp b/greeter/seccomp_filter.cpp index 9d61d4a..a266331 100644 --- a/greeter/seccomp_filter.cpp +++ b/greeter/seccomp_filter.cpp @@ -78,6 +78,7 @@ void init() seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(open), 1, SCMP_A1(SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(open), 1, SCMP_A1(SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)); } + seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(openat), 1, SCMP_A2(SCMP_CMP_MASKED_EQ, O_CREAT, O_CREAT)); seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(open), 1, SCMP_A1(SCMP_CMP_MASKED_EQ, O_CREAT, O_CREAT)); // disallow going to a socket

Why this is now necessary with glibc 2.26 is not obvious, my guess is that glibc rewrote openat(AT_FDCWD, "/...", ...) calls to open("/...", ...) or does it the other way around now with 2.26.

This makes me wonder whether the seccomp sandbox actually works as intended. AFAICT blocking openat is always necessary (?)
This could be confirmed by inserting a direct call to openat in the seccomp test and running it on glibc < 2.26.

-- 
You are receiving this mail because:
You are watching all bug changes.
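Review bot: the added openat rule denies only O_CREAT, while the context lines directly above it deny open with O_WRONLY and O_RDWR as well, so unless openat counterparts exist outside the visible lines, a write-mode openat on an existing file would still pass the filter. Suggest adding, in the same block as those two open rules, `seccomp_rule_add(context, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(openat), 1, SCMP_A2(SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY));` and the O_RDWR equivalent, so that both syscalls are restricted identically under the same condition. The use of SCMP_A2 is correct, since flags is the third argument of openat. The return value of seccomp_rule_add is ignored on the new line, as on the neighbouring ones; a rule that fails to install leaves the sandbox weaker without any signal, so it is worth checking the result and aborting setup on failure.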
