[RFC 3/3] seccomp: add a way to get a listener fd from ptrace
Tycho Andersen
tycho at tycho.ws
Wed Feb 14 15:33:59 UTC 2018
On Tue, Feb 13, 2018 at 01:32:26PM -0800, Kees Cook wrote:
> On Sun, Feb 4, 2018 at 2:49 AM, Tycho Andersen <tycho at tycho.ws> wrote:
> > As an alternative to SECCOMP_FILTER_FLAG_GET_LISTENER, perhaps a ptrace()
> > version which can acquire filters is useful. There are at least two reasons
> > this is preferable, even though it uses ptrace:
> >
> > 1. You can control tasks that aren't cooperating with you
> > 2. You can control tasks whose filters block sendmsg() and socket(); if the
> > task installs a filter which blocks these calls, there's no way with
> > SECCOMP_FILTER_FLAG_GET_LISTENER to get the fd out to the privileged task.
>
> I got worried for a second that this would get us into a many-to-many
> state, but I see init_listener enforces a single listener per filter.
> Whew. Seems legit. :)
Yes, although if you sendmsg() the listener fd, you could still get
into that state, so it's still maybe a concern?
Tycho
More information about the Containers
mailing list