Possibly Missing Syscalls from Seccomp Filter

shankarapailoor . shankarapailoor at gmail.com
Mon Jul 1 11:18:18 AEST 2019


Just to be clear, the paths include sshpkt_vfatal, which could be called in
the child process. Is the reason they are not callable that the
effective user id of the sandboxed process is non-root?


I've updated the paths below:

1. do_authentication2->dispatch_run_fatal->sshpkt_fatal->sshpkt_vfatal->logdie->cleanup_exit->do_cleanup->temporarily_use_uid->getgroups

2. do_authentication2->ssh_dispatch_run_fatal->sshpkt_fatal->logdie->cleanup_exit->do_cleanup->temporarily_use_uid->initgroups->setgroups

3. do_authentication2->ssh_dispatch_run_fatal->sshpkt_fatal->sshpkt_vfatal->logdie->cleanup_exit->do_cleanup->auth_sock_cleanup_proc->unlink

4. do_authentication2->ssh_dispatch_run_fatal->sshpkt_fatal->sshpkt_vfatal->logide->cleanup_exit->do_cleanup->auth_sock_cleanup_proc->rmdir

On Sun, Jun 30, 2019 at 4:32 PM Damien Miller <djm at mindrot.org> wrote:

>
> On Sun, 30 Jun 2019, shankarapailoor . wrote:
>
> > Hi!
> >
> > I'm investigating the seccomp filter in openssh and I wanted to know
> > whether the following system calls should be added to the filter:
>
> I don't think so - AFAIK all of those only happen in the unsandboxed
> monitor process.
>
>
> > 1. getgroups
> >     - do_authentication2->dispatch_run_fatal->sshpkt_fatal->logdie->cleanup_exit->do_cleanup->temporarily_use_uid->getgroups
> > 2. setgroups
> >     - do_authentication2->ssh_dispatch_run_fatal->sshpkt_fatal->logdie->cleanup_exit->do_cleanup->temporarily_use_uid->initgroups->setgroups
> > 3. unlink
> >     - do_authentication2->ssh_dispatch_run_fatal->sshpkt_fatal->logdie->cleanup_exit->do_cleanup->auth_sock_cleanup_proc->unlink
> > 4. rmdir
> >     - do_authentication2->ssh_dispatch_run_fatal->sshpkt_fatal->logide->cleanup_exit->do_cleanup->auth_sock_cleanup_proc->rmdir
> >
> > Below each system call is a call path that seems feasible. My apologies for
> > any inconvenience.
> >
> > Regards,
> > Shankara Pailoor
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
>


-- 
Regards,
Shankara Pailoor

