many: introduce seccomp denylist to block ioctl with TIOCLINUX to fix CVE-2023-1523 #12849
Commits on May 25, 2023
- 0e87906 snap-seccomp: support explicit blocking of syscalls

  snap-seccomp has always implemented an allow-list approach to syscalls, such that the listed syscalls are allowed and any non-listed will get blocked. However, in the case where we want to disallow a syscall with particular arguments, it is only possible to block one instance of the syscall with a given argument. If a second similar rule is added, each rule effectively allows the other and so neither gets disallowed as a result.

  So introduce the concept of explicitly denying system calls listed in the seccomp profile by prefixing them with a tilde (~). The seccomp action for these is then EACCES (since EPERM is the default for unmatched syscalls and seccomp doesn't allow specifying an action which is the same as the default). This then makes it possible to block various syscall argument combinations as expected, and so is used as the mechanism to fix CVE-2023-1523.

  Signed-off-by: Alex Murray <alex.murray@canonical.com>
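To make concrete why two argument-filtered allow rules leak, here is a small Python model of the profile evaluation this commit describes. It is an added example, not snapd's snap-seccomp code; the rule syntax beyond the tilde (`-` for any argument value, `!X` for any value except X) and the two profiles are assumptions constructed for illustration.

```python
import errno

# Real ioctl request numbers (x86-64 Linux), used as sample arguments.
TCGETS, TIOCSTI, TIOCLINUX = 0x5401, 0x5412, 0x541C
NAMES = {"TCGETS": TCGETS, "TIOCSTI": TIOCSTI, "TIOCLINUX": TIOCLINUX}

def parse_profile(text):
    """Each rule is (deny, syscall, [arg specs]); a leading '~' marks a deny rule."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fields = line.lstrip("~").split()
            rules.append((line.startswith("~"), fields[0], fields[1:]))
    return rules

def arg_matches(spec, value):
    if spec == "-":                  # assumed syntax: any value
        return True
    if spec.startswith("!"):         # assumed syntax: any value except the named one
        return value != NAMES[spec[1:]]
    return value == NAMES[spec]

def evaluate(rules, syscall, args):
    """0 if allowed, else a negative errno (the ERRNO seccomp action)."""
    allowed = False
    for deny, name, specs in rules:
        if name == syscall and all(arg_matches(s, a) for s, a in zip(specs, args)):
            if deny:
                return -errno.EACCES     # explicit denies win over any allow rule
            allowed = True
    return 0 if allowed else -errno.EPERM  # default for anything not allow-listed

# Constructed profiles for illustration, not the real snapd template.
ALLOW_ONLY = """
ioctl - !TIOCSTI     # allow any ioctl unless arg1 is TIOCSTI
ioctl - !TIOCLINUX   # allow any ioctl unless arg1 is TIOCLINUX
"""
WITH_DENYLIST = """
ioctl                # allow ioctl in general ...
~ioctl - TIOCSTI     # ... but explicitly deny these two request codes
~ioctl - TIOCLINUX
"""

def verdicts(profile):
    """Map each sample request code to the filter's result for ioctl(fd, code)."""
    rules = parse_profile(profile)
    return {n: evaluate(rules, "ioctl", (0, code)) for n, code in NAMES.items()}

if __name__ == "__main__":
    print("allow-list only:", verdicts(ALLOW_ONLY))    # TIOCSTI and TIOCLINUX both leak through
    print("with denylist:  ", verdicts(WITH_DENYLIST))  # both now return -EACCES
```

With only negated allow rules, ioctl(TIOCLINUX) is admitted by the `!TIOCSTI` rule and vice versa, so neither request is ever blocked; the tilde rules return EACCES for those two codes while unrelated ioctls and unlisted syscalls keep their allow and default-EPERM outcomes.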
- c88f611 interfaces/seccomp: explicitly disallow the use of ioctl + TIOCLINUX

  Fixes CVE-2023-1523

  Signed-off-by: Alex Murray <alex.murray@canonical.com>
- 997dbfd snap-seccomp-blacklist: also disallow the use of ioctl + TIOCLINUX

  Fixes CVE-2023-1523

  Signed-off-by: Alex Murray <alex.murray@canonical.com>
- 015190d tests/main/snap-seccomp-blocks-tty-injection: spread test CVE-2023-1523

  Add a spread test which exercises the two tty injection PoCs for both CVE-2023-1523 and CVE-2019-7303

  Signed-off-by: Alex Murray <alex.murray@canonical.com>
- 5b8b1dd cmd/snap-seccomp: Group similar variables together

  Signed-off-by: Alex Murray <alex.murray@canonical.com>
- 7cefecb tests/main/snap-seccomp-blocks-tty-injection: fix shellcheck errors

  Signed-off-by: Alex Murray <alex.murray@canonical.com>
- 362f2db tests: fix snap-seccomp-blocks-tty-injection on partially confined systems and on ubuntu core
- f890b2f
Commits on May 26, 2023
- 371f7b5