many: introduce seccomp denylist to block ioctl with TIOCLINUX to fix CVE-2023-1523 #12849

snap-seccomp has always implemented an allow-list approach to syscalls - such that the listed syscalls are allowed and any non-listed will get blocked. However, in the case where we want to disallow a syscall with particular arguments, it is only possible to block one instance of the sycall with a given argument. If a second similar rule is added, each rule effectively allows the other and so neither get disallowed as a result. So introduce the concept of explicitly denying system calls listed in the seccomp profile by prefixing them with a tilde (~). The seccomp action for these is then EACCES (since EPERM is the default for unmatched syscalls and seccomp doesn't allow to specify an action which is the same as the default). This then allows to specify to block various syscall argument combinations as expected, and so is used as the mechanism to fix CVE-2023-1523. Signed-off-by: Alex Murray <alex.murray@canonical.com>

Fixes CVE-2023-1523 Signed-off-by: Alex Murray <alex.murray@canonical.com>

Add a spread test which exercises the two tty injection PoCs for both CVE-2023-1523 and CVE-2019-7303 Signed-off-by: Alex Murray <alex.murray@canonical.com>

Signed-off-by: Alex Murray <alex.murray@canonical.com>

…stems and on ubuntu core

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

many: introduce seccomp denylist to block ioctl with TIOCLINUX to fix CVE-2023-1523 #12849

many: introduce seccomp denylist to block ioctl with TIOCLINUX to fix CVE-2023-1523 #12849

Commits on May 25, 2023

Commits on May 26, 2023