-
-
Notifications
You must be signed in to change notification settings - Fork 407
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Regression in CVE-2021-41133 fixes: While trying to apply extra data: Failed to block syscall 442 #4458
Comments
Debian testing/unstable, with kernel 5.14.9-2 and libseccomp 2.5.2-2, is OK. |
I think what's happening here is that adding seccomp rules fails if non-native architectures are allowed (so this will break extra-data, and also apps that allow non-native syscalls like Steam) and we are trying to block a syscall that libseccomp doesn't know about. We can block a syscall by its native syscall number for the current architecture, even if the syscall is not known to libseccomp; but if we have enabled multiarch, Making the seccomp filter into an allowlist instead of a denylist (which we want to do anyway, as security hardening) would solve this, but I don't know libseccomp well enough to work out how best to do that. |
Is that really true? It seems to me that arch_syscall_translate() failing will return EFAULT, which is specifically ignored by flatpak as:
|
Notice that it says |
If we fail to block the i386 version of a recently-added syscall, then we're potentially reintroducing CVE-2021-41133 for users with a newer kernel than their libseccomp, for example Debian 11 users with a backported Debian 12 kernel (which is quite a common thing to do for newer hardware support). |
Looking at this, I think you're right that the intention was to say r != -EFAULT. Can you try if that fixes it for you? I agree however, that this is sub-optimal in terms of security. |
Not trivially, I don't have a permanent development environment for all these older distros. I'll try to get a test-build done but it is going to take a little while. |
The error-handling here was if (r < 0 && r == -EFAULT) but Alex says it was almost certainly intended to be if (r < 0 && r != -EFAULT) so that syscalls not known to libseccomp are not a fatal error. Instead of literally making that change, emit a debug message on -EFAULT so we can see what is going on. This temporarily weakens our defence against CVE-2021-41133 (GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed version of libseccomp does not know about the recently-added syscalls, but the kernel does, then we will not prevent non-native executables from using those syscalls. Resolves: flatpak#4458 Signed-off-by: Simon McVittie <smcv@collabora.com>
The error-handling here was if (r < 0 && r == -EFAULT) but Alex says it was almost certainly intended to be if (r < 0 && r != -EFAULT) so that syscalls not known to libseccomp are not a fatal error. Instead of literally making that change, emit a debug message on -EFAULT so we can see what is going on. This temporarily weakens our defence against CVE-2021-41133 (GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed version of libseccomp does not know about the recently-added syscalls, but the kernel does, then we will not prevent non-native executables from using those syscalls. Resolves: flatpak#4458 Signed-off-by: Simon McVittie <smcv@collabora.com>
Maybe you already saw, but there is a runc commit linked to from the moby commit you linked in the flatpak source, and they seem to have managed to implement an allowlist by returning ENOSYS for syscall numbers higher than the highest one defined: As pointed out in their commit and source comment, there are various caveats and limitations, but it might still be better than a blocklist. (I'm not suggesting that translating that prior art into C code for Flatpak is easy, just wanted to point that out in case you didn't see.) |
The error-handling here was if (r < 0 && r == -EFAULT) but Alex says it was almost certainly intended to be if (r < 0 && r != -EFAULT) so that syscalls not known to libseccomp are not a fatal error. Instead of literally making that change, emit a debug message on -EFAULT so we can see what is going on. This temporarily weakens our defence against CVE-2021-41133 (GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed version of libseccomp does not know about the recently-added syscalls, but the kernel does, then we will not prevent non-native executables from using those syscalls. Resolves: #4458 Signed-off-by: Simon McVittie <smcv@collabora.com>
The error-handling here was if (r < 0 && r == -EFAULT) but Alex says it was almost certainly intended to be if (r < 0 && r != -EFAULT) so that syscalls not known to libseccomp are not a fatal error. Instead of literally making that change, emit a debug message on -EFAULT so we can see what is going on. This temporarily weakens our defence against CVE-2021-41133 (GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed version of libseccomp does not know about the recently-added syscalls, but the kernel does, then we will not prevent non-native executables from using those syscalls. Resolves: #4458 Signed-off-by: Simon McVittie <smcv@collabora.com> (cherry picked from commit d419fa6)
Sorry, writing code to output raw BPF is way outside my knowledge - I'm already having to learn libseccomp as I go (which probably makes me not an ideal person to be implementing this security boundary, but hopefully I'm better than nothing). If you want to try their approach, please go ahead, but it is not something that I will be able to help you with. |
See also seccomp/libseccomp#11 and seccomp/libseccomp#286 which seem to be attempts to solve this in libseccomp. (Although each of those two issues suggests that the other one is the real solution...) |
The error-handling here was if (r < 0 && r == -EFAULT) but Alex says it was almost certainly intended to be if (r < 0 && r != -EFAULT) so that syscalls not known to libseccomp are not a fatal error. Instead of literally making that change, emit a debug message on -EFAULT so we can see what is going on. This temporarily weakens our defence against CVE-2021-41133 (GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed version of libseccomp does not know about the recently-added syscalls, but the kernel does, then we will not prevent non-native executables from using those syscalls. Resolves: #4458 Signed-off-by: Simon McVittie <smcv@collabora.com> (cherry picked from commit d419fa6)
The error-handling here was if (r < 0 && r == -EFAULT) but Alex says it was almost certainly intended to be if (r < 0 && r != -EFAULT) so that syscalls not known to libseccomp are not a fatal error. Instead of literally making that change, emit a debug message on -EFAULT so we can see what is going on. This temporarily weakens our defence against CVE-2021-41133 (GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed version of libseccomp does not know about the recently-added syscalls, but the kernel does, then we will not prevent non-native executables from using those syscalls. Resolves: flatpak#4458 Signed-off-by: Simon McVittie <smcv@collabora.com> (cherry picked from commit d419fa6) (cherry picked from commit 270701f)
The error-handling here was if (r < 0 && r == -EFAULT) but Alex says it was almost certainly intended to be if (r < 0 && r != -EFAULT) so that syscalls not known to libseccomp are not a fatal error. Instead of literally making that change, emit a debug message on -EFAULT so we can see what is going on. This temporarily weakens our defence against CVE-2021-41133 (GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed version of libseccomp does not know about the recently-added syscalls, but the kernel does, then we will not prevent non-native executables from using those syscalls. Resolves: flatpak#4458 Signed-off-by: Simon McVittie <smcv@collabora.com>
The error-handling here was if (r < 0 && r == -EFAULT) but Alex says it was almost certainly intended to be if (r < 0 && r != -EFAULT) so that syscalls not known to libseccomp are not a fatal error. Instead of literally making that change, emit a debug message on -EFAULT so we can see what is going on. This temporarily weakens our defence against CVE-2021-41133 (GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed version of libseccomp does not know about the recently-added syscalls, but the kernel does, then we will not prevent non-native executables from using those syscalls. Resolves: flatpak#4458 Signed-off-by: Simon McVittie <smcv@collabora.com>
The error-handling here was if (r < 0 && r == -EFAULT) but Alex says it was almost certainly intended to be if (r < 0 && r != -EFAULT) so that syscalls not known to libseccomp are not a fatal error. Instead of literally making that change, emit a debug message on -EFAULT so we can see what is going on. This temporarily weakens our defence against CVE-2021-41133 (GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed version of libseccomp does not know about the recently-added syscalls, but the kernel does, then we will not prevent non-native executables from using those syscalls. Resolves: #4458 Signed-off-by: Simon McVittie <smcv@collabora.com> (cherry picked from commit d419fa6) (cherry picked from commit 270701f)
The error-handling here was if (r < 0 && r == -EFAULT) but Alex says it was almost certainly intended to be if (r < 0 && r != -EFAULT) so that syscalls not known to libseccomp are not a fatal error. Instead of literally making that change, emit a debug message on -EFAULT so we can see what is going on. This temporarily weakens our defence against CVE-2021-41133 (GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed version of libseccomp does not know about the recently-added syscalls, but the kernel does, then we will not prevent non-native executables from using those syscalls. Resolves: flatpak#4458 Signed-off-by: Simon McVittie <smcv@collabora.com> (cherry picked from commit d419fa6) (cherry picked from commit 270701f) (cherry picked from commit a0055e4)
The error-handling here was if (r < 0 && r == -EFAULT) but Alex says it was almost certainly intended to be if (r < 0 && r != -EFAULT) so that syscalls not known to libseccomp are not a fatal error. Instead of literally making that change, emit a debug message on -EFAULT so we can see what is going on. This temporarily weakens our defence against CVE-2021-41133 (GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed version of libseccomp does not know about the recently-added syscalls, but the kernel does, then we will not prevent non-native executables from using those syscalls. Resolves: flatpak#4458 Signed-off-by: Simon McVittie <smcv@collabora.com> (cherry picked from commit d419fa6) (cherry picked from commit 270701f) (cherry picked from commit a0055e4)
The error-handling here was if (r < 0 && r == -EFAULT) but Alex says it was almost certainly intended to be if (r < 0 && r != -EFAULT) so that syscalls not known to libseccomp are not a fatal error. Instead of literally making that change, emit a debug message on -EFAULT so we can see what is going on. This temporarily weakens our defence against CVE-2021-41133 (GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed version of libseccomp does not know about the recently-added syscalls, but the kernel does, then we will not prevent non-native executables from using those syscalls. Resolves: flatpak#4458 Signed-off-by: Simon McVittie <smcv@collabora.com> (cherry picked from commit d419fa6) (cherry picked from commit 270701f) (cherry picked from commit a0055e4)
The error-handling here was if (r < 0 && r == -EFAULT) but Alex says it was almost certainly intended to be if (r < 0 && r != -EFAULT) so that syscalls not known to libseccomp are not a fatal error. Instead of literally making that change, emit a debug message on -EFAULT so we can see what is going on. This temporarily weakens our defence against CVE-2021-41133 (GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed version of libseccomp does not know about the recently-added syscalls, but the kernel does, then we will not prevent non-native executables from using those syscalls. Resolves: flatpak#4458 Signed-off-by: Simon McVittie <smcv@collabora.com> (cherry picked from commit d419fa6) (cherry picked from commit 270701f) (cherry picked from commit a0055e4)
The error-handling here was if (r < 0 && r == -EFAULT) but Alex says it was almost certainly intended to be if (r < 0 && r != -EFAULT) so that syscalls not known to libseccomp are not a fatal error. Instead of literally making that change, emit a debug message on -EFAULT so we can see what is going on. This temporarily weakens our defence against CVE-2021-41133 (GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed version of libseccomp does not know about the recently-added syscalls, but the kernel does, then we will not prevent non-native executables from using those syscalls. Resolves: flatpak#4458 Signed-off-by: Simon McVittie <smcv@collabora.com> (cherry picked from commit d419fa6) (cherry picked from commit 270701f) (cherry picked from commit a0055e4)
The error-handling here was if (r < 0 && r == -EFAULT) but Alex says it was almost certainly intended to be if (r < 0 && r != -EFAULT) so that syscalls not known to libseccomp are not a fatal error. Instead of literally making that change, emit a debug message on -EFAULT so we can see what is going on. This temporarily weakens our defence against CVE-2021-41133 (GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed version of libseccomp does not know about the recently-added syscalls, but the kernel does, then we will not prevent non-native executables from using those syscalls. Resolves: flatpak#4458 Signed-off-by: Simon McVittie <smcv@collabora.com> (cherry picked from commit d419fa6) (cherry picked from commit 270701f) (cherry picked from commit a0055e4)
The error-handling here was if (r < 0 && r == -EFAULT) but Alex says it was almost certainly intended to be if (r < 0 && r != -EFAULT) so that syscalls not known to libseccomp are not a fatal error. Instead of literally making that change, emit a debug message on -EFAULT so we can see what is going on. This temporarily weakens our defence against CVE-2021-41133 (GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed version of libseccomp does not know about the recently-added syscalls, but the kernel does, then we will not prevent non-native executables from using those syscalls. Resolves: flatpak#4458 Signed-off-by: Simon McVittie <smcv@collabora.com> (cherry picked from commit d419fa6) (cherry picked from commit 270701f) (cherry picked from commit a0055e4)
The error-handling here was if (r < 0 && r == -EFAULT) but Alex says it was almost certainly intended to be if (r < 0 && r != -EFAULT) so that syscalls not known to libseccomp are not a fatal error. Instead of literally making that change, emit a debug message on -EFAULT so we can see what is going on. This temporarily weakens our defence against CVE-2021-41133 (GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed version of libseccomp does not know about the recently-added syscalls, but the kernel does, then we will not prevent non-native executables from using those syscalls. Resolves: flatpak#4458 Signed-off-by: Simon McVittie <smcv@collabora.com> (cherry picked from commit d419fa6) (cherry picked from commit 270701f) (cherry picked from commit a0055e4)
The error-handling here was if (r < 0 && r == -EFAULT) but Alex says it was almost certainly intended to be if (r < 0 && r != -EFAULT) so that syscalls not known to libseccomp are not a fatal error. Instead of literally making that change, emit a debug message on -EFAULT so we can see what is going on. This temporarily weakens our defence against CVE-2021-41133 (GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed version of libseccomp does not know about the recently-added syscalls, but the kernel does, then we will not prevent non-native executables from using those syscalls. Resolves: flatpak#4458 Signed-off-by: Simon McVittie <smcv@collabora.com> (cherry picked from commit d419fa6) (cherry picked from commit 270701f) (cherry picked from commit a0055e4)
The error-handling here was if (r < 0 && r == -EFAULT) but Alex says it was almost certainly intended to be if (r < 0 && r != -EFAULT) so that syscalls not known to libseccomp are not a fatal error. Instead of literally making that change, emit a debug message on -EFAULT so we can see what is going on. This temporarily weakens our defence against CVE-2021-41133 (GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed version of libseccomp does not know about the recently-added syscalls, but the kernel does, then we will not prevent non-native executables from using those syscalls. Resolves: flatpak#4458 Signed-off-by: Simon McVittie <smcv@collabora.com>
Linux distribution and version
Debian 11 (kernel
5.10.46-4
, libseccomp2.5.1-1
); Ubuntu 20.04 (kernel5.11.0-27.29~20.04.1
, libseccomp2.5.1-1ubuntu1~20.04.1
)Flatpak version
1.12.0
Description of the problem
Installing extensions that have extra data (openh264, NVIDIA) fails with:
Steps to reproduce
flatpak
from the PPA on a fresh Ubuntu 20.04 VM (the live desktop session will do)org.gnome.Weather
The text was updated successfully, but these errors were encountered: