Differential D5029

Use seccomp for implementing a sandbox for kscreenlocker_greet
ClosedPublic
Actions

Authored by graesslin on Mar 12 2017, 4:17 PM.

Details

Reviewers

None

Group Reviewers

Plasma

Commits

R133:5e3c7b337c95: Use seccomp for implementing a sandbox for kscreenlocker_greet

Summary

This change introduces a new optional dependency on libseccomp.
Libseccomp allows to forbid syscalls. With that we can constrain the
user defined dynamically loaded QtQuick code from the look'n'feel
package and from the wallpaper package. The idea is to protect against
"malicious" packages the user manually installed.

With the installed seccomp filter we can ensure that the QtQuick code
cannot perform the following operations:

send password into Internet through forbidding the socket syscall
use KIO to send password into Internet through forbidding fork+exec
write password into a file through forbidding opening a file in write mode or creating a new file
send password to another process through forbidding pipe/pipe2

So far our QtQuick code was already constrained by disallowing network
access through injecting a QNetworkAccessManager which forbids internet
access. But this was easy to circumvent through e.g. KIO.

The seccomp filter cannot protect against a malicious process already
running on the system. The obvious way to get out of this sandbox is
DBus. DBus is allowed in the sandbox, thus it is possible for a malicious
look'n'feel package to communicate with a running malicious application
through DBus. To protect DBus we need to implement an additional apparmor
profile.

The seccomp filter gets only installed if the seccomp dependency is
available and kcheckpass is not setuid. This is ensured with a runtime
check. For kscreenlocker_greet the main change is that when seccomp is
enabled the delayed kcheckpass authentication method is used.

Test Plan

Manual testing and a new auto test which verifies the
restricted conditions.

Diff Detail

Branch

seccomp

Lint

No Linters Available

Unit

No Unit Test Coverage

graesslin created this revision.Mar 12 2017, 4:17 PM

Restricted Application added a project: Plasma. · View Herald TranscriptMar 12 2017, 4:17 PM

Restricted Application added a subscriber: plasma-devel. · View Herald Transcript

graesslin added dependencies: D4997: Support for long running kcheckpass supporting multiple authentications, D4806: [greeter] Send the auth result through the server instead return value.Mar 12 2017, 4:17 PM

Cool!

greeter/autotests/seccomp_test.cpp
95 ↗	(On Diff #12413)	set `QNetworkRequest::FollowRedirectsAttribute` or else Ben will get angry
greeter/greeterapp.cpp
148 ↗	(On Diff #12413)	Might lead to an unreachable code warning?

graesslin added inline comments.Mar 12 2017, 4:48 PM

greeter/autotests/seccomp_test.cpp
95 ↗	(On Diff #12413)	The point of this test is that the call doesn't work. See line 101. The seccomp filter disallows network access. No matter whether I use FollowRedirectsAttribute or not: kde.org will never see the request. And if not and Ben gets angry: even better, than we have a human auto test ;-)
greeter/greeterapp.cpp
148 ↗	(On Diff #12413)	why should it? The code looks quite reachable to me. If kcheckpass is setuid it uses the code from line 151.

broulik added inline comments.Mar 12 2017, 5:32 PM

greeter/autotests/seccomp_test.cpp
95 ↗	(On Diff #12413)	It might fail because KDE CI infrastructure does a redirect we don't follow instead of failing because we actually restricted it.
greeter/greeterapp.cpp
148 ↗	(On Diff #12413)	Yeah but it will lead to code in the form of return new Authenticator(Authenticator::AuthenticationMode::Delayed, this); return new Authenticator(Authenticator::AuthenticationMode::Direct, this); the latter being unreachable. Just being picky here, though, feel free to ignore.

graesslin added inline comments.Mar 12 2017, 7:43 PM

greeter/autotests/seccomp_test.cpp
95 ↗	(On Diff #12413)	I'm pretty sure that it would fail properly for the IP variants in such a case.
greeter/greeterapp.cpp
148 ↗	(On Diff #12413)	That is totally fine. Having different return values in different paths is quite common. E.g. an early exit with a return nullptr.

romangg added a subscriber: romangg.Apr 1 2017, 5:33 PM

romangg added inline comments.

greeter/seccomp_filter.cpp
41 ↗	(On Diff #12413)	Why not create it explicitly? Calling supportsThreadedOpenGL to do it seems like a hack.

graesslin added inline comments.Apr 2 2017, 7:12 AM

greeter/seccomp_filter.cpp
41 ↗	(On Diff #12413)	True, it's a hack. But creating a working gl context is nothing I want to do here and is nothing I can do in a way which ensures that it will work in all cases for Qt. This one method does exactly what we need. It creates a Gl context which works for Qt and destroys it again. Overall it means we can get rid of a few hundred lines of code. So I personally think that this hack is justified in this case.

Rebased on latest changes

Closed by commit R133:5e3c7b337c95: Use seccomp for implementing a sandbox for kscreenlocker_greet (authored by graesslin). · Explain WhyApr 19 2017, 3:43 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

		Path
M		CMakeLists.txt (9 lines)
A	M	cmake/FindSeccomp.cmake (80 lines)
M		config-kscreenlocker.h.cmake (1 line)
M		greeter/CMakeLists.txt (7 lines)
M		greeter/autotests/CMakeLists.txt (15 lines)
A	M	greeter/autotests/seccomp_test.cpp (106 lines)
M		greeter/greeterapp.h (6 lines)
M		greeter/greeterapp.cpp (21 lines)
M		greeter/main.cpp (11 lines)
A	M	greeter/seccomp_filter.h (36 lines)
A	M	greeter/seccomp_filter.cpp (84 lines)

Diff	ID	Base	Description	Created	Lint	Unit
Base			Base
Diff 1	12413	dffd44b		Mar 12 2017, 4:17 PM	★	★
Diff 2	13189	9ba20a5	Rebased on latest changes	Apr 7 2017, 2:01 PM	★	★
Diff 3	13604	07d38ba	R133:5e3c7b337c9525f6b427c06f1814938b0a161db8	Apr 19 2017, 3:41 PM	★	★

Commit	Tree	Parents	Author	Summary	Date
57df14483076	159261c7b818	9ba20a54a5ab	Martin Gräßlin	Use seccomp for implementing a sandbox for kscreenlocker_greet (Show More…)	Mar 11 2017, 12:15 PM

Status	Author	Revision
Closed	graesslin	D5029 Use seccomp for implementing a sandbox for kscreenlocker_greet
Closed	graesslin	D4997 Support for long running kcheckpass supporting multiple authentications
Closed	graesslin	D4806 [greeter] Send the auth result through the server instead return value
Closed	graesslin	D4785 Add a small test application for kcheckpass
Closed	graesslin	D4780 [kcheckpass] Drop the conv_legacy support
Closed	graesslin	D4773 [kcheckpass] Drop the caller command line option
Closed	graesslin	D4759 [kcheckpass] Drop command line option for username