search

netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0
5.68k stars 556 forks source link

Filter netlink families with seccomp #5116

Open rusty-snake opened 2 years ago

rusty-snake commented 2 years ago

Is your feature request related to a problem? Please describe.

AF_NETLINK exposes a (huge) attack surface for the kernel. See https://github.com/netblue30/firejail/issues/4013#issuecomment-786780504 and #4020 for previous discussions.

cc @kris7t @glitsj16

Describe the solution you'd like

The socket syscall looks like int socket(int domain, int type, int protocol);. We already filter the first argument (domain) with protocol unix,inet,inet6,netlink. To minimize the attack surface of AF_NETLINK we should filter the third/last argument (protocol) if the first is AF_NETLINK (netlink_socket = socket(AF_NETLINK, socket_type, netlink_family);).

protocol unix,inet,inet6,netlink
protocol.netlink netfilter,audit,generic,route,...

Describe alternatives you've considered

N/A

Additional context

N/A

glitsj16 commented 2 years ago

Would make a nice enhancement. FWIW I always try to run apps without netlink via local overrides. Only in very rare cases it is actually needed. So, in other words, besides netlink filtering we could drop netlink from protocol for known 'good' applications too IMO. More of a note for future reference when doing PR's.