From 0f862c2c5e8aafec9f5bfda245ea4f972b51268c Mon Sep 17 00:00:00 2001
From: Mildred Ki'Lya
Date: Thu, 14 Dec 2023 02:07:31 +0100
Subject: [PATCH] improvements
---
README.md | 10 ++++------
main.c | 9 ++++++---
2 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index 1c8d553..8f2a57d 100644
--- a/README.md
+++ b/README.md
@@ -36,14 +36,12 @@ Known bugs
 ----------
 - ptrace can mess up and can make syscalls return -ENOSYS (no implemented)
-- parent process always exits with status 0 in seccomp-only mode (seccomp daemon
- should pass exit status to parent process)
 - if the process close a systemd activated socket and opens a new socket on the same file descriptor number that is not catched by force-bind, then the subsequent listen() calls will be skipped
-- security issue: race condition when replacing the network address causing a
- malicious program to bind an otherwise forbidden address. Can be solved with
- pidfd_getfd.
+- security issue: the target process could bypass the force-bind policy using a
+ race condition when replacing the network address. If timed correctly, it can
+ bind an otherwise forbidden address. Can be solved with pidfd_getfd.
 - When the file descriptors are not passed by systemd (the service is started while the socket was not active for example), force-bind should let the process bind() and listen() normally
@@ -55,7 +53,7 @@ TODO:
 - Allow to bind to hostnames which can resolve to multiple IP addresses which is made possible by pidfd_getfd. `getaddrinfo2()` results should be checked for a next address in `res->ai_next`.
-- Allot to block a find matching a specific address.
+- Allow to block a find matching a specific address.
 History
 -------
diff --git a/main.c b/main.c
index eea3b4c..ae144a1 100644
--- a/main.c
+++ b/main.c
@@ -1399,8 +1399,7 @@ main(int argc, char *argv[])
 /* Create a child process--the "target"--that installs seccomp filtering. The target process writes the seccomp notification file descriptor
- onto 'sockPair[0]' and then calls mkdir(2) for each directory in the
- command-line arguments. */
+ onto 'sockPair[0]' and then exec with the command-line arguments. */
 targetPid = targetProcess(sockPair, &argv[optind], &opts);
@@ -1432,13 +1431,17 @@ main(int argc, char *argv[])
 /* Wait for the target process to terminate */
- waitpid(targetPid, NULL, 0);
+ int status;
+ waitpid(targetPid, &status, 0);
 if(opts.debug) printf("Parent: target process has terminated\n");
 /* After the target process has terminated, kill the tracer process */
 if(opts.debug) printf("Parent: killing tracer\n");
 kill(tracerPid, SIGTERM);
+
+ if (!WIFEXITED(status)) exit(EXIT_FAILURE);
+ exit(WEXITSTATUS(status));
 }
 exit(EXIT_SUCCESS);
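Review bot: The added `waitpid(targetPid, &status, 0)` ignores its return value, so on failure (ECHILD, or EINTR if a signal handler without SA_RESTART is installed elsewhere in the file — not visible from the hunk) `status` stays uninitialized and the later `WIFEXITED(status)` / `WEXITSTATUS(status)` read an indeterminate value, which is undefined behaviour and hands the supervisor an arbitrary exit code. Guard it and retry on EINTR (needs `<errno.h>`): `while (waitpid(targetPid, &status, 0) < 0) { if (errno != EINTR) { perror("waitpid"); exit(EXIT_FAILURE); } }`. Mapping every non-`WIFEXITED` case to EXIT_FAILURE also discards the signal when the target was killed (SIGSEGV, SIGKILL, or a kill action from the seccomp policy if one is configured), which a supervisor such as systemd needs to tell apart from an ordinary failure of a sandbox wrapper; the common convention is `if (WIFSIGNALED(status)) exit(128 + WTERMSIG(status));` ahead of the `WIFEXITED` test, or re-raising the signal with its default disposition. The enclosing main() continues past the end of the hunk.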