
security fix

1 parent d37421f commit 6b8dba29d73257311564ee7f27b9b14758cc693e @netblue30 committed Jan 6, 2017
Showing with 25 additions and 1 deletion.
  1. +3 −0 RELNOTES
  2. +19 −0 src/firejail/main.c
  3. +3 −1 src/man/firejail.txt
@@ -1,5 +1,8 @@
firejail (0.9.44.3) baseline; urgency=low
* development version
+ * security: disabled --allow-debuggers when running on kernel
+ versions prior to 4.8; a kernel bug in ptrace system call
+ allows a full bypass of seccomp filter; problem reported by Lizzie Dixon
* security: root exploit found by Sebastian Krahmer
-- netblue30 <netblue30@yahoo.com> Wed, 4 Jan 2017 11:00:00 -0500
@@ -35,6 +35,7 @@
#include <signal.h>
#include <time.h>
#include <net/if.h>
+#include <sys/utsname.h>
#if 0
#include <sys/times.h>
@@ -802,6 +803,24 @@ static void detect_allow_debuggers(int argc, char **argv) {
// detect --allow-debuggers
for (i = 1; i < argc; i++) {
if (strcmp(argv[i], "--allow-debuggers") == 0) {
+ // check kernel version
+ struct utsname u;
+ int rv = uname(&u);
+ if (rv != 0)
+ errExit("uname");
+ int major;
+ int minor;
+ if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
+ fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
+ exit(1);
+ }
+ if (major < 4 || (major == 4 && minor < 8)) {
+ fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. "
+ "A bug in ptrace call allows a full bypass of the seccomp filter. "
+ "Your current kernel version is %d.%d.\n", major, minor);
+ exit(1);
+ }
+
arg_allow_debuggers = 1;
break;
}
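Review bot: The failure branch of the `sscanf` check prints `u.version`, but the string that failed to parse is `u.release`, so the error shows the kernel build string rather than the text that was rejected; it should read `fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.release);`. The gate fails closed, which is the right default for a seccomp bypass, but it trusts the reported release number and will also refuse distribution kernels that may carry a backported ptrace fix. A comment above the comparison such as `// fail closed: on kernels older than 4.8 a ptrace bug allows a full seccomp bypass` would record that intent. Only the command-line path is visible in this hunk, so it should be confirmed that no other path can set `arg_allow_debuggers` without passing this check. `detect_allow_debuggers` starts before the hunk and continues after it.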
@@ -76,7 +76,9 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox
Signal the end of options and disables further option processing.
.TP
\fB\-\-allow-debuggers
-Allow tools such as strace and gdb inside the sandbox.
+Allow tools such as strace and gdb inside the sandbox. This option is only available
+when running on Linux kernels 4.8 or newer - a kernel bug in ptrace system call allows a full
+bypass of the seccomp filter.
.br
.br
