seccomp bypass when joining existing jail #2718
Comments
This fails for me with

Which version of firejail are you running? Which distro?

Okay, so I can replicate with current release, but not with current git master. Is that the same for you @apmorton?

Confirmed, this is fixed on latest master. seccomp files are put in

In the future, if you think you have found a security vulnerability (which this certainly would qualify as), you should probably follow the directions in the readme (i.e. email netblue30).

@netblue30, this is fixed in git master, but apparently is an issue in the current release. How should we proceed?

Neither readme (edit: just noticed in

I'll add it to the README as well, since people might not think to look at CONTRIBUTING.

@apmorton, if you're comfortable, can you bisect the commits to figure out which one solved this? We should probably back-port just that fix...

It is commit eecf35c

Thanks @smitsohu! Should we back-port to LTS and current release?

@chiraag-nataraj We already have a new release candidate, and 0.9.58 will be replaced very soon anyways. LTS is a different story, imho it should be backported. What does @startx2017 think?

What about getting a CVE assigned?

this fine?

More a side note: So far we as upstream only support the last version and LTS, and I tend to believe this is a wise decision. I'd say for earlier versions it is the maintainers' job to backport fixes, in line with their respective distribution policy.

@smitsohu

I have done some backports here (edit: attached as a zip for archival purposes)

Asked MITRE for a CVE number.

Thanks @apmorton New release Monday morning. If you want to bring in any other fix, now is the time. If we don't get a CVE number by Monday, we'll add it later. I'll grab the patch from @SkewedZeppelin and add it in etc-fixes directory here on mainline. For LTS a new release probably sometime next week, there are some more fixes to be added there, I'll have to talk to @startx2017.

The RELNOTES should be updated, we have some new stuff like private-cwd or deterministic-exit-code and so on.

RELNOTES done, anything missing just add it in. I'm doing some testing right now, tonight or tomorrow morning it should be out.

@smitsohu Was there already a reply regarding CVE number? Edit: Did you use this form? https://cveform.mitre.org/

@reinerh We have no number assigned yet. Yes, I used the webform. I think I'm going to ask if there is something we can do on our end to speed up the process.

@startx2017 started porting, we will have an LTS release by the end of the week with or without CVE.

(FYI a backported fix is in Debian unstable since yesterday, together with a fix for #2401; and it has been unblocked for migration to Buster.)

CVE-2019-12589 was assigned for this issue.

LTS version also released, CVE status page updated - https://firejail.wordpress.com/download-2/cve-status/

seccomp filters are copied into /run/firejail/mnt, and are writable within the jail. A malicious process can modify files from inside the jail. Processes that are later joined to the jail will not have seccomp filters applied.
Repro steps:

1. compile program to call blacklisted syscall
2. create interactive jail session
3. try to run program inside jail, noting syscall is blocked
4. open new terminal and run program by joining jail, noting syscall is blocked
5. back in original interactive jail session, empty the seccomp.list file and attempt to run program, noting syscall is blocked
6. open new terminal and run program by joining jail, noting syscall is NOT blocked
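The probe used in the repro steps above, as an added example that is not part of the original report or of firejail itself: a small C program that first records the calling process's seccomp mode from the "Seccomp:" field of /proc/self/status (0 = none, 2 = filter) and then issues umount2, which is assumed here to be on firejail's default seccomp blacklist, against a path that does not exist. The nonexistent path is deliberate: when the call actually reaches the kernel, path lookup fails with ENOENT before the CAP_SYS_ADMIN check, whereas firejail's filter rejects it up front with EPERM, so the errno tells you who said no. The path name and the wording of the verdicts are the example's own choices.

```c
/* seccomp_probe.c - added example, not code from the issue or from firejail.
 * Reports whether a seccomp filter is active in this process and whether a
 * blacklisted syscall (umount2, assumed to be on firejail's default list)
 * is actually blocked. Build: cc -o seccomp_probe seccomp_probe.c */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Parse the "Seccomp:" field (present since Linux 3.8) out of the text of a
 * /proc/<pid>/status file. Returns 0 (disabled), 1 (strict), 2 (filter),
 * or -1 if the field is absent. We read the status file rather than calling
 * prctl(PR_GET_SECCOMP): under strict mode that prctl is itself forbidden and
 * would kill the process instead of answering. */
int seccomp_mode_from_status(const char *status_text)
{
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "Seccomp:", 8) == 0) {
            const char *p = line + 8;
            while (*p == ' ' || *p == '\t')
                p++;
            if (*p >= '0' && *p <= '9')
                return *p - '0';
            return -1;
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* Seccomp mode of the calling process, or -1 if /proc is unavailable. */
int current_seccomp_mode(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return seccomp_mode_from_status(buf);
}

/* Issue the blacklisted syscall with arguments that can never succeed.
 * Returns the errno it failed with (EPERM when a seccomp filter rejected it,
 * a path error such as ENOENT when the kernel actually processed it), or 0
 * if it unexpectedly succeeded. The path is a made-up name for this probe. */
int probe_blacklisted_syscall(void)
{
    errno = 0;
    long r = syscall(SYS_umount2, "/nonexistent-firejail-seccomp-probe", 0);
    return r == -1 ? errno : 0;
}

/* Turn the two observations into a one-line verdict. */
const char *verdict(int seccomp_mode, int probe_errno)
{
    if (seccomp_mode == 2 && probe_errno == EPERM)
        return "seccomp filter active, syscall blocked";
    if (seccomp_mode == 2)
        return "seccomp filter active, but probe syscall reached the kernel";
    if (seccomp_mode == 0)
        return "NO seccomp filter in this process";
    return "seccomp state unknown";
}

int main(void)
{
    int mode = current_seccomp_mode();
    int err = probe_blacklisted_syscall();
    printf("pid %ld: Seccomp mode %d, umount2 -> %s\n", (long)getpid(), mode,
           err ? strerror(err) : "succeeded?!");
    printf("%s\n", verdict(mode, err));
    return 0;
}
```

Usage follows the repro steps: run the binary inside an interactive jail started with seccomp enabled, then from a second terminal through firejail's --join option, and compare the two lines; a filtered process reports mode 2 and EPERM. Repeat the --join run after the seccomp list in the jail's mount directory has been emptied. On a release affected by this issue the joined process reports mode 0 and the syscall goes through, which is exactly step 6 above. Note that the mode outside any jail is not necessarily 0 either, since container runtimes install their own filters, so always compare against a baseline taken in the same environment.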