BUG: Handling of multiple syscall arguments incorrect (CVE-2017-18367) #22

Closed
@mheon

Description

Issue originally identified at moby/moby#32714

Presently, when adding a rule with multiple syscall arguments, we add each argument separately with a separate call to seccomp_rule_add_array and a single syscall specified. This produces an OR relationship between the arguments, i.e. we will match if any of the arguments match.

However, using libseccomp directly, adding multiple rules at the same time with a single API call will result in an AND relationship - the rule will only match if all of the arguments match.

Matching the behavior of the library is important, and at present use cases requiring ANDing syscall rules are not supported.
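The following is an added example, not code from the issue or from libseccomp-golang, that models the two constructions the report contrasts. The types and function names (Condition, Rule, Filter, buildCorrect, buildBuggy, Divergences) are constructed for this illustration and are not libseccomp's API; the model keeps only the part of seccomp semantics that matters here: within one rule all argument conditions must hold (AND), and a syscall matches a filter if any of its rules match (OR). buildCorrect mirrors one library call carrying all conditions; buildBuggy mirrors one call per condition. Divergences probes both against a set of argument vectors and reports where they disagree, which is the check a maintainer would want when verifying that a binding preserves the library's semantics.

```go
package main

import "fmt"

// CompareOp is a constructed stand-in for seccomp's argument comparison operators.
type CompareOp int

const (
	OpEqual CompareOp = iota
	OpNotEqual
	OpMaskedEqual
)

// Condition: "syscall argument Arg, compared with Op against Value (and Mask)".
type Condition struct {
	Arg   uint // argument index 0..5
	Op    CompareOp
	Value uint64
	Mask  uint64 // used by OpMaskedEqual only
}

func (c Condition) holds(args [6]uint64) bool {
	v := args[c.Arg]
	switch c.Op {
	case OpEqual:
		return v == c.Value
	case OpNotEqual:
		return v != c.Value
	case OpMaskedEqual:
		return v&c.Mask == c.Value
	}
	return false
}

// Rule is one filter rule for one syscall: it matches only when ALL of its
// conditions hold, which is what a single rule-add call with several
// conditions expresses.
type Rule struct {
	Conditions []Condition
}

func (r Rule) matches(args [6]uint64) bool {
	for _, c := range r.Conditions {
		if !c.holds(args) {
			return false
		}
	}
	return true
}

// Filter holds the rules for one syscall; the call matches if ANY rule matches.
type Filter struct {
	Rules []Rule
}

func (f Filter) Matches(args [6]uint64) bool {
	for _, r := range f.Rules {
		if r.matches(args) {
			return true
		}
	}
	return false
}

// buildCorrect mirrors passing all conditions in one call: one rule, AND relationship.
func buildCorrect(conds []Condition) Filter {
	return Filter{Rules: []Rule{{Conditions: conds}}}
}

// buildBuggy mirrors the behaviour described in the issue: one call per
// condition, so each condition becomes its own rule and the relationship is OR.
func buildBuggy(conds []Condition) Filter {
	f := Filter{}
	for _, c := range conds {
		f.Rules = append(f.Rules, Rule{Conditions: []Condition{c}})
	}
	return f
}

// Divergences returns the probe argument vectors on which the two constructions
// disagree; an empty result means they are equivalent on that probe set.
func Divergences(conds []Condition, probes [][6]uint64) [][6]uint64 {
	correct, buggy := buildCorrect(conds), buildBuggy(conds)
	var out [][6]uint64
	for _, p := range probes {
		if correct.Matches(p) != buggy.Matches(p) {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	// Constructed policy: the rule should match only when arg0 == 1 AND arg1 == 2.
	conds := []Condition{{Arg: 0, Op: OpEqual, Value: 1}, {Arg: 1, Op: OpEqual, Value: 2}}
	// Constructed probe vectors covering every combination of the two conditions.
	probes := [][6]uint64{{1, 2}, {1, 0}, {0, 2}, {0, 0}}
	for _, d := range Divergences(conds, probes) {
		fmt.Printf("args %v: intended(AND)=%v got(OR)=%v\n",
			d[:2], buildCorrect(conds).Matches(d), buildBuggy(conds).Matches(d))
	}
}
```

Running it reports the two vectors where only one condition holds: the intended AND filter rejects them, the per-argument OR filter matches them. The same probe-and-compare approach works against a real filter by exporting it and evaluating both constructions on the same inputs, without needing to reason about the generated BPF by hand.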
