Playing with libseccomp
Martin Gräßlin
mgraesslin at kde.org
Thu Feb 23 17:05:39 UTC 2017
Am 2017-02-19 13:17, schrieb Martin Gräßlin:
> But I'm not able to authenticate any more. The seccomp filter gets
> inherited to forked processes and cannot be disabled any more (the
> idea is that you cannot escape the sandbox). KScreenlocker forks+exec
> kcheckpass and that somehow opens a file in write mode for the pam
> interaction.
Some additional findings. kcheckpass fails by just activating seccomp
without any rules at all except allow all. With the help of
/var/log/auth.log I figured out that kcheckpass invokes unix_chkpwd
which is setuid and once seccomp is installed one isn't allowed to gain
more privs by e.g. forking into a setuid binary. So I start to
understand the problem ;-)
Cheers
Martin
More information about the Plasma-devel
mailing list