D5029: Use seccomp for implementing a sandbox for kscreenlocker_greet
Martin Gräßlin
noreply at phabricator.kde.org
Sun Mar 12 16:17:24 UTC 2017
graesslin created this revision.
Restricted Application added a project: Plasma.
Restricted Application added a subscriber: plasma-devel.
REVISION SUMMARY
This change introduces a new optional dependency on libseccomp.
Libseccomp allows forbidding syscalls. With that we can constrain the
user-defined, dynamically loaded QtQuick code from the look'n'feel
package and from the wallpaper package. The idea is to protect against
"malicious" packages the user manually installed.
With the installed seccomp filter we can ensure that the QtQuick code
cannot perform the following operations:
- send the password to the Internet, through forbidding the socket syscall
- use KIO to send the password to the Internet, through forbidding fork+exec
- write the password into a file, through forbidding opening a file in write mode or creating a new file
- send the password to another process, through forbidding pipe/pipe2
So far our QtQuick code was already constrained by disallowing network
access by injecting a QNetworkAccessManager which forbids Internet
access. But this was easy to circumvent through e.g. KIO.
The seccomp filter cannot protect against a malicious process already
running on the system. The obvious way to get out of this sandbox is
DBus. DBus is allowed in the sandbox, thus it is possible for a malicious
look'n'feel package to communicate with a running malicious application
through DBus. To protect DBus we need to implement an additional AppArmor
profile.
The seccomp filter is only installed if the seccomp dependency is
available and kcheckpass is not setuid. This is ensured with a runtime
check. For kscreenlocker_greet the main change is that when seccomp is
enabled the delayed kcheckpass authentication method is used.
TEST PLAN
Manual testing and a new auto test which verifies the
restricted conditions.
BRANCH
seccomp
REVISION DETAIL
https://phabricator.kde.org/D5029
AFFECTED FILES
CMakeLists.txt
cmake/FindSeccomp.cmake
config-kscreenlocker.h.cmake
greeter/CMakeLists.txt
greeter/autotests/CMakeLists.txt
greeter/autotests/seccomp_test.cpp
greeter/greeterapp.cpp
greeter/greeterapp.h
greeter/main.cpp
greeter/seccomp_filter.cpp
greeter/seccomp_filter.h
To: graesslin, #plasma
Cc: plasma-devel, progwolff, lesliezhai, ali-mohamed, jensreuterberg, abetts, sebas, apol