List: kde-panel-devel
Subject: Re: Playing with libseccomp
From: Martin_Gräßlin <mgraesslin () kde ! org>
Date: 2017-02-23 17:05:39
Message-ID: 76d104c2e439ab3b9a6d01cf33a784f0 () kde ! org
On 2017-02-19 13:17, Martin Gräßlin wrote:
> But I'm not able to authenticate any more. The seccomp filter gets
> inherited to forked processes and cannot be disabled any more (the
> idea is that you cannot escape the sandbox). KScreenlocker forks+exec
> kcheckpass and that somehow opens a file in write mode for the pam
> interaction.
Some additional findings. kcheckpass fails by just activating seccomp
without any rules at all except allow all. With the help of
/var/log/auth.log I figured out that kcheckpass invokes unix_chkpwd
which is setuid and once seccomp is installed one isn't allowed to gain
more privs by e.g. forking into a setuid binary. So I start to
understand the problem ;-)
Cheers
Martin
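
The behaviour described in the message above, as an added example that is not part of the original e-mail or of KScreenlocker: an unprivileged process has to set no_new_privs before the kernel accepts a seccomp filter (libseccomp does this by default), and both the flag and the filter are inherited across fork(), even when the filter allows every syscall. The function names are assumptions made for this sketch.

```c
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Runs in a throwaway child: install an allow-all filter, fork again,
 * and report what the grandchild (the kcheckpass position) inherited. */
static void sandboxed_child(void)
{
    struct sock_filter allow_all[] = {
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), /* no rule denies anything */
    };
    struct sock_fprog prog = { .len = 1, .filter = allow_all };
    int status;

    /* Required first step for a process without CAP_SYS_ADMIN. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) _exit(100);
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) _exit(101);

    pid_t pid = fork();
    if (pid < 0) _exit(102);
    if (pid == 0) {
        int nnp = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
        int mode = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
        _exit((nnp == 1 ? 1 : 0) | (mode == SECCOMP_MODE_FILTER ? 2 : 0));
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) _exit(103);
    _exit(WEXITSTATUS(status));
}

/* Bitmask for the grandchild: bit 0 = no_new_privs set,
 * bit 1 = seccomp filter mode active; -1 if the setup failed. */
int inherited_sandbox_state(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) sandboxed_child();
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) >= 100 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    printf("inherited state: %d\n", inherited_sandbox_state());
    return 0;
}
```

With no_new_privs set, execve() of a setuid helper such as unix_chkpwd no longer switches to the file owner's uid, which matches the failure seen in /var/log/auth.log.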