
List:       kde-panel-devel
Subject:    Re: Playing with libseccomp
From:       Martin_Gräßlin <mgraesslin () kde ! org>
Date:       2017-02-23 17:05:39
Message-ID: 76d104c2e439ab3b9a6d01cf33a784f0 () kde ! org

On 2017-02-19 13:17, Martin Gräßlin wrote:
> But I'm not able to authenticate any more. The seccomp filter gets
> inherited to forked processes and cannot be disabled any more (the
> idea is that you cannot escape the sandbox). KScreenlocker forks+exec
> kcheckpass and that somehow opens a file in write mode for the pam
> interaction.

Some additional findings. kcheckpass fails by just activating seccomp 
without any rules at all except allow all. With the help of 
/var/log/auth.log I figured out that kcheckpass invokes unix_chkpwd 
which is setuid and once seccomp is installed one isn't allowed to gain 
more privs by e.g. forking into a setuid binary. So I start to 
understand the problem ;-)

Cheers
Martin
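
Why an allow-all filter is enough to break the setuid helper, as an added example (not part of the original message or of any KDE code): an unprivileged process must set the no_new_privs flag before installing a seccomp filter, which libseccomp does by default, and both the flag and the filter are inherited across fork(). The function names are assumptions of this example, and it uses the raw prctl(2) interface instead of libseccomp so it builds without extra libraries.

```c
/* Added example: no_new_privs and a seccomp filter both survive fork(). */
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exit status of a forked child, or -1 if it did not exit normally. */
static int wait_status(pid_t pid) {
    int st;
    if (pid < 0 || waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

/* Runs in a throwaway process: sandbox itself, then inspect a fork()ed child. */
static int sandbox_then_fork(void) {
    /* Allow-all filter: one BPF instruction returning SECCOMP_RET_ALLOW. */
    struct sock_filter insn[] = { BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW) };
    struct sock_fprog prog = { .len = 1, .filter = insn };

    /* Unprivileged filter installation requires no_new_privs first. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return 64;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return 65;

    pid_t pid = fork();
    if (pid == 0) {
        int flags = 0;
        if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1) flags |= 1;
        if (prctl(PR_GET_SECCOMP, 0, 0, 0, 0) == SECCOMP_MODE_FILTER) flags |= 2;
        _exit(flags);
    }
    return wait_status(pid);
}

/* Returns bit 0 = child has no_new_privs, bit 1 = child is in filter mode.
 * Any value other than 0..3 means the sandbox setup or a fork/wait failed. */
int inherited_sandbox_flags(void) {
    pid_t pid = fork();
    if (pid == 0) _exit(sandbox_then_fork());
    return wait_status(pid);
}

int main(void) {
    return inherited_sandbox_flags() == 3 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

With no_new_privs set, execve(2) ignores set-user-ID bits, so a helper such as unix_chkpwd runs without its elevated privileges.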