[avahi] Patch to add secure computing (seccomp) support to avahi-daemon

[Andrew Griffiths]

Hello,

The attached patch restricts what system calls the main avahi process and chroot helper process can make by utilizing the seccomp kernel feature. This patch uses the libseccomp library to handle creating the rules and restricting the process. Currently, it doesn't exit if the applying the restrictions fail - there may be older kernels which don't have seccomp, or the kernel they're using doesn't enable that feature.

The benefit to using seccomp is that by restricting the system calls the processes are allowed to make reduces the chances of being able to break out of the existing chroot jail mechanism by various means, and reduces the attack surface available if an attacker were to use kernel exploit/s.

It "works-for-me" when running the daemon and interacting it with avahi-browse - if you have any issues with it, I can take a look to see if any other system calls are required to be added. It's currently set to kill the process with SIGSYS - perhaps a bit rude, it might be a better idea to return EPERM with SCMP_ACT_ERRNO(EPERM) at a later date once once everything seems to work fine. That said, "Bad System Call" is a very good indicator of what went wrong.

Seccomp support can be verified by checking the 'Seccomp' flag in /proc/pid/status - if it's activated, it will say

Seccomp:	2

Determining what kernel system calls need to be added can be done by strace'ing the daemon with seccomp enabled, and comparing the the results with seccomp disabled (by --no-seccomp), then adding/modifying the appropriate lines as applicable.

Thanks,
Andrew Griffiths

-------------- next part --------------
A non-text attachment was scrubbed...
Name: avahi_seccomp.diff
Type: text/x-patch
Size: 19070 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/avahi/attachments/20140610/985c062f/attachment.bin>