
The inherent fragility of seccomp()

Posted Nov 15, 2017 0:34 UTC (Wed) by nix (subscriber, #2304)
In reply to: The inherent fragility of seccomp() by wahern
Parent article: The inherent fragility of seccomp()

Which brings up another benefit of pledge over seccomp--pledge doesn't require root privileges to invoke.
Neither does the installation of a seccomp filter, as long as you have done a prctl(PR_SET_NO_NEW_PRIVS, 1) first to ensure that you can't go invoking setuid programs, etc., later on. Heck, it was basically designed for Chromium's renderers, and no way are they run as root except by absolute lunatics :)

(This is how it avoids the old sendmail cap attack: setuid programs or their children can't be fooled into running with an unexpected seccomp filter installed before the setuid took effect, because installation of a filter requires turning permanently off the ability to invoke setuid programs in the process hierarchy that has the filter in force.)
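As an added illustration of the point above (example code written for this page, not from the comment, LWN, or the Chromium sandbox), the program below forks a child that optionally sets PR_SET_NO_NEW_PRIVS, installs a tiny BPF filter that makes getpriority() fail with EPERM, and reports whether the kernel allowed the install. The filter assumes native syscall numbers and omits the seccomp_data.arch check a production filter would include.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Install a filter that fails getpriority() with EPERM and allows every
 * other syscall.  (Example assumes native syscall numbers; a production
 * filter checks seccomp_data.arch first.)  Returns 0 if the filter was
 * installed and is enforced, 100 if installed but not enforced,
 * otherwise the errno reported by the install. */
static int install_deny_getpriority(void)
{
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getpriority, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = 4, .filter = insns };
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return errno;
    errno = 0;
    getpriority(PRIO_PROCESS, 0);   /* must now be rejected by the filter */
    return errno == EPERM ? 0 : 100;
}

/* Run the install in a forked child so the caller is never filtered.
 * With set_no_new_privs == 1 an unprivileged process gets 0; with 0 the
 * kernel returns EACCES unless the process holds CAP_SYS_ADMIN. */
int try_filter(int set_no_new_privs)
{
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) {
        /* no_new_privs is the unprivileged ticket to seccomp filters */
        if (set_no_new_privs && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
            _exit(errno);
        _exit(install_deny_getpriority());
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 101;
}
```

Calling try_filter(1) from an unprivileged process returns 0, while try_filter(0) returns EACCES (13) unless the process is privileged or already has no_new_privs set.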


Copyright © 2025, Eklektix, Inc.