PostgreSQL considers seccomp() filters
PostgreSQL considers seccomp() filters
Posted Oct 1, 2019 20:07 UTC (Tue) by rweikusat2 (subscriber, #117920)In reply to: PostgreSQL considers seccomp() filters by Cyberax
Parent article: PostgreSQL considers seccomp() filters
[*] Execute arbitrary code in the context of a database server process is a pretty devastating "security breach" in its own right. If this happens, the organisation on whose behalf the database server was running is going to get some serious and possibly even very public problems (eg, as in "all our customer information just got published on the internet").
Posted Oct 1, 2019 21:03 UTC (Tue)
by Cyberax (✭ supporter ✭, #52523)
[Link]
> hence, there's no reason to assume that any particular subset of the available system calls is 'safer' than any other subset.
Posted Oct 2, 2019 18:35 UTC (Wed)
by nivedita76 (subscriber, #121790)
[Link] (4 responses)
Posted Oct 2, 2019 21:19 UTC (Wed)
by rweikusat2 (subscriber, #117920)
[Link] (3 responses)
There's some outright paradoxical reasoning in here: seccomp is supposed to defend against the issue that it's conjectured to be impossible to determine if the implementation of a given system call is free of exploitable errors but in order to use seccomp sensibly, ie not in a "fire a shotgun in the dark at hope that some of the projectiles hit something" mode of operation, this very information would need to be known.
The best one could sensibly use this for is to block access to system calls known to be exploitable until a fix becomes available. Or for its original purpose: Run unknown code in a sandbox which is supposed to be prohibited from doing certain things, eg, most file system manipulations.
Posted Oct 2, 2019 22:21 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link] (2 responses)
> There's some outright paradoxical reasoning in here: seccomp is supposed to defend against the issue that it's conjectured to be impossible to determine if the implementation of a given system call is free of exploitable errors
Note the word "probability". This is not prevention, it's mitigation.
History shows that this approach actually works in practice. Even the misguided SELinux has prevented multiple exploitable bugs.
Posted Oct 3, 2019 17:04 UTC (Thu)
by rweikusat2 (subscriber, #117920)
[Link] (1 responses)
Posted Oct 4, 2019 8:43 UTC (Fri)
by cyphar (subscriber, #110703)
[Link]
(As an aside, note that Docker doesn't user user namespaces by default, LXC has been protected against even more exploits. But that's a very different topic.)
Posted Oct 25, 2019 5:42 UTC (Fri)
by ssmith32 (subscriber, #72404)
[Link]
Perhaps, but perhaps not.
Either way, though, the whole point of having people familiar with a particular code base make a list of system calls that they, to the best of their knowledge, is not needed, and are known to give their caller unnecessary privileges, is a way of adding "further information"
And, your assumption now being incorrect, the reasoning based on it should be reworked.
PostgreSQL considers seccomp() filters
Indeed. And that's the main motivator for seccomp filtering, to make sure that as little kernel is exposed to a potential attacker as possible.
Not quite. Objectively some system calls are exercised much less than others. Additionally, some system calls make no sense at all for Postgres (e.g. vm86) and but present a clear threat because they exercise rarely used codepaths and hardware paths.
PostgreSQL considers seccomp() filters
PostgreSQL considers seccomp() filters
PostgreSQL considers seccomp() filters
This is just nonsense. Reducing amount of code exposed to attacker reduces the chances that an exploitable bug will be accessible to them.
You clearly live in a fantasy world. The seccomp sandboxing is designed to prevent access to as much of the attack surface as possible. This automatically makes sure that the probability of an exploit goes down.
PostgreSQL considers seccomp() filters
PostgreSQL considers seccomp() filters
PostgreSQL considers seccomp() filters