dhcpcd-discuss

Re: Please consider a different approach to syscall filtering on Linux

Roy Marples

Fri Oct 30 03:40:33 2020

On 29/10/2020 17:26, shibe@xxxxxxx wrote:
Currently, the syscall whitelist is hardcoded into the program. This can work reliably only if:
1. the program does all syscalls directly, or
2. the program requires certain versions and configurations of all relevant software (like libc and kernel).
The part of dhcpcd to which the syscall filter is applied uses library calls, and thus it can and does fail when libraries (or kernel) are updated or recompiled with different options. It can also fail on some architectures. Please consider making syscall filters configurable or delegating this functionality to external programs. For example, systemd has some syscall filtering functionality.


These are all valid points.
However, if OpenBSD makes pledge more granular or FreeBSD adds more to the global syscall deny list, then it has the same effect, as they are hard-coded also - just outside of dhcpcd.

The Linux case is only more troublesome because libc can implement things in different ways and different CPUs expose different syscalls.

Currently Linux SECCOMP is only enabled if privsep support is compiled into dhcpcd - which is the default. However, if the privsep user is not found OR the privsep user's home directory is NOT a valid directory, then privsep is not used - in effect disabling SECCOMP.

The big problem with Linux, OpenBSD and Solaris is that their poll(2) implementations do not work when setting resource limit RLIMIT_NOFILE to 0.
OpenBSD isn't really a problem as such thanks to pledge(2).
Solaris doesn't work with privsep yet.
For other OS such as NetBSD and DragonFly the resource limiting works, BPF has locked write filtering and all other network transmissions are filtered as RS, DHCP or DHCPv6 packets in the root process. And if you can get there then all filtering is off anyway and you're toast (but this also applies to all OS).

So then it comes down to Linux.

Without syscall filtering an attacker could exploit a bug in dhcpcd and open a socket to anywhere and write to it. It could be argued that because DHCP requires AF_PACKET sockets on Linux to effectively work and these have no write filtering it's a moot point.

So presently there is a compile time option to turn it off.
There is a non-obvious way of turning it off at runtime as well.
I would hope that system packagers would test dhcpcd before blindly committing it for their downstreams to use.

So for the time being at least, I will deny this request.

Thanks

Roy
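
Two of the Linux behaviours Roy describes can be reproduced with the C program below: a syscall allowlist that lists open(2) but not openat(2), which is the syscall current glibc actually issues for open(), and poll(2) failing once RLIMIT_NOFILE has been lowered to 0. This is an added example, not dhcpcd's code and not the allowlist dhcpcd ships; it assumes Linux with glibc and a kernel with seccomp filter mode, and the allowlist contents are constructed for the demonstration. Each probe runs in a forked child so the calling process is never filtered or limited itself, and the filter returns SECCOMP_RET_ERRNO rather than SECCOMP_RET_KILL so the denial shows up as an errno instead of a dead process.

```c
/* Added example (not dhcpcd's code): two Linux behaviours from the thread.
 * Assumes Linux + glibc; the allowlists below are constructed for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <poll.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ALLOWED 16
#define PROBE_SETUP_FAILED 200 /* distinct from any errno the probes expect */

/* Install a seccomp allowlist: listed syscalls pass, anything else fails with ENOSYS.
 * A production filter must also check seccomp_data.arch; omitted here for brevity. */
static int install_allowlist(const int *allowed, size_t n)
{
    struct sock_filter prog[2 + 2 * MAX_ALLOWED];
    size_t insns = 0;

    if (n > MAX_ALLOWED) {
        errno = E2BIG;
        return -1;
    }
    /* A = seccomp_data.nr */
    prog[insns++] = (struct sock_filter){ .code = BPF_LD | BPF_W | BPF_ABS,
                                          .k = offsetof(struct seccomp_data, nr) };
    for (size_t i = 0; i < n; i++) {
        /* if (A == allowed[i]) return ALLOW; else try the next entry */
        prog[insns++] = (struct sock_filter){ .code = BPF_JMP | BPF_JEQ | BPF_K,
                                              .jt = 0, .jf = 1, .k = (unsigned)allowed[i] };
        prog[insns++] = (struct sock_filter){ .code = BPF_RET | BPF_K, .k = SECCOMP_RET_ALLOW };
    }
    prog[insns++] = (struct sock_filter){ .code = BPF_RET | BPF_K,
                                          .k = SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA) };

    struct sock_fprog fprog = { .len = (unsigned short)insns, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Run fn() in a child; return its exit status, or -1 if the child died abnormally. */
static int run_in_child(int (*fn)(void))
{
    int status;
    pid_t pid = fork();

    if (pid == -1)
        return -1;
    if (pid == 0)
        _exit(fn() & 0xff);
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Allowlist written when libc's open() still used open(2): openat(2) is missing,
 * but current glibc implements open() with openat, so the call is denied. */
static int child_legacy_allowlist(void)
{
    const int allowed[] = { SYS_exit_group, SYS_exit,
#ifdef SYS_open
                            SYS_open,
#endif
                          };
    if (install_allowlist(allowed, sizeof allowed / sizeof allowed[0]) == -1)
        return PROBE_SETUP_FAILED;
    return open("/dev/null", O_RDONLY) == -1 ? errno : 0;
}

/* The same allowlist with openat(2) added: open() succeeds. */
static int child_current_allowlist(void)
{
    const int allowed[] = { SYS_exit_group, SYS_exit, SYS_openat,
#ifdef SYS_open
                            SYS_open,
#endif
                          };
    if (install_allowlist(allowed, sizeof allowed / sizeof allowed[0]) == -1)
        return PROBE_SETUP_FAILED;
    return open("/dev/null", O_RDONLY) == -1 ? errno : 0;
}

/* Linux rejects poll() with nfds > RLIMIT_NOFILE (EINVAL), so a limit of 0 breaks
 * polling even of descriptors opened before the limit was lowered. */
static int child_poll_with_nofile_zero(void)
{
    int pipefd[2];
    struct rlimit rl = { 0, 0 };
    struct pollfd p;

    if (pipe(pipefd) == -1 || setrlimit(RLIMIT_NOFILE, &rl) == -1)
        return PROBE_SETUP_FAILED;
    p.fd = pipefd[0];
    p.events = POLLIN;
    return poll(&p, 1, 0) == -1 ? errno : 0;
}

int probe_open_with_legacy_allowlist(void) { return run_in_child(child_legacy_allowlist); }
int probe_open_with_current_allowlist(void) { return run_in_child(child_current_allowlist); }
int probe_poll_with_nofile_zero(void) { return run_in_child(child_poll_with_nofile_zero); }

int main(void)
{
    printf("open() under legacy allowlist : %d (ENOSYS is %d)\n",
           probe_open_with_legacy_allowlist(), ENOSYS);
    printf("open() under current allowlist: %d (0 = success)\n",
           probe_open_with_current_allowlist());
    printf("poll() with RLIMIT_NOFILE=0   : %d (EINVAL is %d)\n",
           probe_poll_with_nofile_zero(), EINVAL);
    return 0;
}
```

The first two probes are the whole of the thread's complaint in miniature: nothing in dhcpcd changed, yet the same allowlist passes or fails depending on which syscall the libc wrapper chose. The third shows why dropping RLIMIT_NOFILE to 0 is not usable as a belt-and-braces measure on Linux, even though it works on NetBSD and DragonFly.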

References:
Please consider a different approach to syscall filtering on Linux (shibe)