1. 30 Aug, 2017 1 commit
      Don't disallow open with write flag syscall on NVIDIA · 2136a38d
      Martin Flöser authored
      Summary:
      The latest NVIDIA driver crashes the greeter due to our seccomp enabled
      sandbox being too restrictive. The driver is now opening files for
      writing after our dummy context got created and this causes a crash. In
      order to provide our users with a working system again we had better
      disable the
      seccomp rule for NVIDIA users for the time being.
      
      To detect whether an NVIDIA driver is used I copied the glplatform from
      KWin, which is known to work and is more reliable than writing new custom
      code even if it's a code copy. For master I'll look into splitting that
      one out from KWin and putting it into a dedicated library so that we can
      link it.
      
      This of course means that the seccomp based sandbox is now incomplete
      for NVIDIA users. An idea is to add an additional apparmor rule in
      master to enforce the write restrictions in a similar way without forcing
      it for /dev.
      
      BUG: 384005
      
      Test Plan: I don't have an NVIDIA
      
      Reviewers: #plasma
      
      Subscribers: plasma-devel
      
      Tags: #plasma
      
      Differential Revision: https://phabricator.kde.org/D7616
  2. 19 Apr, 2017 1 commit
      Use seccomp for implementing a sandbox for kscreenlocker_greet · 5e3c7b33
      Martin Flöser authored
      Summary:
      This change introduces a new optional dependency on libseccomp.
      Libseccomp allows forbidding syscalls. With that we can constrain the
      user-defined dynamically loaded QtQuick code from the look'n'feel
      package and from the wallpaper package. The idea is to protect against
      "malicious" packages the user manually installed.
      
      With the installed seccomp filter we can ensure that the QtQuick code
      cannot perform the following operations:
      * send the password to the Internet, through forbidding the socket syscall
      * use KIO to send the password to the Internet, through forbidding fork+exec
      * write the password into a file, through forbidding opening a file in
        write mode or creating a new file
      * send the password to another process, through forbidding pipe/pipe2
      
      So far our QtQuick code was already constrained by disallowing network
      access through injecting a QNetworkAccessManager which forbids internet
      access. But this was easy to circumvent through e.g. KIO.
      
      The seccomp filter cannot protect against a malicious process already
      running on the system. The obvious way to get out of this sandbox is
      DBus. DBus is allowed in the sandbox, thus it is possible for a malicious
      look'n'feel package to communicate with a running malicious application
      through DBus. To protect DBus we need to implement an additional apparmor
      profile.
      
      The seccomp filter gets only installed if the seccomp dependency is
      available and kcheckpass is not setuid. This is ensured with a runtime
      check. For kscreenlocker_greet the main change is that when seccomp is
      enabled the delayed kcheckpass authentication method is used.
      
      Test Plan:
      Manual testing and a new auto test which verifies the
      restricted conditions.
      
      Reviewers: #plasma
      
      Subscribers: plasma-devel
      
      Tags: #plasma
      
      Differential Revision: https://phabricator.kde.org/D5029
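Added example, not kscreenlocker's or KWin's code, tying the two commits together: a classic-BPF seccomp filter that denies the operations D5029 lists (socket, exec, pipe/pipe2, opening a file for writing or creating one) and a flag that drops the open-for-write rule the way D7616 does for NVIDIA users. The rule table, the WRITE_FLAGS mask, the extra execveat/openat2 entries and the plain `allow_write_open` flag (standing in for KWin's glplatform detection) are this example's assumptions, not what the project shipped. Before the program is handed to the kernel it is evaluated by a small userspace interpreter for the handful of opcodes it uses, so the rules can be unit-tested without sandboxing the test process.

```c
/* seccomp_greeter_filter.c -- added example, not kscreenlocker's own code.
 * Denies socket/exec/pipe and open-for-write like D5029; allow_write_open
 * reproduces the D7616 relaxation. Linux x86_64 or aarch64. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS          /* pre-4.14 kernel headers */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#define MAX_INSNS   64
#define DENY_EPERM  (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))
/* Any of these on open()/openat() lets the caller write or create the file. */
#define WRITE_FLAGS (O_WRONLY | O_RDWR | O_CREAT | O_TRUNC)

struct filter { struct sock_filter insns[MAX_INSNS]; unsigned short len; };

/* Denied outright (assumed rule set). glibc fork() is clone(), which stays
 * allowed because Qt needs it for threads; denying execve/execveat is what
 * actually stops "fork+exec" such as launching a KIO slave. */
static const uint32_t deny_nrs[] = {
    __NR_socket, __NR_execve, __NR_execveat, __NR_pipe2,
#ifdef __NR_pipe
    __NR_pipe,
#endif
#ifdef __NR_fork
    __NR_fork, __NR_vfork,
#endif
#ifdef __NR_creat
    __NR_creat,
#endif
#ifdef __NR_openat2     /* flags sit in a struct, invisible to BPF: deny whole */
    __NR_openat2,
#endif
};
/* Decided by the flags argument: (syscall, index of the flags argument). */
static const struct { uint32_t nr; uint32_t arg; } write_nrs[] = {
#ifdef __NR_open
    { __NR_open, 1 },
#endif
    { __NR_openat, 2 },
};

static void stmt(struct filter *f, uint16_t code, uint32_t k) {
    if (f->len < MAX_INSNS) f->insns[f->len++] = (struct sock_filter){ code, 0, 0, k };
}
static void jump(struct filter *f, uint16_t code, uint32_t k, unsigned jt, unsigned jf) {
    if (f->len < MAX_INSNS)
        f->insns[f->len++] = (struct sock_filter){ code, (uint8_t)jt, (uint8_t)jf, k };
}

/* Builds the program; allow_write_open != 0 omits the open/openat checks. */
static int build_filter(int allow_write_open, struct filter *f) {
    unsigned nd = sizeof deny_nrs / sizeof deny_nrs[0];
    unsigned nw = allow_write_open ? 0 : sizeof write_nrs / sizeof write_nrs[0];
    unsigned total = 4 + nd + 3 * nw + 2;     /* prologue, rules, ALLOW, DENY */
    unsigned allow_at = total - 2, deny_at = total - 1;
    if (total > MAX_INSNS) return -1;
    f->len = 0;
    stmt(f, BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    jump(f, BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0);  /* foreign ABI: kill */
    stmt(f, BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    stmt(f, BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (unsigned i = 0; i < nd; i++)        /* jt/jf count from the next insn */
        jump(f, BPF_JMP | BPF_JEQ | BPF_K, deny_nrs[i], deny_at - (f->len + 1), 0);
    for (unsigned i = 0; i < nw; i++) {
        jump(f, BPF_JMP | BPF_JEQ | BPF_K, write_nrs[i].nr, 0, 2); /* not it: skip */
        stmt(f, BPF_LD | BPF_W | BPF_ABS,                            /* low 32 bits */
             offsetof(struct seccomp_data, args) + 8 * write_nrs[i].arg);
        jump(f, BPF_JMP | BPF_JSET | BPF_K, WRITE_FLAGS,
             deny_at - (f->len + 1), allow_at - (f->len + 1));
    }
    stmt(f, BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    stmt(f, BPF_RET | BPF_K, DENY_EPERM);
    return f->len == total ? 0 : -1;
}

/* Userspace evaluation of the opcodes emitted above: returns the SECCOMP_RET_*
 * action the kernel would take for `d`, so rules can be tested before install. */
static uint32_t run_filter(const struct filter *f, const struct seccomp_data *d) {
    uint32_t A = 0;
    for (unsigned pc = 0; pc < f->len;) {
        const struct sock_filter *in = &f->insns[pc++];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + 4 > sizeof *d) return SECCOMP_RET_KILL_PROCESS;
            memcpy(&A, (const char *)d + in->k, 4); break;
        case BPF_JMP | BPF_JEQ | BPF_K:  pc += (A == in->k) ? in->jt : in->jf; break;
        case BPF_JMP | BPF_JSET | BPF_K: pc += (A & in->k) ? in->jt : in->jf; break;
        case BPF_RET | BPF_K:            return in->k;
        default:                         return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Action for one syscall (args[1], args[2] given) under a freshly built filter. */
static uint32_t decide(int allow_write_open, uint32_t arch, int nr, uint64_t a1, uint64_t a2) {
    struct filter f;
    struct seccomp_data d = { .nr = nr, .arch = arch, .args = { 0, a1, a2 } };
    if (build_filter(allow_write_open, &f) != 0) return SECCOMP_RET_KILL_PROCESS;
    return run_filter(&f, &d);
}

/* NO_NEW_PRIVS is required to install a filter without CAP_SYS_ADMIN and also
 * stops any setuid helper exec'd later from gaining privileges. */
static int install_filter(const struct filter *f) {
    struct sock_fprog prog = { .len = f->len, .filter = (struct sock_filter *)f->insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void) {
    struct filter f;
    if (build_filter(0, &f) != 0 || install_filter(&f) != 0) { perror("seccomp"); return 1; }
    int fd = open("/tmp/greeter-leak.txt", O_WRONLY | O_CREAT, 0600);  /* expect EPERM */
    printf("open(O_WRONLY|O_CREAT) -> %d (%s)\n", fd, fd < 0 ? strerror(errno) : "allowed");
    return 0;
}
```

Returning EPERM rather than killing keeps a misbehaving look'n'feel package from taking the greeter down with it, which is the failure D7616 describes when the NVIDIA driver started opening files for writing. As the commit says, none of this covers D-Bus: the filter only narrows syscalls, and a cooperating process on the bus remains a way out.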