Filter netlink families with seccomp #5116
Labels
enhancement
New feature request
Comments
|
Would make a nice enhancement. FWIW I always try to run apps without netlink via local overrides. Only in very rare cases it is actually needed. So, in other words, besides netlink filtering we could drop netlink from protocol for known 'good' applications too IMO. More of a note for future reference when doing PR's. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
AF_NETLINKexposes a (huge) attack surface for the kernel. See #4013 (comment) and #4020 for previous discussions.cc @kris7t @glitsj16
Describe the solution you'd like
The socket syscall looks like
int socket(int domain, int type, int protocol);. We already filter the first argument (domain) withprotocol unix,inet,inet6,netlink. To minimize the attack surface ofAF_NETLINKwe should filter the third/last argument (protocol) if the first isAF_NETLINK(netlink_socket = socket(AF_NETLINK, socket_type, netlink_family);).Describe alternatives you've considered
N/A
Additional context
N/A
The text was updated successfully, but these errors were encountered: