Filter netlink families with seccomp #5116
Labels: enhancement (new feature request)

Comments
Would make a nice enhancement. FWIW I always try to run apps without netlink via local overrides. Only in very rare cases is it actually needed. So, in other words, besides netlink filtering, we could drop netlink from protocol for known 'good' applications too, IMO. More of a note for future reference when doing PRs.
Is your feature request related to a problem? Please describe.

`AF_NETLINK` exposes a (huge) attack surface for the kernel. See #4013 (comment) and #4020 for previous discussions. cc @kris7t @glitsj16

Describe the solution you'd like

The socket syscall looks like `int socket(int domain, int type, int protocol);`. We already filter the first argument (`domain`) with `protocol unix,inet,inet6,netlink`. To minimize the attack surface of `AF_NETLINK` we should filter the third/last argument (`protocol`) if the first is `AF_NETLINK` (`netlink_socket = socket(AF_NETLINK, socket_type, netlink_family);`).

Describe alternatives you've considered

N/A

Additional context

N/A
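The check proposed above, expressed as a raw seccomp-BPF program, as an added example that is not part of the issue and not Firejail's own code: the filter keeps the existing domain allow-list (unix, inet, inet6, netlink) and, only when the domain is `AF_NETLINK`, compares the third argument against a family allow-list. Everything here is assumed for illustration: the function names `build_socket_filter()`, `run_filter()`, `policy_decision()` and `install_filter()`, an x86_64 or aarch64 little-endian Linux host, and a family allow-list containing only `NETLINK_ROUTE` (what most desktop apps need for interface enumeration), which is not a Firejail default. A small cBPF interpreter evaluates the program offline against constructed `seccomp_data` records so the policy can be checked without installing it.

```c
/* Added example, not Firejail's code: a seccomp-BPF filter for socket(2) that allow-lists the
 * domain (unix, inet, inet6, netlink) and, for AF_NETLINK, also the netlink family in the third
 * argument. A tiny cBPF interpreter checks the program offline against constructed seccomp_data
 * records; install_filter() loads it for real. Assumes x86_64/aarch64 Linux (little-endian) and
 * a NETLINK_ROUTE-only family allow-list, an illustrative choice, not a Firejail default. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/netlink.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define SD_OFF(f)      ((uint32_t)offsetof(struct seccomp_data, f))   /* low 32 bits of a field (LE) */
#define RET_EPERM      (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))
#define I_LD(off)      ((struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (off)))
#define I_JEQ(val, jt) ((struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (val), (uint8_t)(jt), 0))
#define I_RET(val)     ((struct sock_filter)BPF_STMT(BPF_RET | BPF_K, (val)))

/* Emit the program into prog[]; returns its length, or -1 if it does not fit. */
int build_socket_filter(uint32_t arch, const uint32_t *domains, unsigned ndom,
                        const uint32_t *families, unsigned nfam, struct sock_filter *prog, unsigned cap)
{
    unsigned n = 12 + ndom + nfam, k = 0, i;      /* fixed part + one JEQ per list entry */
    if (n > cap || n > 255) return -1;             /* cBPF jump offsets are 8-bit */
    unsigned allow = n - 1, nl = 9 + ndom;         /* shared "ret ALLOW"; start of family check */
    prog[k++] = I_LD(SD_OFF(arch));
    prog[k++] = I_JEQ(arch, 1);                    /* wrong ABI: fall through and kill */
    prog[k++] = I_RET(SECCOMP_RET_KILL_PROCESS);
    prog[k++] = I_LD(SD_OFF(nr));
    prog[k++] = I_JEQ(__NR_socket, 1);
    prog[k++] = I_RET(SECCOMP_RET_ALLOW);          /* every other syscall: allow */
    prog[k++] = I_LD(SD_OFF(args[0]));             /* domain */
    prog[k] = I_JEQ(AF_NETLINK, nl - (k + 1)); k++; /* netlink: jump to the family check */
    for (i = 0; i < ndom; i++, k++)                /* other domains: allow if listed */
        prog[k] = I_JEQ(domains[i], allow - (k + 1));
    prog[k++] = I_RET(RET_EPERM);
    prog[k++] = I_LD(SD_OFF(args[2]));             /* netlink_family */
    for (i = 0; i < nfam; i++, k++)
        prog[k] = I_JEQ(families[i], allow - (k + 1));
    prog[k++] = I_RET(RET_EPERM);                  /* unlisted family: EPERM rather than SIGSYS */
    prog[k++] = I_RET(SECCOMP_RET_ALLOW);
    return (int)k;
}

uint32_t run_filter(const struct sock_filter *prog, int len, const struct seccomp_data *sd)
{   /* minimal cBPF interpreter for the three opcodes emitted above: the SECCOMP_RET_* value for sd */
    const unsigned char *raw = (const unsigned char *)sd;
    uint32_t acc = 0;
    for (int pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS)) memcpy(&acc, raw + in->k, sizeof acc);
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += (acc == in->k) ? in->jt : in->jf;
        else if (in->code == (BPF_RET | BPF_K)) return in->k;
        else break;                                /* an opcode we never emit */
    }
    return SECCOMP_RET_KILL_PROCESS;               /* the kernel rejects programs that fall off the end */
}

static const uint32_t policy_domains[] = { AF_UNIX, AF_INET, AF_INET6 };
static const uint32_t policy_families[] = { NETLINK_ROUTE };   /* assumed allow-list */
static struct sock_filter policy_prog[64]; static int policy_len;

int policy_build(void)
{
    policy_len = build_socket_filter(NATIVE_ARCH, policy_domains, 3, policy_families, 1, policy_prog, 64);
    return policy_len;
}

uint32_t policy_decision(uint32_t arch, int nr, uint64_t domain, uint64_t protocol)
{   /* what the policy decides for syscall nr called with (domain, SOCK_RAW, protocol) */
    struct seccomp_data sd = { .nr = nr, .arch = arch, .args = { domain, SOCK_RAW, protocol } };
    return policy_build() < 0 ? SECCOMP_RET_KILL_PROCESS : run_filter(policy_prog, policy_len, &sd);
}

int install_filter(void)
{   /* load the policy into the calling thread; NO_NEW_PRIVS is required without CAP_SYS_ADMIN */
    if (policy_build() < 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -1;
    struct sock_fprog fprog = { .len = (unsigned short)policy_len, .filter = policy_prog };
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    printf("%d insns; ROUTE=%#x AUDIT=%#x (ALLOW=%#x)\n", policy_build(),
           policy_decision(NATIVE_ARCH, __NR_socket, AF_NETLINK, NETLINK_ROUTE),
           policy_decision(NATIVE_ARCH, __NR_socket, AF_NETLINK, NETLINK_AUDIT), SECCOMP_RET_ALLOW);
    return 0;
}
```

Two design points worth keeping if this is ported into a real sandbox: the arch check at the top is what stops a 32-bit compat caller from reaching the `socket` number of another ABI, and returning `ERRNO(EPERM)` instead of `KILL` for an unlisted family lets applications that merely probe for, say, `NETLINK_KOBJECT_UEVENT` keep running while the kernel code behind that family stays unreachable. The filter compares the low 32 bits of each argument, which is also what the kernel reads for the `int` parameters of `socket(2)`; `install_filter()` should be called right before `exec` in the launcher, after all other setup that itself needs netlink has finished.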