seccomp policy kills child on OpenSSL call
Task Info (Flyspray) | |
---|---|
Opened By | Kamil Lorenc (r4pt0r) |
Task ID | 67165 |
Type | Bug Report |
Project | Community Packages |
Category | Packages |
Version | None |
OS | All |
Opened | 2020-07-01 13:29:42 UTC |
Status | Assigned |
Assignee | Levente Polyak (anthraxx) |
Details
Description: When opening new encrypted connection, forked vsftpd is killed and following message is sent through socket: 500 OOPS: child died
vsftpd defines list of allowed syscalls. Calling syscall outside the list causes SIGSYS signal, which kills the process that gets the signal. It seems that lately OpenSSL started to use getrandom syscall during initialization of it random number generator. Solution is to patch vsftpd with addition of this syscall to whitelist. This can be done with following patch:
--- a/seccompsandbox.c 2020-07-01 12:42:02.286972777 +0200
+++ b/seccompsandbox.c 2020-07-01 12:42:34.671677119 +0200
@@ -335,6 +335,7 @@
allow_nr(__NR_nanosleep); /* Used for bandwidth / login throttling. */
allow_nr(__NR_getpid); /* Used by logging. */
allow_nr(__NR_shutdown); /* Used for QUIT or a timeout. */
+ allow_nr(__NR_getrandom); /* Used by OpenSSL in SSL_accept. */
allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL);
/* It's safe to allow O_RDWR in fcntl because these flags cannot be changed.
* Also, sockets are O_RDWR.
Additional info:
-
vsftpd version 3.0.3-6
-
vsftpd.conf: ssl_enable=YES force_local_data_ssl=YES force_local_logins_ssl=YES local_enable=YES
-
OpenSSL version 1.1.1.g-1
Steps to reproduce: Generate certificate as described on Arch Wiki, start vsftpd from root command line and attempt connecting with e.g. FileZilla.