oss-sec mailing list archives
Re: Re: Dirty Frag: Universal Linux LPE
From: "Emily Shepherd" <emily () redcoat dev>
Date: Fri, 08 May 2026 20:02:48 +0100
On Fri May 8, 2026 at 6:50 PM BST, Greg Dahlman wrote:
PF/AF 1,2,10,16,17 are the ones that most people would use, with AF_VSOCK(40) as an exception that may be too noisy to log, along with bluetooth on desktops etc... IMHO, longer term, a bounding set in a text file in /etc of PF/AF families that can be used on a system is the more maintainable and robust solution in the end. socket() is just too tempting of an interface, with no real security boundaries unless it is device/file mediated. It should be blockable at the system level by PF/AF no matter if it is loading a module or is compiled in at the system level IMHO.
FYI it is possible to block socket calls by AF/PF with seccomp.
If using the OCI schema for seccomp definitions, blocking calls to
socket and socketpair with AF_ALG looks like [1]:
```
{
    "names": ["socket", "socketpair"],
    "action": "SCMP_ACT_ERRNO",
    "errnoRet": 97,
    "args": [
        {
            "index": 0,
            "value": 38,
            "op": "SCMP_CMP_EQ"
        }
    ]
}
```
[1]: https://github.com/moby/profiles/issues/19
Emily
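Reading the OCI rule above as the raw seccomp BPF it compiles to makes the matching explicit. The following C program is an added example and is not part of Emily's post or of the moby profile linked in [1]: it installs an equivalent filter with prctl(2), then probes socket() and socketpair() to show that AF_ALG (value 38) now fails with EAFNOSUPPORT (errno 97, the errnoRet in the rule) while AF_UNIX still works. It assumes an x86_64 or aarch64 kernel with seccomp filter mode; the function names are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef AF_ALG
#define AF_ALG 38               /* the "value": 38 in the OCI rule */
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL   /* pre-4.14 headers */
#endif

/* Assumption: built for and run on x86_64 or aarch64. */
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define SC_ARCH offsetof(struct seccomp_data, arch)
#define SC_NR   offsetof(struct seccomp_data, nr)
/* socket()'s family argument is an int, so only the low 32 bits of the
 * 64-bit args[0] slot are meaningful; comparing the full register would
 * let caller-left garbage in the upper half slip past the rule. */
#define SC_ARG0_LO offsetof(struct seccomp_data, args[0])

/* Raw equivalent of the OCI rule: socket()/socketpair() with
 * arg0 == AF_ALG fail with errno 97 (EAFNOSUPPORT); all else is allowed. */
static struct sock_filter af_alg_filter[] = {
    /* 0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_ARCH),
    /* 1 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    /* 2 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS), /* foreign ABI */
    /* 3 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_NR),
    /* 4 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 1, 0),
    /* 5 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socketpair, 0, 3), /* other syscall: 9 */
    /* 6 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_ARG0_LO),
    /* 7 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_ALG, 0, 1),          /* not AF_ALG: 9 */
    /* 8 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EAFNOSUPPORT & SECCOMP_RET_DATA)),
    /* 9 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Installs the filter in the calling process (inherited by its children).
 * Returns 0 on success, -1 with errno set otherwise. */
int install_af_alg_filter(void)
{
    struct sock_fprog prog = {
        .len = sizeof(af_alg_filter) / sizeof(af_alg_filter[0]),
        .filter = af_alg_filter,
    };
    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Returns 0 if socket(family, type, 0) succeeds, otherwise the errno it set. */
int probe_socket(int family, int type)
{
    int fd = socket(family, type, 0);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Same check for socketpair(), the second name in the OCI rule. */
int probe_socketpair(int family, int type)
{
    int sv[2];
    if (socketpair(family, type, 0, sv) < 0)
        return errno;
    close(sv[0]);
    close(sv[1]);
    return 0;
}

int main(void)
{
    if (install_af_alg_filter() != 0) {
        perror("seccomp filter");
        return 1;
    }
    printf("socket(AF_ALG):      %s\n", strerror(probe_socket(AF_ALG, SOCK_SEQPACKET)));
    printf("socketpair(AF_ALG):  %s\n", strerror(probe_socketpair(AF_ALG, SOCK_SEQPACKET)));
    printf("socket(AF_UNIX):     %s\n", strerror(probe_socket(AF_UNIX, SOCK_STREAM)));
    return 0;
}
```

Build with `cc -o af_alg_seccomp af_alg_seccomp.c` and run it unprivileged. Two points worth keeping in mind when translating a rule like this by hand: compare only the low 32 bits of an int-sized argument (libseccomp's 32-bit argument comparisons do this for you), and remember that a seccomp filter covers one process tree, which is why it is a per-workload answer rather than the system-wide bounding set of families Greg describes above.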
Current thread:
- Dirty Frag: Universal Linux LPE Hyunwoo Kim (May 07)
- Re: Dirty Frag: Universal Linux LPE Sandipan Roy (May 07)
- Re: Dirty Frag: Universal Linux LPE Greg KH (May 08)
- Re: Dirty Frag: Universal Linux LPE Greg KH (May 08)
- Re: Dirty Frag: Universal Linux LPE Greg KH (May 08)
- Re: Dirty Frag: Universal Linux LPE Bernhard R. Link (May 08)
- <Possible follow-ups>
- Re: Dirty Frag: Universal Linux LPE Daniel Tang (May 07)
- Re: Re: Dirty Frag: Universal Linux LPE Kalin KOZHUHAROV (May 08)
- Re: Re: Dirty Frag: Universal Linux LPE Greg Dahlman (May 08)
- Re: Re: Dirty Frag: Universal Linux LPE Emily Shepherd (May 08)
- Re: Re: Dirty Frag: Universal Linux LPE Kalin KOZHUHAROV (May 08)
- Re: Dirty Frag: Universal Linux LPE Sandipan Roy (May 07)
