graesslin created this revision.
Restricted Application added a project: Plasma.
Restricted Application added a subscriber: plasma-devel.
REVISION SUMMARY

This change introduces a new optional dependency on libseccomp. Libseccomp allows forbidding syscalls. With that we can constrain the user-defined, dynamically loaded QtQuick code from the look'n'feel package and from the wallpaper package. The idea is to protect against "malicious" packages the user manually installed.

With the installed seccomp filter we can ensure that the QtQuick code cannot perform the following operations:

- send the password to the Internet, through forbidding the socket syscall
- use KIO to send the password to the Internet, through forbidding fork+exec
- write the password into a file, through forbidding opening a file in write mode or creating a new file
- send the password to another process, through forbidding pipe/pipe2

So far, our QtQuick code was already constrained by disallowing network access through injecting a QNetworkAccessManager which forbids Internet access. But this was easy to circumvent through e.g. KIO.

The seccomp filter cannot protect against a malicious process already running on the system. The obvious way to get out of this sandbox is DBus. DBus is allowed in the sandbox, thus it is possible for a malicious look'n'feel package to communicate with a running malicious application through DBus. To protect DBus we need to implement an additional AppArmor profile.

The seccomp filter only gets installed if the seccomp dependency is available and kcheckpass is not setuid. This is ensured with a runtime check.

For kscreenlocker_greet the main change is that, when seccomp is enabled, the delayed kcheckpass authentication method is used.

TEST PLAN

Manual testing and a new auto test which verifies the restricted conditions.
BRANCH
seccomp

REVISION DETAIL
https://phabricator.kde.org/D5029

AFFECTED FILES
CMakeLists.txt
cmake/FindSeccomp.cmake
config-kscreenlocker.h.cmake
greeter/CMakeLists.txt
greeter/autotests/CMakeLists.txt
greeter/autotests/seccomp_test.cpp
greeter/greeterapp.cpp
greeter/greeterapp.h
greeter/main.cpp
greeter/seccomp_filter.cpp
greeter/seccomp_filter.h

To: graesslin, #plasma
Cc: plasma-devel, progwolff, lesliezhai, ali-mohamed, jensreuterberg, abetts, sebas, apol
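The policy the summary describes (no socket, no fork+exec, no pipe/pipe2, no opening files for writing or creating), worked through as an added example that is not code from D5029: the revision's own greeter/seccomp_filter.cpp uses libseccomp, whereas this version expresses the same rules as a raw seccomp-BPF program so it needs no library, and it assumes x86_64 Linux with kernel headers that define clone3 and openat2. The probe helpers are this example's own; they install the filter in a forked child so the parent stays unconstrained and report which calls the kernel then refuses.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#define LD(field)       BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, field))
#define RET(verdict)    BPF_STMT(BPF_RET | BPF_K, (verdict))
#define JEQ(k, jt, jf)  BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (k), (jt), (jf))
/* Two instructions: if the syscall number equals nr, fall through to "fail with EPERM", else skip it. */
#define DENY(nr) JEQ(nr, 0, 1), RET(SECCOMP_RET_ERRNO | EPERM)
/* Six instructions: deny an open-family call only if its flags ask for write/create access; the final LD(nr) puts the syscall number back for the checks that follow. */
#define DENY_OPEN_W(sysno, argidx) JEQ(sysno, 0, 4), LD(args[argidx]), \
    BPF_STMT(BPF_ALU | BPF_AND | BPF_K, O_WRONLY | O_RDWR | O_CREAT | O_TRUNC | O_APPEND), \
    JEQ(0, 1, 0), RET(SECCOMP_RET_ERRNO | EPERM), LD(nr)
/* Installs the filter in the calling process; PR_SET_NO_NEW_PRIVS is what lets an unprivileged process do that. */
static int install_filter(void) {
    struct sock_filter f[] = {
        LD(arch), JEQ(AUDIT_ARCH_X86_64, 1, 0), RET(SECCOMP_RET_KILL),                        /* foreign ABI: kill */
        LD(nr), BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000, 0, 1), RET(SECCOMP_RET_KILL), /* x32 numbers: kill */
        DENY(__NR_socket), DENY(__NR_fork), DENY(__NR_vfork), DENY(__NR_clone), DENY(__NR_clone3),
        DENY(__NR_execve), DENY(__NR_execveat), DENY(__NR_pipe), DENY(__NR_pipe2), DENY(__NR_creat),
        DENY(__NR_openat2),   /* its flags live in a struct the filter cannot read, so deny it outright */
        DENY_OPEN_W(__NR_open, 1), DENY_OPEN_W(__NR_openat, 2), RET(SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Probes: each attempts one operation the policy above talks about; -1 with errno set on failure. */
static int try_socket(void)     { return socket(AF_INET, SOCK_STREAM, 0); }
static int try_fork(void)       { return fork(); }
static int try_pipe(void)       { int fds[2]; return pipe(fds); }
static int try_open_write(void) { return open("/dev/null", O_WRONLY); }
static int try_open_read(void)  { return open("/dev/null", O_RDONLY); }
/* Runs one probe in a child with the filter installed; returns the child's errno (0 = allowed, -1 = harness failure). */
int probe_in_sandbox(int (*probe)(void)) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid > 0) return (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) ? -1 : WEXITSTATUS(status);
    if (install_filter() != 0) _exit(254);   /* distinguishable from EPERM in the caller */
    _exit(probe() < 0 ? errno : 0);
}
```

Everything not on the deny list stays allowed, so a filter of this shape has to be revisited as the kernel grows new syscalls: clone3 and openat2 did not exist when D5029 was written, and without them fork+exec and file creation would have been reachable again.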