Tags: c, linux, seccomp

Why does ping stop working for a normal user after a seccomp filter is loaded?


I use seccomp to record the syscalls 'ping' uses. When I run it, it always reports

socket: Operation not permitted.

I can run ping in bash just fine, but it does not work after loading the seccomp filter in my program.

But if I run the same program as root, it runs fine.

This is running on Ubuntu 18.04 with the 4.15.0-54-generic kernel.

I have tried running the program as the root user and then, in the child process, calling setuid(1000) to switch to a normal user, and it still does not work.

If I do not use fork, it still reports "not permitted".

If I change the seccomp default action to SCMP_ACT_ALLOW, it still does not work either.

Here is a simple C program.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <seccomp.h>
#include <sys/types.h>
#include <sys/resource.h>
#include <sys/wait.h>

void child() {
        /* drop to a normal user before loading the filter */
        if (setuid(1000) != 0) {
                perror("setuid");
                exit(1);
        }
        scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_LOG);
        if (ctx == NULL) {
                printf("SCMP INIT ERR!\n");
                exit(1);
        }
        if (seccomp_load(ctx) != 0) {
                printf("SCMP LOAD ERR!\n");
        }
        seccomp_release(ctx);   /* the loaded filter stays in force */
        execl("/bin/ping", "ping", "-c", "1", "172.16.1.1", NULL);
        /* only reached if exec fails */
        perror("EXEC FAIL");
        exit(1);
}

int main() {
        int p = fork();
        if (p < 0) {
                perror("Fork ERROR!");
                exit(1);
        }
        if (p == 0) {
                child();
        } else {
                struct rusage usage;
                int status;
                /* WUNTRACED: also return if the child is stopped */
                if (wait4(p, &status, WUNTRACED, &usage) == -1) {
                        kill(p, SIGKILL);
                }
        }
        return 0;
}

I use gcc main.c -o main.out -lseccomp to compile it.

English is not my first Language, I'm sorry about my grammar.


Solution

  • ping only works as root. Normally it runs as root because it has the setuid bit set in its file permissions:

    -rwsr-xr-x 1 root root 44168 May  8  2014 /bin/ping
       ^         ^^^^
       |
    this 's' is called 'setuid' and means it wants to run as the user which owns it, which is root
    

    You cannot use seccomp unless you are root, or you set the no_new_privs flag. You are not using seccomp directly, but through a library. It appears the library is setting the flag for you.

    The no_new_privs flag means that you cannot run setuid programs. Well, you can run them, but they won't be setuid. They'll run as your user, which doesn't have permission to send special packets the way ping requires. So ping fails because it doesn't have permission to ping.
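An added example (not code from the question, the answer or libseccomp) that reproduces, with raw prctl() calls instead of the library, the two steps seccomp_load() performs for a caller without CAP_SYS_ADMIN: set no_new_privs, then install the filter. It assumes Linux with seccomp filter mode (kernel 3.5 or later); the filter installed allows every syscall, so the only observable effect is the flag, which can be read before and after.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Current no_new_privs flag of this process: 0 or 1, or -1 on error. */
int get_no_new_privs(void) {
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* What seccomp_load() does for a caller without CAP_SYS_ADMIN: set
 * no_new_privs, then install the filter. Without the flag the kernel
 * rejects the filter with EACCES. This filter allows every syscall, so
 * the only observable effect is the flag. Returns 0 or -1. */
int load_allow_all_filter(void) {
    struct sock_filter insns[] = {
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = 1, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Loads the filter in a forked child (the caller stays untouched) and
 * returns the child's no_new_privs value afterwards: 1 on success,
 * -1 if fork, load or wait failed. */
int check_in_child(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (load_allow_all_filter() != 0) _exit(100);
        _exit(get_no_new_privs() == 1 ? 1 : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 100 ? -1 : WEXITSTATUS(status);
}

int main(void) {
    printf("no_new_privs before load: %d\n", get_no_new_privs());
    if (load_allow_all_filter() != 0) { perror("seccomp"); return 1; }
    printf("no_new_privs after load:  %d\n", get_no_new_privs());
    /* Any execve() from here on, e.g. of setuid-root /bin/ping, runs the
     * program with this process's uid: the setuid bit is ignored. */
    return 0;
}
```

Only a caller that already holds CAP_SYS_ADMIN can install a filter without first setting the flag; with libseccomp that is controlled by the SCMP_FLTATR_CTL_NNP filter attribute.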