Initialize intercept_allow_setid to true if we use ptrace(2) and seccomp(2).

docs/sudoers.man.in

@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.TH "SUDOERS" "@mansectform@" "April 28, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "@mansectform@" "May 4, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -3314,8 +3314,11 @@ flag is enabled or the
 \fIINTERCEPT\fR
 tag has been set for the command.
 This flag is
-\fIon\fR
-by default.
+\fIoff\fR
+by default except on Linux systems that support
+seccomp(2)
+filtering, where it defaults to
+\fIon\fR.
 .sp
 This setting is only supported by version 1.9.8 or higher.
 .TP 18n

docs/sudoers.mdoc.in

@@ -24,7 +24,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.Dd April 28, 2022
+.Dd May 4, 2022
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -3130,8 +3130,11 @@ flag is enabled or the
 .Em INTERCEPT
 tag has been set for the command.
 This flag is
-.Em on
-by default.
+.Em off
+by default except on Linux systems that support
+.Xr seccomp 2
+filtering, where it defaults to
+.Em on .
 .Pp
 This setting is only supported by version 1.9.8 or higher.
 .It intercept_authenticate

plugins/sudoers/defaults.c

@@ -548,6 +548,8 @@ init_defaults(void)
 #endif
     if ((def_rlimit_core = strdup("0,0")) == NULL)
 	goto oom;
+    if (ISSET(sudo_user.flags, CAN_INTERCEPT_SETID))
+	def_intercept_allow_setid = true;
     def_netgroup_tuple = false;
     def_sudoedit_checkdir = true;
     def_iolog_mode = S_IRUSR|S_IWUSR;

plugins/sudoers/policy.c

@@ -297,6 +297,12 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
 		goto oom;
 	    continue;
 	}
+	if (MATCHES(*cur, "intercept_setid=")) {
+	    if (parse_bool(*cur, sizeof("intercept_setid") - 1,
+		&sudo_user.flags, CAN_INTERCEPT_SETID) == -1)
+		goto bad;
+	    continue;
+	}
 #ifdef HAVE_SELINUX
 	if (MATCHES(*cur, "selinux_role=")) {
 	    CHECK(*cur, "selinux_role=");

plugins/sudoers/sudoers.h

@@ -145,6 +145,7 @@ struct sudo_user {
  */
 #define RUNAS_USER_SPECIFIED	0x01
 #define RUNAS_GROUP_SPECIFIED	0x02
+#define CAN_INTERCEPT_SETID	0x04
 
 /*
  * Return values for sudoers_lookup(), also used as arguments for log_auth()

src/exec_nopty.c

@@ -378,10 +378,7 @@ exec_nopty(struct command_details *details, struct command_status *cstat)
 	sudo_fatal("%s", U_("unable to create pipe"));
 
     if (ISSET(details->flags, CD_INTERCEPT|CD_LOG_SUBCMDS)) {
-	if (have_seccomp_action("trap")) {
-	    /* Kernel supports the seccomp(2) filter "trap" action. */
-	    SET(details->flags, CD_USE_PTRACE);
-	} else {
+	if (!ISSET(details->flags, CD_USE_PTRACE)) {
 	    /*
 	     * Allocate a socketpair for communicating with sudo_intercept.so.
 	     * This must be inherited across exec, hence no FD_CLOEXEC.

src/exec_pty.c

@@ -1427,10 +1427,7 @@ exec_pty(struct command_details *details, struct command_status *cstat)
 	sudo_fatal("%s", U_("unable to create sockets"));
 
     if (ISSET(details->flags, CD_INTERCEPT|CD_LOG_SUBCMDS)) {
-	if (have_seccomp_action("trap")) {
-	    /* Kernel supports the seccomp(2) filter "trap" action. */
-	    SET(details->flags, CD_USE_PTRACE);
-	} else {
+	if (!ISSET(details->flags, CD_USE_PTRACE)) {
 	    /*
 	     * Allocate a socketpair for communicating with sudo_intercept.so.
 	     * This must be inherited across exec, hence no FD_CLOEXEC.

src/parse_args.c

@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 1993-1996, 1998-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 1993-1996, 1998-2022 Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -52,61 +52,36 @@ static void usage_excl(void) __attribute__((__noreturn__));
 
 /*
  * Mapping of command line flags to name/value settings.
+ * Do not reorder, indexes must match ARG_ defines in sudo.h.
  */
 static struct sudo_settings sudo_settings[] = {
-#define ARG_BSDAUTH_TYPE 0
     { "bsdauth_type" },
-#define ARG_LOGIN_CLASS 1
     { "login_class" },
-#define ARG_PRESERVE_ENVIRONMENT 2
     { "preserve_environment" },
-#define ARG_RUNAS_GROUP 3
     { "runas_group" },
-#define ARG_SET_HOME 4
     { "set_home" },
-#define ARG_USER_SHELL 5
     { "run_shell" },
-#define ARG_LOGIN_SHELL 6
     { "login_shell" },
-#define ARG_IGNORE_TICKET 7
     { "ignore_ticket" },
-#define ARG_PROMPT 8
     { "prompt" },
-#define ARG_SELINUX_ROLE 9
     { "selinux_role" },
-#define ARG_SELINUX_TYPE 10
     { "selinux_type" },
-#define ARG_RUNAS_USER 11
     { "runas_user" },
-#define ARG_PROGNAME 12
     { "progname" },
-#define ARG_IMPLIED_SHELL 13
     { "implied_shell" },
-#define ARG_PRESERVE_GROUPS 14
     { "preserve_groups" },
-#define ARG_NONINTERACTIVE 15
     { "noninteractive" },
-#define ARG_SUDOEDIT 16
     { "sudoedit" },
-#define ARG_CLOSEFROM 17
     { "closefrom" },
-#define ARG_NET_ADDRS 18
     { "network_addrs" },
-#define ARG_MAX_GROUPS 19
     { "max_groups" },
-#define ARG_PLUGIN_DIR 20
     { "plugin_dir" },
-#define ARG_REMOTE_HOST 21
     { "remote_host" },
-#define ARG_TIMEOUT 22
     { "timeout" },
-#define ARG_CHROOT 23
     { "cmnd_chroot" },
-#define ARG_CWD 24
     { "cmnd_cwd" },
-#define ARG_ASKPASS 25
     { "askpass" },
-#define NUM_SETTINGS 26
+    { "intercept_setid" },
     { NULL }
 };
 
@@ -610,6 +585,8 @@ parse_args(int argc, char **argv, int *old_optind, int *nargc, char ***nargv,
 #ifdef ENABLE_SUDO_PLUGIN_API
     sudo_settings[ARG_PLUGIN_DIR].value = sudo_conf_plugin_dir_path();
 #endif
+    if (have_seccomp_action("trap"))
+	sudo_settings[ARG_INTERCEPT_SETID].value = "true";
 
     if (mode == MODE_HELP)
 	help();

src/sudo.c

@@ -863,6 +863,12 @@ command_info_to_details(char * const info[], struct command_details *details)
 	}
     }
 
+    if (ISSET(details->flags, CD_INTERCEPT|CD_LOG_SUBCMDS)) {
+	/* Use ptrace(2) for intercept/log_subcmds if possible. */
+	if (sudo_settings[ARG_INTERCEPT_SETID].value != NULL)
+	    SET(details->flags, CD_USE_PTRACE);
+    }
+
     if (!ISSET(details->flags, CD_SET_EUID))
 	details->cred.euid = details->cred.uid;
     if (!ISSET(details->flags, CD_SET_EGID))

src/sudo.h

@@ -75,6 +75,35 @@
 #define MODE_NONINTERACTIVE	0x00800000
 #define MODE_LONG_LIST		0x01000000
 
+/* Indexes into sudo_settings[] args, must match parse_args.c. */
+#define ARG_BSDAUTH_TYPE	 0
+#define ARG_LOGIN_CLASS		 1
+#define ARG_PRESERVE_ENVIRONMENT 2
+#define ARG_RUNAS_GROUP		 3
+#define ARG_SET_HOME		 4
+#define ARG_USER_SHELL		 5
+#define ARG_LOGIN_SHELL		 6
+#define ARG_IGNORE_TICKET	 7
+#define ARG_PROMPT		 8
+#define ARG_SELINUX_ROLE	 9
+#define ARG_SELINUX_TYPE	10
+#define ARG_RUNAS_USER		11
+#define ARG_PROGNAME		12
+#define ARG_IMPLIED_SHELL	13
+#define ARG_PRESERVE_GROUPS	14
+#define ARG_NONINTERACTIVE	15
+#define ARG_SUDOEDIT		16
+#define ARG_CLOSEFROM		17
+#define ARG_NET_ADDRS		18
+#define ARG_MAX_GROUPS		19
+#define ARG_PLUGIN_DIR		20
+#define ARG_REMOTE_HOST		21
+#define ARG_TIMEOUT		22
+#define ARG_CHROOT		23
+#define ARG_CWD			24
+#define ARG_ASKPASS		25
+#define ARG_INTERCEPT_SETID	26
+
 /*
  * Flags for tgetpass()
  */
@@ -308,4 +337,7 @@ void unlimit_sudo(void);
 int serialize_rlimits(char **info, size_t info_max);
 bool parse_policy_rlimit(const char *str);
 
+/* exec_ptrace.c */
+bool have_seccomp_action(const char *action);
+
 #endif /* SUDO_SUDO_H */

src/sudo_exec.h

@@ -146,7 +146,6 @@ char **sudo_preload_dso(char *envp[], const char *dso_file, int intercept_fd);
 
 /* exec_ptrace.c */
 bool exec_ptrace_handled(pid_t pid, int status, void *intercept);
-bool have_seccomp_action(const char *action);
 bool set_exec_filter(void);
 int exec_ptrace_seize(pid_t child);