From: Kees Cook
Date: Thu, 24 Mar 2016 09:24:06 -0700
Subject: [kernel-hardening] Re: [RFC v1 00/17] seccomp-object: From attack surface reduction to sandboxing
To: Mickaël Salaün
Cc: linux-security-module, Andreas Gruenbacher, Andy Lutomirski, Arnd Bergmann, Casey Schaufler, Daniel Borkmann, David Drysdale, Eric Paris, James Morris, Jeff Dike, Julien Tinnes, Michael Kerrisk, Paul Moore, Richard Weinberger, Serge E. Hallyn, Stephen Smalley, Tetsuo Handa, Will Drewry, Linux API, kernel-hardening@lists.openwall.com
In-Reply-To: <1458784008-16277-1-git-send-email-mic@digikod.net>

On Wed, Mar 23, 2016 at 6:46 PM, Mickaël Salaün wrote:
> Hi,
>
> This series is a proof of concept (not ready for production) to extend seccomp
> with the ability to check argument pointers of syscalls as kernel objects (e.g.
> file paths). This adds a needed feature to create a full sandbox managed by
> userland like the Seatbelt/XNU Sandbox or the OpenBSD Pledge. It was initially
> inspired by a partial seccomp-LSM prototype [1] but has evolved a lot since :)

This is interesting! I'd really like to get argument inspection working.
I'm going to spend some time examining this series more closely, but my
initial reaction is that I'm suspicious of the ToCToU checking -- I'd
rather there be no race at all.

As for the bug-fixes, I'll get those pulled in now.

Thanks!

-Kees

-- 
Kees Cook
Chrome OS & Brillo Security