From mboxrd@z Thu Jan 1 00:00:00 1970 From: Will Drewry Subject: Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF Date: Thu, 12 Jan 2012 16:18:46 -0600 Message-ID: References: <1326302710-9427-1-git-send-email-wad@chromium.org> <1326302710-9427-2-git-send-email-wad@chromium.org> <1326383015.7642.77.camel@gandalf.stny.rr.com> <20120112161418.GA22360@redhat.com> <1326386324.7642.96.camel@gandalf.stny.rr.com> <20120112173048.GK7180@jl-vm1.vm.bytemark.co.uk> <1326390006.7642.114.camel@gandalf.stny.rr.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: QUOTED-PRINTABLE Cc: Jamie Lokier , Oleg Nesterov , linux-kernel@vger.kernel.org, keescook@chromium.org, john.johansen@canonical.com, serge.hallyn@canonical.com, coreyb@linux.vnet.ibm.com, pmoore@redhat.com, eparis@redhat.com, djm@mindrot.org, torvalds@linux-foundation.org, segoon@openwall.com, jmorris@namei.org, scarybeasts@gmail.com, avi@redhat.com, penberg@cs.helsinki.fi, viro@zeniv.linux.org.uk, luto@mit.edu, mingo@elte.hu, akpm@linux-foundation.org, khilman@ti.com, borislav.petkov@amd.com, amwang@redhat.com, ak@linux.intel.com, eric.dumazet@gmail.com, gregkh@suse.de, dhowells@redhat.com, daniel.lezcano@free.fr, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, olofj@chromium.org, mhalcrow@google.com, dlaor@redhat.com To: Steven Rostedt , Alan Cox Return-path: In-Reply-To: <1326390006.7642.114.camel@gandalf.stny.rr.com> Sender: linux-security-module-owner@vger.kernel.org List-Id: linux-fsdevel.vger.kernel.org On Thu, Jan 12, 2012 at 11:40 AM, Steven Rostedt = wrote: > On Thu, 2012-01-12 at 17:30 +0000, Jamie Lokier wrote: > >> You can do this now, using ptrace(). =A0It's horrible, but half of t= he >> horribleness is needing to understand machine-dependent registers, >> which this new patch doesn't address. =A0(The other half is a ton of >> undocumented but important ptrace() behaviours on Linux.) > > Yeah I know the horrid use of ptrace, I've implemented programs that = use > it :-p > > I guess ptrace can capture the execv and determine if it is OK or not= to > run it. But again, this doesn't stop the possible attacks that could > happen, with having the execv on a symlink file, having the ptrace ch= eck > say its OK, and then switching the symlink to a setuid file. > > When the new execv executed, the parent process would lose all contro= l > over it. The idea is to prevent this. > > I like Alan's suggestion. Have userspace decide to allow execv or not= , > and even let it decide if it should allow setuid execv's or not, but > still allow non-setuid execvs. If you allow the setuid execv, once th= at > happens, the same behavior will occur as with ptrace. A setuid execv > will lose all its filtering. In the ptrace case, doesn't it just downgrade the privileges of the new= process if there is a tracer, rather than detach the tracer? Ignoring that, I've been looking at system call filters as being equiva= lent to something like the caps bounding set. Once reduced, there's no going back. I think Linus's proposal perfectly resolves the policy decision a= round suid execution behavior in the run-with-privs or not scenarios (just li= ke with how ptrace does it). However, I'd like to avoid allowing any process t= o escape system call filters once installed. (It's doable to add suid/caps-based-bypass, but it certainly not ideal from my perspective.= ) cheers, will -- To unsubscribe from this list: send the line "unsubscribe linux-securit= y-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html