From: Colin Walters <walters@verbum.org>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Will Drewry <wad@chromium.org>,
linux-kernel@vger.kernel.org, kees.cook@canonical.com,
torvalds@linux-foundation.org, tglx@linutronix.de, mingo@elte.hu,
rostedt@goodmis.org, jmorris@namei.org,
paulmck@linux.vnet.ibm.com, Peter Zijlstra <peterz@infradead.org>,
Frederic Weisbecker <fweisbec@gmail.com>,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v4 03/13] seccomp_filters: new mode with configurable syscall filters
Date: Mon, 6 Jun 2011 11:25:17 -0400 [thread overview]
Message-ID: <BANLkTi=WGCrT3Z5qar0P-EqN=aKn9z-HYA@mail.gmail.com> (raw)
In-Reply-To: <1307364487.2876.18.camel@moss-pluto>
On Mon, Jun 6, 2011 at 8:48 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> Suppose we did add a MAC check on enabling seccomp. Under what
> circumstances would we want to deny a process the ability to further
> restrict its own actions?
Well, I could understand a simple argument about limiting the exposed
kernel API; again I know this is sort of ironic, but seccomp is a
pretty complex new API, and there will be processes that *aren't*
using it for whatever reason and might be exploited.
I'm not arguing strongly for this, I just wanted to bring it up. The
set of hooks seems rather inconsistent right now.
Given the above rationale, why for example is there a SELinux access
vector for sched_getscheduler (process:getsched)?
> Denying the ability to enable seccomp could itself lead to
> vulnerabilities, as applications have shown that they often fail to
> check or handle errors from privilege-limiting calls correctly.
Right.
> The situation would differ if seccomp could be enabled for a different
> target process than current, or if it could be inherited across exec.
It's based on prctl() so only affects the current process, and as for
the latter - it looks like the current state is that if seccomp is
active, exec is always disallowed.
next prev parent reply other threads:[~2011-06-06 15:25 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-06-03 20:34 [PATCH v4 01/13] tracing: split out filter initialization and clean up Will Drewry
2011-06-03 20:34 ` [PATCH v4 02/13] tracing: split out syscall_trace_enter construction Will Drewry
2011-06-03 20:34 ` [PATCH v4 03/13] seccomp_filters: new mode with configurable syscall filters Will Drewry
2011-06-03 21:48 ` [PATCH v5 " Will Drewry
2011-06-06 16:56 ` [PATCH v6 03/14] " Will Drewry
2011-06-10 15:39 ` [PATCH v7 03/13] " Will Drewry
2011-06-13 2:24 ` [PATCH v8 " Will Drewry
2011-06-03 22:16 ` [PATCH v4 " Colin Walters
2011-06-06 12:48 ` Stephen Smalley
2011-06-06 15:25 ` Colin Walters [this message]
2011-06-06 16:36 ` Stephen Smalley
2011-06-03 20:34 ` [PATCH v4 04/13] seccomp_filter: add process state reporting Will Drewry
2011-06-03 21:50 ` [PATCH v5 " Will Drewry
2011-06-10 15:40 ` [PATCH v7 " Will Drewry
2011-06-07 23:56 ` [PATCH v4 " Paul E. McKenney
2011-06-08 1:05 ` Will Drewry
2011-06-08 1:59 ` Steven Rostedt
2011-06-03 20:34 ` [PATCH v4 05/13] seccomp_filter: Document what seccomp_filter is and how it works Will Drewry
2011-06-03 20:38 ` Kees Cook
2011-06-10 15:40 ` [PATCH v7 " Will Drewry
2011-06-03 20:34 ` [PATCH v4 06/13] x86: add HAVE_SECCOMP_FILTER and seccomp_execve Will Drewry
2011-06-03 20:34 ` [PATCH v4 07/13] arm: select HAVE_SECCOMP_FILTER Will Drewry
2011-06-03 20:34 ` [PATCH v4 08/13] microblaze: select HAVE_SECCOMP_FILTER and provide seccomp_execve Will Drewry
2011-06-03 20:34 ` [PATCH v4 09/13] mips: " Will Drewry
2011-06-03 20:34 ` [PATCH v4 10/13] s390: " Will Drewry
2011-06-03 20:34 ` [PATCH v4 11/13] powerpc: " Will Drewry
2011-06-03 20:34 ` [PATCH v4 12/13] sparc: " Will Drewry
2011-06-03 23:20 ` David Miller
2011-06-03 20:34 ` [PATCH v4 13/13] sh: select HAVE_SECCOMP_FILTER Will Drewry
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='BANLkTi=WGCrT3Z5qar0P-EqN=aKn9z-HYA@mail.gmail.com' \
--to=walters@verbum.org \
--cc=fweisbec@gmail.com \
--cc=jmorris@namei.org \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=paulmck@linux.vnet.ibm.com \
--cc=peterz@infradead.org \
--cc=rostedt@goodmis.org \
--cc=sds@tycho.nsa.gov \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).