| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 6 May 2011 19:11:42 -0700 From: Will Drewry <wad@...omium.org> To: Eric Paris <eparis@...hat.com> Cc: Steven Rostedt <rostedt@...dmis.org>, Frederic Weisbecker <fweisbec@...il.com>, Ingo Molnar <mingo@...e.hu>, linux-kernel@...r.kernel.org, kees.cook@...onical.com, agl@...omium.org, jmorris@...ei.org, Randy Dunlap <rdunlap@...otime.net>, Linus Torvalds <torvalds@...ux-foundation.org>, Andrew Morton <akpm@...ux-foundation.org>, Tom Zanussi <tzanussi@...il.com>, Arnaldo Carvalho de Melo <acme@...hat.com>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, Thomas Gleixner <tglx@...utronix.de> Subject: Re: [PATCH 5/7] seccomp_filter: Document what seccomp_filter is and how it works. On Fri, May 6, 2011 at 6:35 AM, Eric Paris <eparis@...hat.com> wrote: > I'm also starting to think a userspace library is a good idea as well. > Everything in the kernel is an && with nothing but SET and APPLY. We > provide interfaces to build the strings as we go along including UNSET > and stuff like that if there are users.... That sounds ideal to me. I think it'll be worth tagging this config option as EXPERIMENTAL to begin with so that there's a chance to see those of us who want it using it more widely and find out if there are missing pieces or dumb limitations. Hopefully by starting minimal, it won't be a huge departure to evolve it if needed. On Fri, May 6, 2011 at 9:30 AM, Eric Paris <eparis@...hat.com> wrote: > On Thu, 2011-05-05 at 02:21 -0700, Will Drewry wrote: >> On Wed, May 4, 2011 at 11:46 AM, Steven Rostedt <rostedt@...dmis.org> wrote: > >> In particular, if the userspace code wants to stage some filters and >> apply them all at once, when ready, I'm not sure that it makes sense >> to me to put that complexity in the kernel itself. For instance, >> Eric's second sample showed a call that took an array of ints and >> coalesced them into "fd == %d || ...". That simple example shows that >> we could easily get by with a pretty minimal kernel-supported >> interface as long as the richer behavior could live userspace side -- >> even if just in a simple helper library. It'd be pretty easy to >> implement a userspace library that exposed add_filter(syscall_nr, >> filter) and apply_filters() such that it could manage building the >> final filter string for a given syscall and pushing it to prctl on >> apply. > > Had a few minutes this morning so I started writing something that looks > sorta like a userspace library. It dosn't have unset yet but I don't > think it'll be that hard for me to implement. You can build some pretty > complex filters easily. Not sure when I'll get to work on it more, but > it at least shows the idea of doing the complex work in a library and > keeping a simple kernel interface.... Any thoughts? Cool! I was thrown a little bit by spelling out the operations (eq, ne, ..), but I can see how it might be useful for being able to synthesize good filters before passing them off to the kernel. It sounds like we might be moving towards a good starting point. I'll start playing with the interface some (and start on the kernel support too :). thanks! -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists