| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 29 May 2011 22:21:45 +0530 From: "Aneesh Kumar K.V" <aneesh.kumar@...ux.vnet.ibm.com> To: Linus Torvalds <torvalds@...ux-foundation.org>, Kees Cook <kees.cook@...onical.com>, Al Viro <viro@...iv.linux.org.uk> Cc: Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...e.hu>, Peter Zijlstra <peterz@...radead.org>, Will Drewry <wad@...omium.org>, Steven Rostedt <rostedt@...dmis.org>, linux-kernel@...r.kernel.org Subject: Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering On Wed, 25 May 2011 11:42:44 -0700, Linus Torvalds <torvalds@...ux-foundation.org> wrote: > On Wed, May 25, 2011 at 11:01 AM, Kees Cook <kees.cook@...onical.com> wrote: > > > > Can we just go back to the original spec? A lot of people were excited > > about the prctl() API as done in Will's earlier patchset, we don't lose the > > extremely useful "enable_on_exec" feature, and we can get away from all > > this disagreement. > > .. and quite frankly, I'm not even convinced about the original simpler spec. > > Security is a morass. People come up with cool ideas every day, and > nobody actually uses them - or if they use them, they are just a > maintenance nightmare. > > Quite frankly, limiting pathname access by some prefix is "cool", but > it's basically useless. > > That's not where security problems are. > > Security problems are in the odd corners - ioctl's, /proc files, > random small interfaces that aren't just about file access. > > And who would *use* this thing in real life? Nobody. In order to sell > me on a new security interface, give me a real actual use case that is > security-conscious and relevant to real users. > > For things like web servers that actually want to limit filename > lookup, we'd be <i>much</i> better off with a few new flags to > pathname lookup that say "don't follow symlinks" and "don't follow > '..'". Things like that can actually be beneficial to > security-conscious programming, with very little overhead. Some of > those things currently look up pathnames one component at a time, > because they can't afford to not do so. That's a *much* better model > for the whole "only limit to this subtree" case that was quoted > sometime early in this thread. The "make sure we don't follow symlinks at all" is a real problem in VirtFS (http://wiki.qemu.org/Documentation/9psetup) that we are fixing by adding a forked chrooted process to Qemu. If we are open to a new open flag O_NOFOLLOW_PATH, which would fail with ELOOP if any of the path component is a symbolic link, that would greatly simplify VirtFS. Will such a new flag to open be acceptable ? -aneesh -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists