[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 6 Jun 2011 11:25:17 -0400
From: Colin Walters <walters@...bum.org>
To: Stephen Smalley <sds@...ho.nsa.gov>
Cc: Will Drewry <wad@...omium.org>, linux-kernel@...r.kernel.org,
kees.cook@...onical.com, torvalds@...ux-foundation.org,
tglx@...utronix.de, mingo@...e.hu, rostedt@...dmis.org,
jmorris@...ei.org, paulmck@...ux.vnet.ibm.com,
Peter Zijlstra <peterz@...radead.org>,
Frederic Weisbecker <fweisbec@...il.com>,
linux-security-module@...r.kernel.org
Subject: Re: [PATCH v4 03/13] seccomp_filters: new mode with configurable
syscall filters
On Mon, Jun 6, 2011 at 8:48 AM, Stephen Smalley <sds@...ho.nsa.gov> wrote:
>
> Suppose we did add a MAC check on enabling seccomp. Under what
> circumstances would we want to deny a process the ability to further
> restrict its own actions?
Well, I could understand a simple argument about limiting the exposed
kernel API; again I know this is sort of ironic, but seccomp is a
pretty complex new API, and there will be processes that *aren't*
using it for whatever reason and might be exploited.
I'm not arguing strongly for this, I just wanted to bring it up. The
set of hooks seems rather inconsistent right now.
Given the above rationale, why for example is there a SELinux access
vector for sched_getscheduler (process:getsched)?
> Denying the ability to enable seccomp could itself lead to
> vulnerabilities, as applications have shown that they often fail to
> check or handle errors from privilege-limiting calls correctly.
Right.
> The situation would differ if seccomp could be enabled for a different
> target process than current, or if it could be inherited across exec.
It's based on prctl() so only affects the current process, and as for
the latter - it looks like the current state is that if seccomp is
active, exec is always disallowed.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists