lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 6 Jun 2011 11:25:17 -0400
From:	Colin Walters <walters@...bum.org>
To:	Stephen Smalley <sds@...ho.nsa.gov>
Cc:	Will Drewry <wad@...omium.org>, linux-kernel@...r.kernel.org,
	kees.cook@...onical.com, torvalds@...ux-foundation.org,
	tglx@...utronix.de, mingo@...e.hu, rostedt@...dmis.org,
	jmorris@...ei.org, paulmck@...ux.vnet.ibm.com,
	Peter Zijlstra <peterz@...radead.org>,
	Frederic Weisbecker <fweisbec@...il.com>,
	linux-security-module@...r.kernel.org
Subject: Re: [PATCH v4 03/13] seccomp_filters: new mode with configurable
 syscall filters

On Mon, Jun 6, 2011 at 8:48 AM, Stephen Smalley <sds@...ho.nsa.gov> wrote:
>
> Suppose we did add a MAC check on enabling seccomp.  Under what
> circumstances would we want to deny a process the ability to further
> restrict its own actions?

Well, I could understand a simple argument about limiting the exposed
kernel API; again I know this is sort of ironic, but seccomp is a
pretty complex new API, and there will be processes that *aren't*
using it for whatever reason and might be exploited.

I'm not arguing strongly for this, I just wanted to bring it up.  The
set of hooks seems rather inconsistent right now.

Given the above rationale, why for example is there a SELinux access
vector for sched_getscheduler (process:getsched)?

> Denying the ability to enable seccomp could itself lead to
> vulnerabilities, as applications have shown that they often fail to
> check or handle errors from privilege-limiting calls correctly.

Right.

> The situation would differ if seccomp could be enabled for a different
> target process than current, or if it could be inherited across exec.

It's based on prctl() so only affects the current process, and as for
the latter - it looks like the current state is that if seccomp is
active, exec is always disallowed.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ