| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 07 Jul 2014 14:20:36 +0200 From: Paolo Bonzini <pbonzini@...hat.com> To: David Drysdale <drysdale@...gle.com> CC: LSM List <linux-security-module@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Alexander Viro <viro@...iv.linux.org.uk>, Meredydd Luff <meredydd@...atehouse.org>, Kees Cook <keescook@...omium.org>, James Morris <james.l.morris@...cle.com>, Linux API <linux-api@...r.kernel.org>, qemu-devel <qemu-devel@...gnu.org> Subject: Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) Il 07/07/2014 12:29, David Drysdale ha scritto: >> I think that's more easily done by opening the file as O_RDONLY/O_WRONLY >> /O_RDWR. You could do it by running the file descriptor's seccomp-bpf >> program once per iocb with synthesized syscall numbers and argument >> vectors. > > Right, but generating the equivalent seccomp input environment for an > equivalent single-fd syscall is going to be subtle and complex (which > are worrying words to mention in a security context). And how many > other syscalls are going to need similar special-case processing? > (poll? select? send[m]msg? ...) Yeah, the difficult part is getting the right balance between: 1) limitations due to seccomp's impossibility to chase pointers (which is not something that can be lifted, as it's required for correctness) 2) subtlety and complexity of the resulting code. The problem stems when you have a single a single syscall operating on multiple file descriptors. So for example among the cases you mention poll and select are problematic; sendm?msg are not. They would be if Capsicum had a capability for SCM_RIGHTS file descriptor passing, but I cannot find it. But then you also have to strike the right balance between a complete solution and an overengineered one. For example, even though poll and select are problematic, I wonder what would really the point be in blocking them; poll/select are level-triggered, and calling them should be idempotent as far as the file descriptor is concerned. If you want to prevent a process/thread from issuing blocking system calls, but you'd do that with a per-process filter, not with per-file-descriptor filters or capabilities. > Capsicum capabilities are associated with the file descriptor (a la > F_GETFD), not the open file itself -- different FDs with different > associated rights can map to the same underlying open file. Good to know, thanks. I suppose you have testcases that cover this. Paolo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists