[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1296837393.3145.80.camel@localhost.localdomain>
Date: Fri, 04 Feb 2011 11:36:28 -0500
From: Eric Paris <eparis@...hat.com>
To: Stefan Fritsch <sf@...itsch.de>
Cc: Frederic Weisbecker <fweisbec@...il.com>,
Ingo Molnar <mingo@...e.hu>,
Masami Hiramatsu <masami.hiramatsu.pt@...achi.com>,
Eric Paris <eparis@...isplace.org>,
linux-kernel@...r.kernel.org, agl@...gle.com, tzanussi@...il.com,
Jason Baron <jbaron@...hat.com>,
Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
2nddept-manager@....hitachi.co.jp,
Steven Rostedt <rostedt@...dmis.org>,
Arnaldo Carvalho de Melo <acme@...hat.com>,
Peter Zijlstra <a.p.zijlstra@...llo.nl>,
Thomas Gleixner <tglx@...utronix.de>
Subject: Re: Using ftrace/perf as a basis for generic seccomp
On Thu, 2011-02-03 at 23:06 +0100, Stefan Fritsch wrote:
> - only allow syscalls in the mode (non-compat/compat) that the prctl
> call was made in
This is what I was thinking. If it was a compat task when it dropped
things from the set of syscalls we should implicitly deny all non-compat
syscalls, and vice versa.
> - deny exec of setuid/setgid binaries
> - deny exec of binaries with filesystem capabilities
I think both of these are wrong to try to address here. The right way
to handle these is to
1) set prctl(SECBIT_NOROOT)
2) drop all caps from the bset, pP, pE, and pI
3) make sure the setuid(2) syscall (not to be confused with SETUID
filesystem bit) is not in the set of allowed syscalls. Thus rendering
suid and file with fcaps irrelevant.
-Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists