Date: Tue, 03 May 2011 11:39:27 +0300
From: Avi Kivity <avi@...hat.com>
To: Will Drewry <wad@...omium.org>
CC: linux-kernel@...r.kernel.org, kees.cook@...onical.com, eparis@...hat.com, agl@...omium.org, mingo@...e.hu, jmorris@...ei.org, rostedt@...dmis.org, Frederic Weisbecker <fweisbec@...il.com>, Ingo Molnar <mingo@...hat.com>, Andrew Morton <akpm@...ux-foundation.org>, Tejun Heo <tj@...nel.org>, Michal Marek <mmarek@...e.cz>, Oleg Nesterov <oleg@...hat.com>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, Jiri Slaby <jslaby@...e.cz>, David Howells <dhowells@...hat.com>, "Serge E. Hallyn" <serge@...lyn.com>
Subject: Re: [PATCH 3/7] seccomp_filter: Enable ftrace-based system call filtering

On 04/28/2011 06:08 AM, Will Drewry wrote:
> This change adds a new seccomp mode based on the work by
> agl@...omium.org. This mode comes with a bitmask of NR_syscalls size and
> an optional linked list of seccomp_filter objects. When in mode 2, all
> system calls are first checked against the bitmask to determine if they
> are allowed or denied. If allowed, the list of filters is checked for
> the given syscall number. If all filter predicates for the system call
> match or the system call was allowed without restriction, the process
> continues. Otherwise, it is killed and a KERN_INFO notification is
> posted.
>
> The filter language itself is provided by the ftrace filter engine.
> Related patches tweak to the perf filter trace and free allow the calls
> to be shared. Filters inherit their understanding of types and arguments
> for each system call from the CONFIG_FTRACE_SYSCALLS subsystem which
> predefines this information in syscall_metadata associated enter_event
> (and exit_event) structures.
>
> The result is that a process may reduce its available interfaces to
> the kernel through prctl() without knowing the appropriate system call
> number a priori and with the flexibility of filtering based on
> register-stored arguments. (String checks suffer from TOCTOU issues and
> should be left to LSMs to provide policy for! Don't get greedy :)

This is potentially very useful for qemu/kvm.

--
error compiling committee.c: too many arguments to function

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
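
A userspace model of the two-step decision the quoted commit message describes (bitmask first, then every predicate on register-stored arguments for that syscall), added here as an illustration and not taken from the patch. The struct names, the 512-entry table, the comparison operators and the x86-64 numbers used for read (0) and write (1) are assumptions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#define MODEL_NR 512   /* assumed size; stands in for NR_syscalls */
#define WBITS (sizeof(unsigned long) * CHAR_BIT)
enum cmp_op { OP_EQ, OP_NE, OP_LT };
struct filter_model {              /* hypothetical: one predicate on one argument */
    int nr, arg;                   /* syscall number; argument index 0..5 */
    enum cmp_op op;
    unsigned long value;
    const struct filter_model *next;
};
struct policy_model {
    unsigned long allowed[MODEL_NR / WBITS + 1];   /* one bit per syscall */
    const struct filter_model *filters;            /* optional list */
};

static bool pred_match(const struct filter_model *f, const unsigned long *args)
{
    if (f->arg < 0 || f->arg > 5) return false;    /* malformed: fail closed */
    switch (f->op) {
    case OP_EQ: return args[f->arg] == f->value;
    case OP_NE: return args[f->arg] != f->value;
    case OP_LT: return args[f->arg] <  f->value;
    }
    return false;
}

/* true: the call proceeds; false: the task would be killed. */
bool policy_check(const struct policy_model *p, int nr, const unsigned long *args)
{
    if (nr < 0 || nr >= MODEL_NR ||
        !((p->allowed[nr / WBITS] >> (nr % WBITS)) & 1UL))
        return false;                  /* step 1: bitmask denies */
    for (const struct filter_model *f = p->filters; f; f = f->next)
        if (f->nr == nr && !pred_match(f, args))
            return false;              /* step 2: a predicate failed */
    return true;                       /* no filter for nr, or all matched */
}

/* Constructed policy: read (0) unrestricted; write (1) only fd 1, len < 4096. */
bool demo(int nr, unsigned long fd, unsigned long len)
{
    static const struct filter_model f_len = { 1, 2, OP_LT, 4096, NULL };
    static const struct filter_model f_fd  = { 1, 0, OP_EQ, 1, &f_len };
    const struct policy_model p = { { 0x3UL }, &f_fd };   /* bits 0, 1 set */
    const unsigned long args[6] = { fd, 0, len, 0, 0, 0 };
    return policy_check(&p, nr, args);
}
```

Only integer arguments are compared, in line with the commit message's remark that string checks are subject to TOCTOU and belong in LSM policy.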