| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 26 May 2011 12:38:19 -0500 From: Will Drewry <wad@...omium.org> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: Colin Walters <walters@...bum.org>, Kees Cook <kees.cook@...onical.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...e.hu>, Peter Zijlstra <peterz@...radead.org>, Steven Rostedt <rostedt@...dmis.org>, linux-kernel@...r.kernel.org, James Morris <jmorris@...ei.org> Subject: Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering On Thu, May 26, 2011 at 12:17 PM, Linus Torvalds <torvalds@...ux-foundation.org> wrote: > On Thu, May 26, 2011 at 10:02 AM, Will Drewry <wad@...omium.org> wrote: >> >> Absolutely - that was what I meant :/ The patches do not currently >> check creds at creation or again at use, which would lead to >> unprivileged filters being used in a privileged context. Right now, >> though, if setuid() is not allowed by the seccomp-filter, the process >> will be immediately killed with do_exit(SIGKILL) on call -- thus >> avoiding a silent failure. > > Umm. > > You do realize that there is a reason we don't allow random kill() > system calls to succeed without privileges either? > > So no, "we kill it with sigkill" is not safe *either*. It now is > potentially a way to kill privileged processes that you didn't have > permission to kill. > > My point is that it all sounds designed for well-behaved processes. > "kill it if it does something bad" sounds like a *wonderful* idea if > you're doing a sandbox. Yeah - we end up in a weird place, because for many suid executables, the failure would be immediate (at priv drop), but it introduces bugs that will be less obvious in more complex scenarios. > But it is suddenly potentially deadly if that capability is used by a > malicious user for a process that isn't ready for it. > > One option is to just not ever allow execve() from inside a restricted > environment. That'd certainly be fine with me. Another option could be adding a cred checking (from set to use) or execve time checking or ..., but simple works for me. I'm not hung up on the implementation details specifically if the end result is that the syscalls can be _safely_ whitelisted. Thanks! -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists