| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <BANLkTimNcag-ZmVTXjUoTyiuJm6jtW0DgA@mail.gmail.com> Date: Thu, 26 May 2011 13:49:01 -0500 From: Will Drewry <wad@...omium.org> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: Colin Walters <walters@...bum.org>, Kees Cook <kees.cook@...onical.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...e.hu>, Peter Zijlstra <peterz@...radead.org>, Steven Rostedt <rostedt@...dmis.org>, linux-kernel@...r.kernel.org, James Morris <jmorris@...ei.org> Subject: Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering On Thu, May 26, 2011 at 1:33 PM, Linus Torvalds <torvalds@...ux-foundation.org> wrote: > On Thu, May 26, 2011 at 10:38 AM, Will Drewry <wad@...omium.org> wrote: >>> >>> One option is to just not ever allow execve() from inside a restricted >>> environment. >> >> That'd certainly be fine with me. > > So if it ends up being purely a "internal to the process" thing, then > I'm much happier about it - it not only limits the scope of things > sufficiently that I don't worry too much about security issues, but it > makes it very clear that it's about a process going into "lock-down" > mode on its own. > > It also gets rid of all configuration - one of the things that makes > most security frameworks (look at selinux, but also just ACL's etc) > such a crazy rats nest is the whole "set up for other processes". If > it's designed very much to be about just the "self" process (after > initialization etc), then I think that avoids pretty much all the > serious issues. > > A lot of server processes could probably use it as a way to say "Hey, > I guarantee that I will only open new files read-only, and will only > write to the socket that was already opened for me by the accept", and > explicitly limit their worker threads that way. > > If that is really sufficient for some chrome sandboxing, then hey, > that's all fine. It adds some hoops, but less than exist today. > Sometimes limiting yourself (rather than looking for some bigger > "generic" solution) is the right answer. I will very happily validate usage and repost with a self-limited patch series. Doing so makes the change much more explicitly an expansion of seccomp, which keeps things sane. Thanks! will -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists