lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 06 Jun 2011 08:48:07 -0400
From:	Stephen Smalley <sds@...ho.nsa.gov>
To:	Colin Walters <walters@...bum.org>
Cc:	Will Drewry <wad@...omium.org>, linux-kernel@...r.kernel.org,
	kees.cook@...onical.com, torvalds@...ux-foundation.org,
	tglx@...utronix.de, mingo@...e.hu, rostedt@...dmis.org,
	jmorris@...ei.org, paulmck@...ux.vnet.ibm.com,
	Peter Zijlstra <peterz@...radead.org>,
	Frederic Weisbecker <fweisbec@...il.com>,
	linux-security-module@...r.kernel.org
Subject: Re: [PATCH v4 03/13] seccomp_filters: new mode with configurable
 syscall filters

On Fri, 2011-06-03 at 18:16 -0400, Colin Walters wrote:
> On Fri, Jun 3, 2011 at 4:34 PM, Will Drewry <wad@...omium.org> wrote:
> > (Any thoughts specifically on the mutex use would be greatly appreciated!)
> >
> > This change adds a new seccomp mode which specifies the allowed system
> > calls dynamically.
> 
> One thing to consider (not sure if it's been discussed, but I think
> not) is whether some of the LSMs should hook this.
> 
> Notably, it looks like SELinux doesn't have an access vector for prctl
> at all now; it doesn't hook task_prctl from what I see, and so we fall
> back to cap_task_prctl.  While I know the idea of restricting a
> process' ability to enter seccomp is a bit perverse, we should
> probably at least allow mandatory controls.  James?

I may be missing something, but so long as seccomp can only be enabled
by a process on itself and is not inherited across exec (or as in this
case prohibits exec), then I don't see why MAC systems should care.

Suppose we did add a MAC check on enabling seccomp.  Under what
circumstances would we want to deny a process the ability to further
restrict its own actions?

Denying the ability to enable seccomp could itself lead to
vulnerabilities, as applications have shown that they often fail to
check or handle errors from privilege-limiting calls correctly.

The situation would differ if seccomp could be enabled for a different
target process than current, or if it could be inherited across exec.

-- 
Stephen Smalley
National Security Agency

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ