| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 Jun 2011 17:30:46 +1000 (EST) From: Damien Miller <djm@...drot.org> To: Will Drewry <wad@...omium.org> cc: linux-kernel@...r.kernel.org, torvalds@...ux-foundation.org, segoon@...nwall.com, kees.cook@...onical.com, mingo@...e.hu, rostedt@...dmis.org, jmorris@...ei.org, fweisbec@...il.com, tglx@...utronix.de, scarybeasts@...il.com, Peter Zijlstra <peterz@...radead.org>, "Paul E. McKenney" <paul.mckenney@...aro.org>, Andrew Morton <akpm@...ux-foundation.org>, David Howells <dhowells@...hat.com>, Eric Paris <eparis@...hat.com>, Borislav Petkov <borislav.petkov@....com>, Michal Marek <mmarek@...e.cz>, Mike Galbraith <efault@....de>, "Serge E. Hallyn" <serge.hallyn@...onical.com>, Jiri Slaby <jslaby@...e.cz>, Greg Kroah-Hartman <gregkh@...e.de>, linux-security-module@...r.kernel.org Subject: Re: [PATCH v9 03/13] seccomp_filter: new mode with configurable syscall filters On Thu, 23 Jun 2011, Will Drewry wrote: > This change adds a new seccomp mode which specifies the allowed system > calls dynamically. When in the new mode (2), all system calls are > checked against process-defined filters - first by system call number, > then by a filter string. If an entry exists for a given system call and > all filter predicates evaluate to true, then the task may proceed. > Otherwise, the task is killed. This would be a great help for OpenSSH to improve pre-authentication privilege separation. We use a separate process that is chroot()ed and switched to a dedicated UID to limit the effects of compromise in the complex network-facing code, but a vulnerability in this process still allows an attacker to open new network sockets (e.g. to proxy attacks through your firewall) or attempt to exploit local kernel bugs. If we are able to restrict the syscalls the unprivileged process can make then it becomes very difficult for an attacker to do anything useful - they won't be able to open new sockets and a narrow set of available syscalls makes exploitable kernel bugs much harder to find or reach. The current SECCOMP sandbox is too restrictive, because we need to poll/select() on sockets and mmap() to allocate new memory. Allowing application developers to specify which syscalls are allowed is a good, low-cost way to make the SECCOMP sandbox much more useful. -d -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists