[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAObL_7F3-GcxOc3p7wkbp1f=brUt5VKzcD0+v1dbAgfCk_Z2Jg@mail.gmail.com>
Date: Thu, 12 Jan 2012 15:00:46 -0800
From: Andrew Lutomirski <luto@....edu>
To: Will Drewry <wad@...omium.org>
Cc: Steven Rostedt <rostedt@...dmis.org>,
Alan Cox <alan@...rguk.ukuu.org.uk>,
Jamie Lokier <jamie@...reable.org>,
Oleg Nesterov <oleg@...hat.com>, linux-kernel@...r.kernel.org,
keescook@...omium.org, john.johansen@...onical.com,
serge.hallyn@...onical.com, coreyb@...ux.vnet.ibm.com,
pmoore@...hat.com, eparis@...hat.com, djm@...drot.org,
torvalds@...ux-foundation.org, segoon@...nwall.com,
jmorris@...ei.org, scarybeasts@...il.com, avi@...hat.com,
penberg@...helsinki.fi, viro@...iv.linux.org.uk, mingo@...e.hu,
akpm@...ux-foundation.org, khilman@...com, borislav.petkov@....com,
amwang@...hat.com, ak@...ux.intel.com, eric.dumazet@...il.com,
gregkh@...e.de, dhowells@...hat.com, daniel.lezcano@...e.fr,
linux-fsdevel@...r.kernel.org,
linux-security-module@...r.kernel.org, olofj@...omium.org,
mhalcrow@...gle.com, dlaor@...hat.com
Subject: Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF
On Thu, Jan 12, 2012 at 2:18 PM, Will Drewry <wad@...omium.org> wrote:
> On Thu, Jan 12, 2012 at 11:40 AM, Steven Rostedt <rostedt@...dmis.org> wrote:
>> On Thu, 2012-01-12 at 17:30 +0000, Jamie Lokier wrote:
>>
>>> You can do this now, using ptrace(). It's horrible, but half of the
>>> horribleness is needing to understand machine-dependent registers,
>>> which this new patch doesn't address. (The other half is a ton of
>>> undocumented but important ptrace() behaviours on Linux.)
>>
>> Yeah I know the horrid use of ptrace, I've implemented programs that use
>> it :-p
>>
>> I guess ptrace can capture the execv and determine if it is OK or not to
>> run it. But again, this doesn't stop the possible attacks that could
>> happen, with having the execv on a symlink file, having the ptrace check
>> say its OK, and then switching the symlink to a setuid file.
>>
>> When the new execv executed, the parent process would lose all control
>> over it. The idea is to prevent this.
>>
>> I like Alan's suggestion. Have userspace decide to allow execv or not,
>> and even let it decide if it should allow setuid execv's or not, but
>> still allow non-setuid execvs. If you allow the setuid execv, once that
>> happens, the same behavior will occur as with ptrace. A setuid execv
>> will lose all its filtering.
>
> In the ptrace case, doesn't it just downgrade the privileges of the new process
> if there is a tracer, rather than detach the tracer?
>
> Ignoring that, I've been looking at system call filters as being equivalent to
> something like the caps bounding set. Once reduced, there's no going
> back. I think Linus's proposal perfectly resolves the policy decision around
> suid execution behavior in the run-with-privs or not scenarios (just like with
> how ptrace does it). However, I'd like to avoid allowing any process to
> escape system call filters once installed. (It's doable to add
> suid/caps-based-bypass, but it certainly not ideal from my perspective.)
I agree.
In principle, it could be safe for an outside (non-seccomp) process
with appropriate credentials to lift seccomp restrictions from a
different process. But why?
--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists