| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 Apr 2012 16:14:43 -0400 From: Paul Moore <paul@...l-moore.com> To: Will Drewry <wad@...omium.org> Cc: Kees Cook <keescook@...omium.org>, libseccomp-discuss@...ts.sourceforge.net, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org Subject: Re: ANN: libseccomp On Monday, April 09, 2012 06:46:02 PM Paul Moore wrote: > On Monday, April 09, 2012 04:51:30 PM Will Drewry wrote: > > On Mon, Apr 9, 2012 at 4:32 PM, Paul Moore <paul@...l-moore.com> wrote: > > > On Monday, April 09, 2012 12:16:30 PM Kees Cook wrote: > > >> On Mon, Apr 9, 2012 at 11:58 AM, Paul Moore wrote: > > >> I see that the arch check happens during _gen_bpf_build_bpf(), which > > >> is excellent. Do you have any thoughts about including a call to > > >> prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) by default as well? > > > > > > That is a good question, and I guess it comes down to another question > > > of if anyone would want to use seccomp without NO_NEW_PRIVS. If the > > > answer is no then I'm comfortable adding it into the seccomp_load() > > > function; however, if the answer is yes we might want to do something > > > different. > > > > > > I haven't given much thought to this yet, so if you or anyone else feels > > > strongly about the issue - either pro or con - I'd appreciate hearing > > > the argument. > > > > I guess the question is if there is an expectation that this library > > be used with something like lxc, where a whole, functional system with > > suid/fcaps binaries is contained. In that world, it may not be > > desirable to set the nnp bit. The same is true if, for some reason, > > the init task was to set a system-wide filter. > > > > Most likely, default use of nnp is probably "the right thing", but > > it'd be nice to be able to annotate when you really want to allow > > privileged contexts to set filters without nnp. > > Okay, that seems reasonable: default to NO_NEW_PRIVS, but provide an > override mechanism. > > I've been wanting a mechanism/API for tweaking some of the default library > parameters for the past few weeks, this is likely the last bit of motivation > I need to start working on this. I'll look into it once the license issue > is sorted. A quick update - I just added support for setting NO_NEW_PRIVS when loading the seccomp filter into the kernel. By default libseccomp attempts to set NO_NEW_PRIVS but does not fail if prctl(NO_NEW_PRIVS) returns with an error; however, both the attempt to set NO_NEW_PRIVS and the fact that libseccomp does not fail on error are configurable via the application if you don't like the defaults for your particular use case. -- paul moore www.paul-moore.com -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists