[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20120414024708.GB10926@khazad-dum.debian.net>
Date: Fri, 13 Apr 2012 23:47:08 -0300
From: Henrique de Moraes Holschuh <hmh@....eng.br>
To: Paul Moore <paul@...l-moore.com>
Cc: Will Drewry <wad@...omium.org>, Kees Cook <keescook@...omium.org>,
libseccomp-discuss@...ts.sourceforge.net,
linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: ANN: libseccomp
On Fri, 13 Apr 2012, Paul Moore wrote:
> the seccomp filter into the kernel. By default libseccomp attempts to set
> NO_NEW_PRIVS but does not fail if prctl(NO_NEW_PRIVS) returns with an error;
Isn't that dangerous in non-obvious ways, as in it can actually
cause/activate/enable/open security issues on priviledged processes that
don't expect whatever filtering seccomp will subject them to?
Maybe it would be best if libseccomp were to (by default) bomb out with
an error if prctl(NO_NEW_PRIVS) fails? Defaults are important, as
they're what people _who don't know any better_ are likely to use.
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists