From: Stephen Smalley <sds@tycho.nsa.gov>
To: Colin Walters <walters@verbum.org>
Cc: Will Drewry <wad@chromium.org>,
linux-kernel@vger.kernel.org, kees.cook@canonical.com,
torvalds@linux-foundation.org, tglx@linutronix.de, mingo@elte.hu,
rostedt@goodmis.org, jmorris@namei.org,
paulmck@linux.vnet.ibm.com, Peter Zijlstra <peterz@infradead.org>,
Frederic Weisbecker <fweisbec@gmail.com>,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v4 03/13] seccomp_filters: new mode with configurable syscall filters
Date: Mon, 06 Jun 2011 12:36:17 -0400 [thread overview]
Message-ID: <1307378177.2876.32.camel@moss-pluto> (raw)
In-Reply-To: <BANLkTi=WGCrT3Z5qar0P-EqN=aKn9z-HYA@mail.gmail.com>
On Mon, 2011-06-06 at 11:25 -0400, Colin Walters wrote:
> On Mon, Jun 6, 2011 at 8:48 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >
> > Suppose we did add a MAC check on enabling seccomp. Under what
> > circumstances would we want to deny a process the ability to further
> > restrict its own actions?
>
> Well, I could understand a simple argument about limiting the exposed
> kernel API; again I know this is sort of ironic, but seccomp is a
> pretty complex new API, and there will be processes that *aren't*
> using it for whatever reason and might be exploited.
>
> I'm not arguing strongly for this, I just wanted to bring it up. The
> set of hooks seems rather inconsistent right now.
>
> Given the above rationale, why for example is there a SELinux access
> vector for sched_getscheduler (process:getsched)?
That can be invoked on a target process other than current, right?
Any operation that enables a process to observe or modify the state of
another process requires a MAC check.
> > The situation would differ if seccomp could be enabled for a different
> > target process than current, or if it could be inherited across exec.
>
> It's based on prctl() so only affects the current process, and as for
> the latter - it looks like the current state is that if seccomp is
> active, exec is always disallowed.
Right, so I don't think it requires a MAC check presently.
--
Stephen Smalley
National Security Agency
next prev parent reply other threads:[~2011-06-06 16:37 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-06-03 20:34 [PATCH v4 01/13] tracing: split out filter initialization and clean up Will Drewry
2011-06-03 20:34 ` [PATCH v4 02/13] tracing: split out syscall_trace_enter construction Will Drewry
2011-06-03 20:34 ` [PATCH v4 03/13] seccomp_filters: new mode with configurable syscall filters Will Drewry
2011-06-03 21:48 ` [PATCH v5 " Will Drewry
2011-06-06 16:56 ` [PATCH v6 03/14] " Will Drewry
2011-06-10 15:39 ` [PATCH v7 03/13] " Will Drewry
2011-06-13 2:24 ` [PATCH v8 " Will Drewry
2011-06-03 22:16 ` [PATCH v4 " Colin Walters
2011-06-06 12:48 ` Stephen Smalley
2011-06-06 15:25 ` Colin Walters
2011-06-06 16:36 ` Stephen Smalley [this message]
2011-06-03 20:34 ` [PATCH v4 04/13] seccomp_filter: add process state reporting Will Drewry
2011-06-03 21:50 ` [PATCH v5 " Will Drewry
2011-06-10 15:40 ` [PATCH v7 " Will Drewry
2011-06-07 23:56 ` [PATCH v4 " Paul E. McKenney
2011-06-08 1:05 ` Will Drewry
2011-06-08 1:59 ` Steven Rostedt
2011-06-03 20:34 ` [PATCH v4 05/13] seccomp_filter: Document what seccomp_filter is and how it works Will Drewry
2011-06-03 20:38 ` Kees Cook
2011-06-10 15:40 ` [PATCH v7 " Will Drewry
2011-06-03 20:34 ` [PATCH v4 06/13] x86: add HAVE_SECCOMP_FILTER and seccomp_execve Will Drewry
2011-06-03 20:34 ` [PATCH v4 07/13] arm: select HAVE_SECCOMP_FILTER Will Drewry
2011-06-03 20:34 ` Will Drewry
2011-06-03 20:34 ` [PATCH v4 08/13] microblaze: select HAVE_SECCOMP_FILTER and provide seccomp_execve Will Drewry
2011-06-03 20:34 ` [PATCH v4 09/13] mips: " Will Drewry
2011-06-03 20:34 ` [PATCH v4 10/13] s390: " Will Drewry
2011-06-03 20:34 ` [PATCH v4 11/13] powerpc: " Will Drewry
2011-06-03 20:34 ` Will Drewry
2011-06-03 20:34 ` [PATCH v4 12/13] sparc: " Will Drewry
2011-06-03 20:34 ` Will Drewry
2011-06-03 23:20 ` [PATCH v4 12/13] sparc: select HAVE_SECCOMP_FILTER and provide David Miller
2011-06-03 23:20 ` [PATCH v4 12/13] sparc: select HAVE_SECCOMP_FILTER and provide seccomp_execve David Miller
2011-06-03 20:34 ` [PATCH v4 13/13] sh: select HAVE_SECCOMP_FILTER Will Drewry
2011-06-03 20:34 ` Will Drewry
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1307378177.2876.32.camel@moss-pluto \
--to=sds@tycho.nsa.gov \
--cc=fweisbec@gmail.com \
--cc=jmorris@namei.org \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=paulmck@linux.vnet.ibm.com \
--cc=peterz@infradead.org \
--cc=rostedt@goodmis.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=wad@chromium.org \
--cc=walters@verbum.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.