From: Paul Moore <pmoore@redhat.com>
To: Namsun Ch'o <namnamc@safe-mail.net>
Cc: qemu-devel@nongnu.org, eduardo.otubo@profitbricks.com
Subject: Re: [Qemu-devel] [PATCH v2] Add argument filters to the seccomp sandbox
Date: Tue, 29 Sep 2015 18:12:17 -0400 [thread overview]
Message-ID: <2847918.LyRAQidd07@sifl> (raw)
In-Reply-To: <N1-IUU_41wMS2@Safe-mail.net>
On Monday, September 28, 2015 11:14:42 PM Namsun Ch'o wrote:
> > My understanding of the config file you proposed is that it would allow
> > the
> > configuration of a whitelist, so changes to the config very could result
> > in
> > *less* strict of a filter, not always more.
>
> No. Any time an administrator wants a syscall that is not enabled in the
> sandbox, they either don't actually need it, or it's a bug and should be
> fixed. So all the config would do is add argument filters to syscalls which
> are already whitelisted.
If the syscall, without arguments, is already added to the whitelist then
adding a new libseccomp rule to allow that same syscall with specific
arguments will have no effect since a broader rule already exists in the
filter.
> The alternative would be that the syscalls are given no further argument
> filtering. The config could only make the filteres more restrictive, never
> less.
I still don't see how this is the case, but it probably isn't worth arguing
any further without some patches.
> Perhaps there could be a #define somewhere that toggles whether or not a
> syscall argument filter can be created for a syscall which is not in the
> built-in whitelist, otherwise it would throw an error saying that you cannot
> create an argument filter for a syscall that is not permitted.
I would argue you should never be able to add a syscall to the whitelist via a
config file and/or command line option, but that is my opinion.
--
paul moore
security @ redhat
next prev parent reply other threads:[~2015-09-29 22:12 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-29 3:14 [Qemu-devel] [PATCH v2] Add argument filters to the seccomp sandbox Namsun Ch'o
2015-09-29 15:38 ` Eduardo Otubo
2015-09-29 22:12 ` Paul Moore [this message]
[not found] <d55ad1eed872006f0634c3e0067553a5@airmail.cc>
2015-10-01 7:17 ` Markus Armbruster
-- strict thread matches above, loose matches on Subject: below --
2015-09-30 6:41 Namsun Ch'o
2015-10-01 5:58 ` Markus Armbruster
2015-09-28 21:34 Namsun Ch'o
2015-09-29 1:19 ` Paul Moore
2015-09-26 5:06 Namsun Ch'o
2015-09-28 18:24 ` Paul Moore
2015-09-25 4:53 Namsun Ch'o
2015-09-25 17:03 ` Paul Moore
2015-09-11 0:54 namnamc
2015-09-24 9:59 ` Eduardo Otubo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2847918.LyRAQidd07@sifl \
--to=pmoore@redhat.com \
--cc=eduardo.otubo@profitbricks.com \
--cc=namnamc@safe-mail.net \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.