From: Paul Moore <paul@paul-moore.com>
To: libseccomp-discuss@lists.sourceforge.net
Cc: Henrique de Moraes Holschuh <hmh@hmh.eng.br>,
linux-security-module@vger.kernel.org,
Will Drewry <wad@chromium.org>,
linux-kernel@vger.kernel.org
Subject: Re: [libseccomp-discuss] ANN: libseccomp
Date: Mon, 16 Apr 2012 10:15:33 -0400 [thread overview]
Message-ID: <4892415.SaF4mnePOG@sifl> (raw)
In-Reply-To: <20120414024708.GB10926@khazad-dum.debian.net>
On Friday, April 13, 2012 11:47:08 PM Henrique de Moraes Holschuh wrote:
> On Fri, 13 Apr 2012, Paul Moore wrote:
> > the seccomp filter into the kernel. By default libseccomp attempts to set
> > NO_NEW_PRIVS but does not fail if prctl(NO_NEW_PRIVS) returns with an
> > error;
>
> Isn't that dangerous in non-obvious ways, as in it can actually
> cause/activate/enable/open security issues on priviledged processes that
> don't expect whatever filtering seccomp will subject them to?
We could debate this point but it turns out it is a bit of a non-issue as the
kernel code requires NO_NEW_PRIVS unless CAP_SYS_ADMIN is set; if neither
conditions are true the seccomp filter with fail (check Will's patches).
If prctl(NO_NEW_PRIVS) fails the error is always returned, and the
attribute/boolean to disable this functionality has been removed since it
likely serves little purpose.
> Defaults are important, as they're what people _who don't know any better_
> are likely to use.
Agreed. You'll never hear me argue otherwise.
--
paul moore
www.paul-moore.com
next prev parent reply other threads:[~2012-04-16 14:15 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-04-09 18:58 ANN: libseccomp Paul Moore
2012-04-09 19:16 ` Kees Cook
2012-04-09 21:32 ` Paul Moore
2012-04-09 21:51 ` Will Drewry
2012-04-09 22:46 ` Paul Moore
2012-04-13 20:14 ` Paul Moore
2012-04-14 2:47 ` Henrique de Moraes Holschuh
2012-04-16 14:15 ` Paul Moore [this message]
2012-04-09 22:56 ` [libseccomp-discuss] " Serge Hallyn
2012-04-09 19:25 ` Josh Boyer
2012-04-09 20:02 ` H. Peter Anvin
2012-04-09 20:14 ` Josh Boyer
2012-04-09 21:28 ` Paul Moore
2012-04-10 20:29 ` Paul Moore
2012-04-11 0:27 ` Josh Boyer
[not found] ` <CAEXv5_jiZsd6t=H1KWMNhUdgMez0B-WdC5XAHzdHffjOQh_J4A@mail.gmail.com>
2012-04-15 16:20 ` Kees Cook
2012-04-16 14:09 ` [libseccomp-discuss] " Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4892415.SaF4mnePOG@sifl \
--to=paul@paul-moore.com \
--cc=hmh@hmh.eng.br \
--cc=libseccomp-discuss@lists.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.