From: Andrea Arcangeli <andrea@cpushare.com>
To: chris@scary.beasts.org
Cc: Hans Reiser <reiser@namesys.com>,
linux-kernel@vger.kernel.org, Andrew Morton <akpm@osdl.org>
Subject: Re: secure computing for 2.6.7
Date: Mon, 2 Aug 2004 01:06:47 +0200 [thread overview]
Message-ID: <20040801230647.GH6295@dualathlon.random> (raw)
In-Reply-To: <Pine.LNX.4.58.0408011801260.1368@sphinx.mythic-beasts.com>
On Sun, Aug 01, 2004 at 06:29:05PM +0100, chris@scary.beasts.org wrote:
> Using the above approach, we (the app writers) would never agree on the
> syscall lists required for different seccomp modes ;-)
I see the problem ;).
> How hard would it be to have a per-task bitmap of syscalls allowed? This
> way, a task could restrict to the exact subset of syscalls required for
> maximum security.
> The bitmap would
> - Be allocated on demand (for no overhead in the common case)
> - Deny all syscalls not covered by the supplied bitmap, to cater for
> syscall table expansion
> - Be inherited across fork and (probably) shared across clone
your app will have then to learn about the syscall details of every
arch (which is normally a kernel internal thing), the most obvious
example is the difference between the sigreturn and rt_sigreturn, plus
the syscall numbers vary across every arch and the bitmap will have to
differ depending on the architecture (while the seccomp mode number is a
fixed interface for all archs and it hides all internal details like
sigreturn/rt_sigreturn). The one thing I don't like is that if somebody
changes the signal frame to use a new_rt_sigreturn the app will break
and I'll have to upload an update and I'll have again to check for uname
-r to know which kernel has to enable what. I mean when the new
behaviour is introduced it won't be too bad, it'll just get a false
positive sigkill, it could happen as well if somebody forgets to update
seccomp.c after changing the signal frame.
While I only get disavantages from the bitmap, if people really want the
arch dependent bitmap I'm certainly able to put kernel architectural
internal knowledge into some python code that will build the right
bitmap depending on the arch and depending on the uname -r.
So it's up to you. Feel free to discuss and choose what you prefer. I'm
biased and I prefer seccomp, you can still implement the bitmap on top
of seccomp as seccomp mode == 2. I'm not saying you shouldn't get the
bitmap, my previous suggestion of syscalltable that would parse as well
the parameters was a lot more complicated than the bitmap, doing the
bitmap on top of seccomp will be easy (we could add some more storage
into the seccomp file too, so if you write number 2 followed by data,
the kernel will allocate such later data afte the first 32bits, as a
bitmap). And still the seccomp mode will provide you the infrastructure
and the entry point. This is actually simple enough (not comparable to
the syscalltables) that I can implement it myself if you agree on this
direction (next weekend).
next prev parent reply other threads:[~2004-08-01 23:07 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-07-04 17:39 secure computing for 2.6.7 andrea
2004-07-04 21:35 ` Andrew Morton
2004-07-04 23:32 ` andrea
2004-07-05 0:37 ` Phy Prabab
2004-10-12 14:24 ` Andrea Arcangeli
2004-10-12 15:32 ` Rik van Riel
2004-10-12 15:59 ` Andrea Arcangeli
2004-10-12 16:28 ` Rik van Riel
2004-10-12 17:46 ` Andrea Arcangeli
2004-10-12 18:04 ` Rik van Riel
2004-10-12 18:10 ` Rik van Riel
2004-10-12 18:29 ` Andrea Arcangeli
2004-07-07 19:27 ` Hans Reiser
2004-08-01 10:22 ` Andrea Arcangeli
2004-08-01 12:01 ` chris
2004-08-01 15:01 ` Andrea Arcangeli
2004-08-01 17:29 ` chris
2004-08-01 18:52 ` Bernd Eckenfels
2004-08-01 20:45 ` Alan Cox
2004-08-01 23:10 ` Andrea Arcangeli
2004-08-01 23:08 ` Alan Cox
2004-08-02 10:25 ` Andrea Arcangeli
2004-08-01 23:06 ` Andrea Arcangeli [this message]
2004-08-02 6:52 ` David Wagner
2004-08-03 12:48 ` Stephen Smalley
2004-08-01 14:55 ` Bernd Eckenfels
2004-08-01 15:51 ` Andrea Arcangeli
2004-08-01 17:24 ` Bernd Eckenfels
2004-08-02 3:17 ` Horst von Brand
2004-08-02 16:31 ` Andrea Arcangeli
2004-08-03 12:40 ` Stephen Smalley
2004-08-03 21:02 ` Alexander Lyamin
2004-08-05 11:47 ` Stephen Smalley
2004-08-04 8:57 ` Hans Reiser
2004-08-05 11:48 ` Stephen Smalley
2004-08-07 23:20 ` Hans Reiser
2004-08-09 12:35 ` Stephen Smalley
[not found] <2ejhQ-4lc-5@gated-at.bofh.it>
[not found] ` <2fqhq-1RU-45@gated-at.bofh.it>
[not found] ` <2olLt-4wI-5@gated-at.bofh.it>
2004-08-02 0:05 ` Andi Kleen
2004-08-02 10:19 ` Andrea Arcangeli
2004-08-02 19:06 ` Rik van Riel
2004-08-02 21:35 ` Andrea Arcangeli
2004-08-04 13:18 ` V13
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040801230647.GH6295@dualathlon.random \
--to=andrea@cpushare.com \
--cc=akpm@osdl.org \
--cc=chris@scary.beasts.org \
--cc=linux-kernel@vger.kernel.org \
--cc=reiser@namesys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox