From: Ingo Molnar <mingo@elte.hu>
To: Andrea Arcangeli <andrea@cpushare.com>
Cc: Andrew Morton <akpm@osdl.org>, Adrian Bunk <bunk@stusta.de>,
	linux-kernel@vger.kernel.org, Linus Torvalds <torvalds@osdl.org>
Subject: Re: [-mm patch] seccomp: don't say it was more or less mandatory
Date: Wed, 16 Mar 2005 14:41:50 +0100
Message-ID: <20050316134150.GA24970@elte.hu>
In-Reply-To: <20050316104618.GB11192@opteron.random>


* Andrea Arcangeli <andrea@cpushare.com> wrote:

> > obviously the irq and sys_read/sys_write code is way too complex to be
> > mathematically provable in the near future.
> 
> Math provable is irrelevant with real software world since nobody has
> enough resources to demonstrate math correctness.

(this is becoming tangential, but i'd not be as brave to suggest that
formal provability of real software is irrelevant. It's not feasible
today and probably not feasible in the near future. What tomorrow brings
we cannot know.)

> > sorry, but if an attacker can cause arbitrary signals to be sent to your
> > secure application (and the signals pass the security checks!) then you
> > have much bigger problems!
> 
> It's not the attacker that sends the signal! It's a buggy application
> coming from the CDs, like a videogame hitting a bug.

well, for an attack to become possible, it's the attacker that has to be
able to trigger it. By your logic i could say: 'many people use empty
passwords for root, so it could easily happen that a seccomp box gets
compromised that way'. The fact that sending SIGCONT to the seccomp
application _seems_ to be more related to the security of the ptrace
solution does not make it any more relevant in reality than the root
password issue. (But i guess after many years i should be wiser not to
get into such arguments with you.) And i've yet to see applications
sending spurious SIGCONT's to each other 'by accident'.

OTOH, i accept your point that a 'no way back' kernel-enforced kind of
sandbox (which seccomp provides and ptrace doesn't) is a useful concept.

	Ingo
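The "no way back" property Ingo concedes at the end can be observed directly. The following C program is an added illustration, not part of the original message or of the kernel sources: it forks a child that enters seccomp strict mode (mode 1, the only seccomp mode that existed in 2005) through prctl(PR_SET_SECCOMP), then has the child try either to switch seccomp off again or to make one harmless but non-whitelisted syscall (getpid). The function and enum names are my own. It assumes a Linux kernel built with seccomp, and reports PROBE_UNAVAILABLE where strict mode cannot be entered at all, for example because a seccomp filter is already active in the container running it.

```c
/* Added example (not from the thread or the kernel tree): probe what the
 * kernel does once a process has entered seccomp strict mode.
 * Assumes Linux with seccomp; all names below are this example's own. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef PR_SET_SECCOMP
#define PR_SET_SECCOMP 22
#endif
#ifndef SECCOMP_MODE_DISABLED
#define SECCOMP_MODE_DISABLED 0
#endif
#ifndef SECCOMP_MODE_STRICT
#define SECCOMP_MODE_STRICT 1
#endif

/* Outcomes reported by probe_strict_mode(). */
enum probe_result {
    PROBE_ENFORCED = 0,    /* child was SIGKILLed by the kernel, as expected */
    PROBE_UNAVAILABLE = 1, /* prctl refused strict mode (e.g. a filter is already active) */
    PROBE_ESCAPED = 2,     /* the forbidden syscall returned: sandbox not enforced */
    PROBE_ERROR = 3        /* fork/waitpid failed or the child exited unexpectedly */
};

enum probe_kind {
    PROBE_TRY_DISABLE, /* child tries to turn seccomp off again with prctl() */
    PROBE_TRY_GETPID   /* child makes a harmless but non-whitelisted syscall */
};

/* Only the raw exit syscall is on the strict-mode whitelist; glibc's _exit()
 * issues exit_group first, which would itself be fatal inside strict mode. */
static void strict_exit(int code)
{
    syscall(SYS_exit, code);
    for (;;) { }
}

static enum probe_result probe_strict_mode(enum probe_kind kind)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_ERROR;

    if (pid == 0) {
        /* Child: from here on only read, write, exit and sigreturn are allowed. */
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0) != 0)
            _exit(PROBE_UNAVAILABLE);   /* still unsandboxed, so a normal _exit is fine */

        static const char msg[] = "child: strict mode entered\n";
        write(STDOUT_FILENO, msg, sizeof msg - 1);   /* write() is whitelisted */

        if (kind == PROBE_TRY_DISABLE)
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_DISABLED, 0, 0, 0); /* fatal: prctl not whitelisted */
        else
            syscall(SYS_getpid);                                   /* fatal: getpid not whitelisted */

        /* Reaching this line would mean the kernel let a forbidden syscall through. */
        strict_exit(PROBE_ESCAPED);
    }

    int status;
    if (waitpid(pid, &status, 0) != pid)
        return PROBE_ERROR;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL)
        return PROBE_ENFORCED;
    if (WIFEXITED(status)) {
        int code = WEXITSTATUS(status);
        if (code == PROBE_UNAVAILABLE || code == PROBE_ESCAPED)
            return (enum probe_result)code;
    }
    return PROBE_ERROR;
}

int main(void)
{
    static const char *names[] = { "enforced (SIGKILL)", "unavailable", "ESCAPED", "error" };
    printf("try to disable seccomp: %s\n", names[probe_strict_mode(PROBE_TRY_DISABLE)]);
    printf("try getpid():           %s\n", names[probe_strict_mode(PROBE_TRY_GETPID)]);
    return 0;
}
```

On a kernel that lets the child enter strict mode, both probes report `enforced (SIGKILL)`: the kernel whitelists only read, write, exit and sigreturn and terminates the process on any other syscall, including the very prctl that would be needed to leave the mode, which is exactly what makes this sandbox kernel-enforced rather than something a supervising process (as with ptrace) has to keep holding up. The child exits through the raw exit syscall rather than _exit() because glibc's _exit() uses exit_group, which is not on that whitelist.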
