From: andrea@cpushare.com
To: Albert Cahalan <acahalan@gmail.com>
Cc: torvalds@osdl.org, ak@suse.de, mingo@elte.hu,
alan@lxorguk.ukuu.org.uk, arjan@infradead.org, bunk@stusta.de,
akpm@osdl.org, rlrevell@joe-job.com,
linux-kernel@vger.kernel.org
Subject: Re: [patch] let CONFIG_SECCOMP default to n
Date: Thu, 13 Jul 2006 09:07:18 +0200 [thread overview]
Message-ID: <20060713070718.GC28310@opteron.random> (raw)
In-Reply-To: <787b0d920607122243g24f5a003p1f004c9a1779f75c@mail.gmail.com>
Hello,
On Thu, Jul 13, 2006 at 01:43:42AM -0400, Albert Cahalan wrote:
> SECCOMP is a good idea, but currently a tad too limiting.
> There are a few dozen system calls that would be safe and useful,
> particularly those related to signals, memory, and synchronization.
malloc/free can be emulated in userland so that's not a big
problem. All the rest is a problem instead, unmodified software just
won't run.
seccomp mode 1 is the absolute minimum you need to compute ;). Every
single syscall we add it gets less secure. Several exploits happened
in mremap for example, even if at first glance it may sound a safe
syscall. It's safe now, but it may get buggy again later as new
features are being added.
I'd be skeptical adding seccomp mode 2 with more syscalls, otherwise
it's better to make it more flexible and to specify the syscalls to
allow from userland (which I'm not against if you've usages for it).
>From my part to go beyond seccomp, as jail for the interpreters I'll
probably use virtualization like ourgrid and tycoon (seccomp is the
safest and simplest mode but there's simply no way to run an
interpreter under it ;).
next prev parent reply other threads:[~2006-07-13 7:06 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-07-13 5:43 [patch] let CONFIG_SECCOMP default to n Albert Cahalan
2006-07-13 7:04 ` utrace vs. ptrace Ingo Molnar
2006-07-13 9:24 ` Ingo Molnar
2006-07-13 12:37 ` Andi Kleen
2006-07-13 12:43 ` Ingo Molnar
2006-07-13 13:21 ` Andi Kleen
2006-07-13 13:28 ` Arjan van de Ven
2006-07-13 13:34 ` Andi Kleen
2006-07-13 13:37 ` Arjan van de Ven
2006-07-13 13:46 ` Andi Kleen
2006-07-13 19:05 ` Linus Torvalds
2006-07-13 19:47 ` Ingo Molnar
2006-07-14 10:42 ` Paul Jackson
2006-07-25 18:49 ` Alan Cox
2006-07-25 18:27 ` Linus Torvalds
2006-07-25 18:57 ` Olaf Hering
2006-07-25 19:12 ` Ingo Molnar
2006-07-26 0:20 ` Martin Bligh
2006-07-13 7:07 ` andrea [this message]
[not found] <6tgj0-8ip-19@gated-at.bofh.it>
[not found] ` <6xP8s-5mc-9@gated-at.bofh.it>
[not found] ` <6xUhQ-4Wx-33@gated-at.bofh.it>
[not found] ` <6xVdX-6oH-53@gated-at.bofh.it>
[not found] ` <6xVnz-6AI-21@gated-at.bofh.it>
[not found] ` <6xZUd-4Es-13@gated-at.bofh.it>
[not found] ` <6y7yy-7ws-13@gated-at.bofh.it>
[not found] ` <6y7RK-7TX-9@gated-at.bofh.it>
2006-07-17 11:37 ` [patch] let CONFIG_SECCOMP default to n Bodo Eggert
-- strict thread matches above, loose matches on Subject: below --
2006-07-12 21:37 Chuck Ebbert
2006-07-12 21:55 ` Linus Torvalds
2006-07-12 22:48 ` andrea
2006-07-12 21:57 ` Andi Kleen
2006-06-29 19:21 [2.6 patch] " Adrian Bunk
2006-06-30 0:44 ` Lee Revell
2006-06-30 1:07 ` Andrew Morton
2006-06-30 1:40 ` Adrian Bunk
2006-06-30 4:52 ` Andrea Arcangeli
2006-06-30 9:47 ` Ingo Molnar
2006-06-30 14:58 ` andrea
2006-07-11 7:36 ` [patch] " Ingo Molnar
2006-07-11 14:17 ` andrea
2006-07-11 14:32 ` Arjan van de Ven
2006-07-11 15:31 ` andrea
2006-07-11 15:54 ` Arjan van de Ven
2006-07-11 16:13 ` andrea
2006-07-11 16:23 ` Arjan van de Ven
2006-07-11 16:57 ` Alan Cox
2006-07-11 16:25 ` Alan Cox
2006-07-11 16:02 ` Adrian Bunk
2006-07-11 16:16 ` andrea
2006-07-11 16:24 ` Alan Cox
2006-07-12 15:43 ` Andi Kleen
2006-07-12 21:07 ` Ingo Molnar
2006-07-12 22:06 ` Andi Kleen
2006-07-12 22:19 ` Ingo Molnar
2006-07-12 22:33 ` Andi Kleen
2006-07-12 22:49 ` Ingo Molnar
2006-07-13 3:16 ` Andrea Arcangeli
2006-07-13 11:23 ` Jeff Dike
2006-07-13 11:35 ` Ingo Molnar
2006-07-13 3:04 ` Andrea Arcangeli
2006-07-13 3:12 ` Linus Torvalds
2006-07-13 4:40 ` Andrea Arcangeli
2006-07-13 4:51 ` andrea
2006-07-13 5:12 ` Linus Torvalds
2006-07-13 6:22 ` andrea
2006-07-13 1:51 ` Andrew Morton
2006-07-13 2:00 ` Linus Torvalds
2006-07-13 7:44 ` James Bruce
2006-07-13 8:34 ` andrea
2006-07-13 9:18 ` Andrew Morton
2006-07-13 12:13 ` Andi Kleen
2006-07-12 21:22 ` Ingo Molnar
2006-07-12 22:11 ` Andi Kleen
2006-07-11 15:54 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060713070718.GC28310@opteron.random \
--to=andrea@cpushare.com \
--cc=acahalan@gmail.com \
--cc=ak@suse.de \
--cc=akpm@osdl.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=arjan@infradead.org \
--cc=bunk@stusta.de \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=rlrevell@joe-job.com \
--cc=torvalds@osdl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox