From: Paul Moore <pmoore@redhat.com>
To: Namsun Ch'o <namnamc@safe-mail.net>
Cc: qemu-devel@nongnu.org, eduardo.otubo@profitbricks.com
Subject: Re: [Qemu-devel] [PATCH v2] Add argument filters to the seccomp sandbox
Date: Tue, 29 Sep 2015 18:12:17 -0400 [thread overview]
Message-ID: <2847918.LyRAQidd07@sifl> (raw)
In-Reply-To: <N1-IUU_41wMS2@Safe-mail.net>
On Monday, September 28, 2015 11:14:42 PM Namsun Ch'o wrote:
> > My understanding of the config file you proposed is that it would allow
> > the
> > configuration of a whitelist, so changes to the config very could result
> > in
> > *less* strict of a filter, not always more.
>
> No. Any time an administrator wants a syscall that is not enabled in the
> sandbox, they either don't actually need it, or it's a bug and should be
> fixed. So all the config would do is add argument filters to syscalls which
> are already whitelisted.
If the syscall, without arguments, is already added to the whitelist then
adding a new libseccomp rule to allow that same syscall with specific
arguments will have no effect since a broader rule already exists in the
filter.
> The alternative would be that the syscalls are given no further argument
> filtering. The config could only make the filteres more restrictive, never
> less.
I still don't see how this is the case, but it probably isn't worth arguing
any further without some patches.
> Perhaps there could be a #define somewhere that toggles whether or not a
> syscall argument filter can be created for a syscall which is not in the
> built-in whitelist, otherwise it would throw an error saying that you cannot
> create an argument filter for a syscall that is not permitted.
I would argue you should never be able to add a syscall to the whitelist via a
config file and/or command line option, but that is my opinion.
--
paul moore
security @ redhat
next prev parent reply other threads:[~2015-09-29 22:12 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-29 3:14 [Qemu-devel] [PATCH v2] Add argument filters to the seccomp sandbox Namsun Ch'o
2015-09-29 15:38 ` Eduardo Otubo
2015-09-29 22:12 ` Paul Moore [this message]
[not found] <d55ad1eed872006f0634c3e0067553a5@airmail.cc>
2015-10-01 7:17 ` Markus Armbruster
-- strict thread matches above, loose matches on Subject: below --
2015-09-30 6:41 Namsun Ch'o
2015-10-01 5:58 ` Markus Armbruster
2015-09-28 21:34 Namsun Ch'o
2015-09-29 1:19 ` Paul Moore
2015-09-26 5:06 Namsun Ch'o
2015-09-28 18:24 ` Paul Moore
2015-09-25 4:53 Namsun Ch'o
2015-09-25 17:03 ` Paul Moore
2015-09-11 0:54 namnamc
2015-09-24 9:59 ` Eduardo Otubo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2847918.LyRAQidd07@sifl \
--to=pmoore@redhat.com \
--cc=eduardo.otubo@profitbricks.com \
--cc=namnamc@safe-mail.net \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).