Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering
[Posted May 16, 2011 by corbet]
| From: | James Morris <jmorris-AT-namei.org> |
| To: | Ingo Molnar <mingo-AT-elte.hu> |
| Subject: | Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering |
| Date: | Thu, 12 May 2011 21:44:15 +1000 (EST) |
| Message-ID: | <alpine.LRH.2.00.1105122133500.31507@tundra.namei.org> |
| Cc: | Will Drewry <wad-AT-chromium.org>, linux-kernel-AT-vger.kernel.org, Steven Rostedt <rostedt-AT-goodmis.org>, Frederic Weisbecker <fweisbec-AT-gmail.com>, Eric Paris <eparis-AT-redhat.com>, kees.cook-AT-canonical.com, agl-AT-chromium.org, Peter Zijlstra <a.p.zijlstra-AT-chello.nl>, "Serge E. Hallyn" <serge-AT-hallyn.com>, Ingo Molnar <mingo-AT-redhat.com>, Andrew Morton <akpm-AT-linux-foundation.org>, Tejun Heo <tj-AT-kernel.org>, Michal Marek <mmarek-AT-suse.cz>, Oleg Nesterov <oleg-AT-redhat.com>, Roland McGrath <roland-AT-redhat.com>, Jiri Slaby <jslaby-AT-suse.cz>, David Howells <dhowells-AT-redhat.com>, Russell King <linux-AT-arm.linux.org.uk>, Michal Simek <monstr-AT-monstr.eu>, Ralf Baechle <ralf-AT-linux-mips.org>, Benjamin Herrenschmidt <benh-AT-kernel.crashing.org>, Paul Mackerras <paulus-AT-samba.org>, |
| Archive-link: | Article, Thread |

On Thu, 12 May 2011, Ingo Molnar wrote:

> 2) Why should this concept not be made available wider, to allow the
> restriction of not just system calls but other security relevant components
> of the kernel as well?

Because the aim of this is to reduce the attack surface of the syscall
interface.

LSM is the correct level of abstraction for general security mediation,
because it allows you to take into account all relevant security
information in a race-free context.

> This too, if you approach the problem via the events code, will be a natural
> end result, while if you approach it from the seccomp prctl angle it will be
> a limited hack only.

I'd say it's a well-defined and readily understandable feature.

- James
--
James Morris
<jmorris@namei.org>