Cook: seccomp filter now in Ubuntu

Posted Mar 27, 2012 16:35 UTC (Tue) by cmccabe (guest, #60281)
Parent article: Cook: seccomp filter now in Ubuntu

This seems like a great idea. As others have commented, to actually work, system call filtering has to be done from the kernel side, and this seems like a great way to do it.

We should have done this way earlier. Perhaps one day we can rip out the LSM hooks and replace them with attachment points for BPF code. That would remove a lot of ugly policy from the kernel, but provide the needed mechanisms.


Cook: seccomp filter now in Ubuntu

Posted Mar 27, 2012 19:48 UTC (Tue) by dpquigl (subscriber, #52852)

That would be an absolutely horrible idea. seccomp does not replace a proper access control model. First of all, it only restricts what syscalls can be called and not how they may be called. Second, it relies on each and every program to tell it what it needs. There is nothing in seccomp that says what files a particular confined process may touch. Whether it be SELinux/GRSecurity/AppArmor/SMACK/TOMOYO, you need an actual access control model to control what resources are accessed in the system. The GRSecurity people have a point that the LSM is less than ideal, as it provides convenient hook points for malicious code, but there is no removing them without settling on one security model for the kernel to replace LSM, and that is never going to happen.

The way LSM works, most if not all of the modules only provide the mechanism. It's up to the user to plug in the policy (Smack is the exception from what I understand). The whole purpose of things like SELinux and other LSMs is to separate policy from mechanism. Original MAC implementations hardcoded policy into the operating system. Modern systems separate the policy out to provide flexibility.
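The file-access point raised in the comment above, as an added example that is not part of the thread: a seccomp filter receives only `struct seccomp_data` (syscall number, architecture, six raw argument values), so a rule on `openat(2)` applies to every path alike. The function names and the two sample paths are assumptions chosen for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Filter: openat(2) fails with EACCES, every other syscall is allowed.
 * The pathname argument is a user-space pointer the filter cannot follow.
 * A production filter would also check seccomp_data.arch first. */
static int install_filter(void)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Raw openat so the libc wrapper cannot pick a different syscall. */
static int try_open(const char *path)
{
    long fd = syscall(__NR_openat, AT_FDCWD, path, O_RDONLY);
    if (fd < 0) return errno;
    close((int)fd);
    return 0;
}

/* 0: both paths refused identically; 1: they were not; 2: filter not installable */
int demo(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_filter() != 0) _exit(2);
        _exit(try_open("/etc/hostname") == EACCES && try_open("/dev/null") == EACCES ? 0 : 1);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
int main(void) { return demo(); }
```

The filter is installed in a forked child so the calling process stays unrestricted; deciding per file is left to whatever access control model runs alongside it.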

Cook: seccomp filter now in Ubuntu

Posted Mar 27, 2012 20:58 UTC (Tue) by slashdot (guest, #22014)

Great plan!

Then, we can rewrite the kernel in Python and only support running programs written in Visual Basic, so that we get rid of all that pesky and hard to understand C code.

Cook: seccomp filter now in Ubuntu

Posted Mar 29, 2012 11:50 UTC (Thu) by deepfire (subscriber, #26138)

You live in a scary, black-and-white-only world.

I'm afraid of your patterns of thinking.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds