Cook: seccomp filter now in Ubuntu

Cook: seccomp filter now in Ubuntu

Posted Mar 28, 2012 21:34 UTC (Wed) by dpquigl (subscriber, #52852)
In reply to: Cook: seccomp filter now in Ubuntu by Cyberax
Parent article: Cook: seccomp filter now in Ubuntu

That doesn't address the issue that if there is an exploit in that parent process, I can have it install a new filter. The process itself is what installs the filter. Also, from your description here it seems that if you put a filter in bash then no process executed from a shell could use filters. Maybe I'm missing something here. The NNP flag seems completely disjoint from seccomp filtering.


Cook: seccomp filter now in Ubuntu

Posted Mar 28, 2012 23:51 UTC (Wed) by khc (subscriber, #45209)

Or you can just run the exploit code in the parent process; if you have already exploited the parent process, why bother with the child process?

The assumption is the child process is the one that's loading untrusted data, and so is more likely to be exploitable.

Cook: seccomp filter now in Ubuntu

Posted Mar 29, 2012 0:12 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)

khc has already answered about exploiting the parent process.

The NNP flag is a prerequisite for BPF filtering to avoid repeating the infamous Sendmail bug.
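An added illustration of the two points argued in this thread, written for this page and not taken from the article or any commenter: a process must set no_new_privs before the kernel accepts a seccomp-bpf filter (so a filtered process can never regain privilege through a setuid binary whose privileged calls the filter could silently break, the Sendmail-style failure), and a forked child both inherits the parent's filter and can still install its own on top, so a filter in a shell does not stop its children from filtering. The helper names, and fchdir/fchmod as harmless probe syscalls, are my own choices; it assumes Linux 3.5 or later on x86_64 or aarch64.

```c
#include <errno.h>
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __x86_64__
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
/* Set no_new_privs, then install a filter that makes syscall `nr` fail with EPERM.
 * Without no_new_privs (or CAP_SYS_ADMIN) the kernel rejects the filter outright. */
static int deny_syscall(int nr)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),   /* foreign ABI: kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fp = { sizeof prog / sizeof prog[0], prog };
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 &&
           prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp) == 0;
}
/* 1 if `nr` is filtered; fd -1 makes an unfiltered fchdir/fchmod fail with EBADF instead. */
static int denied(long nr)
{
    errno = 0;
    syscall(nr, -1, 0);
    return errno == EPERM;
}
/* Filter this process, then check that a forked child inherits the filter and can still add one. */
int seccomp_inheritance_demo(void)
{
    int st = 0;
    pid_t pid = (!denied(SYS_fchdir) && deny_syscall(SYS_fchdir) && denied(SYS_fchdir)) ? fork() : -1;
    if (pid == 0)   /* child: inherited filter still applies, and stacking a second one works */
        _exit(!(denied(SYS_fchdir) && !denied(SYS_fchmod) && deny_syscall(SYS_fchmod)
                && denied(SYS_fchdir) && denied(SYS_fchmod)));
    return pid > 0 && waitpid(pid, &st, 0) == pid && WIFEXITED(st) && !WEXITSTATUS(st);
}
```

Note that the calling process is left with no_new_privs set and fchdir filtered, which is the point: a filter, once installed, is not something the process or its descendants can drop.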

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds