User: Password:
|
|
Subscribe / Log in / New account

Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF

From:  Andrew Lutomirski <luto-AT-mit.edu>
To:  Steven Rostedt <rostedt-AT-goodmis.org>
Subject:  Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF
Date:  Thu, 12 Jan 2012 08:14:25 -0800
Message-ID:  <CAObL_7GVo8rH=Knv=t5VtJG24m7tY9MhNf9QNah+8G9oYiXo6g@mail.gmail.com>
Cc:  Will Drewry <wad-AT-chromium.org>, linux-kernel-AT-vger.kernel.org, keescook-AT-chromium.org, john.johansen-AT-canonical.com, serge.hallyn-AT-canonical.com, coreyb-AT-linux.vnet.ibm.com, pmoore-AT-redhat.com, eparis-AT-redhat.com, djm-AT-mindrot.org, torvalds-AT-linux-foundation.org, segoon-AT-openwall.com, jmorris-AT-namei.org, scarybeasts-AT-gmail.com, avi-AT-redhat.com, penberg-AT-cs.helsinki.fi, viro-AT-zeniv.linux.org.uk, mingo-AT-elte.hu, akpm-AT-linux-foundation.org, khilman-AT-ti.com, borislav.petkov-AT-amd.com, amwang-AT-redhat.com, oleg-AT-redhat.com, ak-AT-linux.intel.com, eric.dumazet-AT-gmail.com, gregkh-AT-suse.de, dhowells-AT-redhat.com, daniel.lezcano-AT-free.fr, linux-fsdevel-AT-vger.kernel.org, linux-security-module-AT-vger.kernel.org, olofj-AT-chromium.org, mhalcrow-AT-google.com, dlaor-AT-redhat.com
Archive-link:  Article

On Thu, Jan 12, 2012 at 7:43 AM, Steven Rostedt <rostedt@goodmis.org> wrote:
> On Wed, 2012-01-11 at 11:25 -0600, Will Drewry wrote:
>
>> Filter programs may _only_ cross the execve(2) barrier if last filter
>> program was attached by a task with CAP_SYS_ADMIN capabilities in its
>> user namespace.  Once a task-local filter program is attached from a
>> process without privileges, execve will fail.  This ensures that only
>> privileged parent task can affect its privileged children (e.g., setuid
>> binary).
>
> This means that a non privileged user can not run another program with
> limited features? How would a process exec another program and filter
> it? I would assume that the filter would need to be attached first and
> then the execv() would be performed. But after the filter is attached,
> the execv is prevented?
>
> Maybe I don't understand this correctly.

Time to resurrect execve_nosecurity?  If so, then the rule could be
simplified to: seccomp programs cannot use normal execve at all.

The longer I linger on lists and see neat ideas like this, the more I
get annoyed that execve is magical.  I dream of a distribution that
doesn't use setuid, file capabilities, selinux transitions on exec, or
any other privilege changes on exec *at all*.  I think that the only
things missing in the kernel (other than something intelligent to do
about SELinux) are execve_nosecurity and the ability for a normal
program to wait for an unrelated program to finish (or some other way
that a program can ask a daemon to spawn a privileged program for it
and then to cleanly wait for that program to finish in a way that
could survive re-exec of the daemon).

--Andy

>
> -- Steve
>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



(Log in to post comments)


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds