|From:||Linus Torvalds <torvalds-AT-linux-foundation.org>|
|To:||Steven Rostedt <rostedt-AT-goodmis.org>|
|Subject:||Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF|
|Date:||Thu, 12 Jan 2012 09:09:31 -0800|
|Cc:||Andrew Lutomirski <luto-AT-mit.edu>, Will Drewry <wad-AT-chromium.org>, linux-kernel-AT-vger.kernel.org, keescook-AT-chromium.org, john.johansen-AT-canonical.com, serge.hallyn-AT-canonical.com, coreyb-AT-linux.vnet.ibm.com, pmoore-AT-redhat.com, eparis-AT-redhat.com, djm-AT-mindrot.org, segoon-AT-openwall.com, jmorris-AT-namei.org, scarybeasts-AT-gmail.com, avi-AT-redhat.com, penberg-AT-cs.helsinki.fi, viro-AT-zeniv.linux.org.uk, mingo-AT-elte.hu, akpm-AT-linux-foundation.org, khilman-AT-ti.com, borislav.petkov-AT-amd.com, amwang-AT-redhat.com, oleg-AT-redhat.com, ak-AT-linux.intel.com, eric.dumazet-AT-gmail.com, gregkh-AT-suse.de, dhowells-AT-redhat.com, daniel.lezcano-AT-free.fr, linux-fsdevel-AT-vger.kernel.org, linux-security-module-AT-vger.kernel.org, olofj-AT-chromium.org, mhalcrow-AT-google.com, dlaor-AT-redhat.com|
On Thu, Jan 12, 2012 at 8:27 AM, Steven Rostedt <firstname.lastname@example.org> wrote: > > In that case, just have execv fail if filtering is enabled and we are > execing a setuid program. But I don't see why non "magical" execv's > should be prohibited. The whole "fail security escalations" thing goes way beyond just filtering, I think we could seriously try to make it a generic feature. For example, somebody just asked me the other day why "chroot()" requires admin privileges, since it would be good to limit even non-root things. And it's really the exact same issue as filtering: in some sense, chroot() "filters" FS name lookups, and can be used to fool programs that are written to be secure. We could easily introduce a per-process flag that just says "cannot escalate privileges". Which basically just disables execve() of suid/sgid programs (and possibly other things too), and locks the process to the current privileges. And then make the rule be that *if* that flag is set, you can then filter across an execve, or chroot as a normal user, or whatever. There are probably other things like that - things like allowing users to do bind mounts etc - that aren't dangerous in themselves, but that are dangerous mainly because they can be used to fool things into privilege escalations. So this is definitely not a filter-only issue. Linus -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to email@example.com More majordomo info at http://vger.kernel.org/majordomo-info.html
Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds