User: Password:
|
|
Subscribe / Log in / New account

Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF

From:  Linus Torvalds <torvalds-AT-linux-foundation.org>
To:  Steven Rostedt <rostedt-AT-goodmis.org>
Subject:  Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF
Date:  Thu, 12 Jan 2012 09:09:31 -0800
Message-ID:  <CA+55aFw2yigXqfiKMH4aZ9w8dOkAEB0cZ2m4ZUEhiddnrQuueg@mail.gmail.com>
Cc:  Andrew Lutomirski <luto-AT-mit.edu>, Will Drewry <wad-AT-chromium.org>, linux-kernel-AT-vger.kernel.org, keescook-AT-chromium.org, john.johansen-AT-canonical.com, serge.hallyn-AT-canonical.com, coreyb-AT-linux.vnet.ibm.com, pmoore-AT-redhat.com, eparis-AT-redhat.com, djm-AT-mindrot.org, segoon-AT-openwall.com, jmorris-AT-namei.org, scarybeasts-AT-gmail.com, avi-AT-redhat.com, penberg-AT-cs.helsinki.fi, viro-AT-zeniv.linux.org.uk, mingo-AT-elte.hu, akpm-AT-linux-foundation.org, khilman-AT-ti.com, borislav.petkov-AT-amd.com, amwang-AT-redhat.com, oleg-AT-redhat.com, ak-AT-linux.intel.com, eric.dumazet-AT-gmail.com, gregkh-AT-suse.de, dhowells-AT-redhat.com, daniel.lezcano-AT-free.fr, linux-fsdevel-AT-vger.kernel.org, linux-security-module-AT-vger.kernel.org, olofj-AT-chromium.org, mhalcrow-AT-google.com, dlaor-AT-redhat.com
Archive-link:  Article

On Thu, Jan 12, 2012 at 8:27 AM, Steven Rostedt <rostedt@goodmis.org> wrote:
>
> In that case, just have execv fail if filtering is enabled and we are
> execing a setuid program. But I don't see why non "magical" execv's
> should be prohibited.

The whole "fail security escalations" thing goes way beyond just
filtering, I think we could seriously try to make it a generic
feature.

For example, somebody just asked me the other day why "chroot()"
requires admin privileges, since it would be good to limit even
non-root things.

And it's really the exact same issue as filtering: in some sense,
chroot() "filters" FS name lookups, and can be used to fool programs
that are written to be secure.

We could easily introduce a per-process flag that just says "cannot
escalate privileges". Which basically just disables execve() of
suid/sgid programs (and possibly other things too), and locks the
process to the current privileges. And then make the rule be that *if*
that flag is set, you can then filter across an execve, or chroot as a
normal user, or whatever.

There are probably other things like that - things like allowing users
to do bind mounts etc - that aren't dangerous in themselves, but that
are dangerous mainly because they can be used to fool things into
privilege escalations. So this is definitely not a filter-only issue.

                       Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



(Log in to post comments)


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds