Systemd gets seccomp filter support

Posted Jul 17, 2012 19:24 UTC (Tue) by iabervon (subscriber, #722)
In reply to: Systemd gets seccomp filter support by walters
Parent article: Systemd gets seccomp filter support

I'm talking about the parent of a process being able to dynamically adjust the policy for the process right before exec. In SELinux, the policy is written by userspace, but the kernel controls determining the security domain during exec(), and that selects the applicable policy, so there's no userspace involvement at the last minute. Userspace isn't necessarily given a chance to react to changes in NSS configuration between when the configuration last changed and starting new restricted processes.

AFAICT, the systemd syntax doesn't exclude the possibility of listing library functions in your syscall list, and having that trigger run-time mutation. And systemd is obviously constructing BPF based on a combination of your list and stuff it knows, if for no other reason than that it has to figure out syscall numbers from names.
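Added example, not part of the comment above and not systemd's code: a sketch of how a list of syscall names can be resolved to numbers and compiled into a seccomp allowlist in classic BPF, with a dry-run interpreter so the result can be checked without installing it. The names `sys_table`, `ins`, `build_filter` and `run_filter` are hypothetical, the allowlist is constructed, and in this sketch a name that is not a syscall (a library function, say) simply fails resolution.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
/* Hypothetical, partial name table; a real tool needs every syscall per arch. */
static const struct { const char *name; long nr; } sys_table[] = {
    {"read", SYS_read}, {"write", SYS_write}, {"close", SYS_close},
    {"openat", SYS_openat}, {"execve", SYS_execve}, {"exit_group", SYS_exit_group},
};
static struct sock_filter ins(uint16_t code, uint8_t jt, uint8_t jf, uint32_t k)
{ struct sock_filter f = { code, jt, jf, k }; return f; }
/* Emit: kill on foreign arch, allow each listed syscall, kill everything else.
 * Returns the instruction count, or -1 for an unknown name or a short buffer. */
int build_filter(const char **names, size_t n, uint32_t arch,
                 struct sock_filter *out, size_t cap) {
    size_t k = 0, t, nt = sizeof sys_table / sizeof *sys_table;
    if (cap < 2 * n + 5) return -1;
    out[k++] = ins(BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, arch));
    out[k++] = ins(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, arch);
    out[k++] = ins(BPF_RET | BPF_K, 0, 0, SECCOMP_RET_KILL);
    out[k++] = ins(BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < n; i++) {
        for (t = 0; t < nt && strcmp(sys_table[t].name, names[i]) != 0; t++) {}
        if (t == nt) return -1;   /* name -> number resolution failed */
        out[k++] = ins(BPF_JMP | BPF_JEQ | BPF_K, 0, 1, (uint32_t)sys_table[t].nr);
        out[k++] = ins(BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ALLOW);
    }
    out[k++] = ins(BPF_RET | BPF_K, 0, 0, SECCOMP_RET_KILL);
    return (int)k;
}
/* Dry-run interpreter for the three opcodes emitted above; installs nothing. */
uint32_t run_filter(const struct sock_filter *p, int len, const struct seccomp_data *d) {
    uint32_t acc = 0;
    for (int pc = 0; pc < len; pc++) {
        if (p[pc].code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const char *)d + p[pc].k, 4);
        else if (p[pc].code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == p[pc].k) ? p[pc].jt : p[pc].jf;
        else return p[pc].k;   /* BPF_RET | BPF_K */
    }
    return SECCOMP_RET_KILL;
}
int main(void) {
    const char *allow[] = { "read", "write", "exit_group" };   /* constructed list */
    struct sock_filter prog[16];
    struct seccomp_data d = { .nr = SYS_execve, .arch = AUDIT_ARCH_X86_64 };
    int len = build_filter(allow, 3, AUDIT_ARCH_X86_64, prog, 16);
    return run_filter(prog, len, &d) == SECCOMP_RET_KILL ? 0 : 1;  /* execve denied */
}
```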


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds