Re: secure computing for 2.6.7

From: David Wagner
Date: Mon Aug 02 2004 - 02:04:54 EST


Andrea Arcangeli wrote:
>On Sun, Aug 01, 2004 at 06:29:05PM +0100, chris@xxxxxxxxxxxxxxxx wrote:
>> How hard would it be to have a per-task bitmap of syscalls allowed?
>
>your app will have then to learn about the syscall details of every
>arch (which is normally a kernel internal thing),

I'm not convinced this is a big deal. In security, you always white
list known safe operations (never black list unsafe ones!). Therefore,
you only white list the ones you know, and the result will be fail-safe
when porting to new architectures.

If the only hard case is *sigreturn(), it's not too hard to hard-code
that once and be done with it.

It seems like a bitmap will be much more flexible. I already spotted
issues with the list of syscalls someone else posted (it included open(),
if I recall correctly), and I bet others would dislike any list I would
come up with. My experience working with experimental tools like these
is that different apps may need different restrictions.

>the syscall numbers vary across every arch

Isn't that what #include <sys/syscall.h> is for?
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
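The per-task bitmap Chris asks about, and the fail-safe whitelisting David argues for, sketched as an added example in userspace C. This is not code from the thread or from the kernel: the policy type, its functions, the choice of read/write/exit as the permitted set, and the recorded syscall trace are all constructed here for illustration. It does use real `SYS_*` names from `<sys/syscall.h>` so the same source names the right numbers on each architecture, and it hard-codes the signal-return syscall(s) once, guarded with `#ifdef` because the architectures differ in which one they have.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>   /* SYS_* -> this architecture's syscall numbers */

/* Upper bound on the syscall numbers tracked; chosen for the example. */
#define SYSCALL_MAX 1024
#define WORD_BITS   (sizeof(unsigned long) * CHAR_BIT)
#define BITMAP_WORDS ((SYSCALL_MAX + WORD_BITS - 1) / WORD_BITS)

/* Hypothetical per-task policy: bit nr set means syscall nr is permitted. */
struct syscall_policy {
    unsigned long allowed[BITMAP_WORDS];
};

/* Start from deny-all: nothing is permitted until explicitly whitelisted. */
void policy_init(struct syscall_policy *p)
{
    memset(p, 0, sizeof *p);
}

/* Whitelist one syscall number; refuses (and changes nothing) out of range. */
bool policy_allow(struct syscall_policy *p, long nr)
{
    if (nr < 0 || nr >= SYSCALL_MAX)
        return false;
    p->allowed[nr / WORD_BITS] |= 1UL << (nr % WORD_BITS);
    return true;
}

/* Default deny: unknown or out-of-range numbers are never permitted, which
 * is what makes a whitelist fail-safe on an architecture nobody audited. */
bool policy_permits(const struct syscall_policy *p, long nr)
{
    if (nr < 0 || nr >= SYSCALL_MAX)
        return false;
    return (p->allowed[nr / WORD_BITS] >> (nr % WORD_BITS)) & 1UL;
}

/* Illustrative minimal policy: read, write, exit, plus the signal-return
 * syscall(s) the kernel invokes on the task's behalf, hard-coded once. */
void policy_minimal(struct syscall_policy *p)
{
    policy_init(p);
    policy_allow(p, SYS_read);
    policy_allow(p, SYS_write);
    policy_allow(p, SYS_exit);
#ifdef SYS_exit_group
    policy_allow(p, SYS_exit_group);
#endif
#ifdef SYS_sigreturn
    policy_allow(p, SYS_sigreturn);
#endif
#ifdef SYS_rt_sigreturn
    policy_allow(p, SYS_rt_sigreturn);
#endif
}

/* Check nr against the minimal policy (convenience for callers/tests). */
bool minimal_permits(long nr)
{
    struct syscall_policy p;
    policy_minimal(&p);
    return policy_permits(&p, nr);
}

/* Walk a recorded sequence of syscall numbers; return the index of the
 * first one the policy rejects, or -1 if every call was permitted. */
long policy_first_violation(const struct syscall_policy *p,
                            const long *trace, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!policy_permits(p, trace[i]))
            return (long)i;
    return -1;
}

/* Constructed trace: a well-behaved exchange, then an attempt to open a
 * file, then exit. openat is used because not every arch has open. */
static const long demo_trace[] = { SYS_read, SYS_write, SYS_write,
                                   SYS_openat, SYS_exit };
#define DEMO_TRACE_LEN (sizeof demo_trace / sizeof demo_trace[0])

/* Index of the first rejected call in the constructed trace. */
long demo_first_violation(void)
{
    struct syscall_policy p;
    policy_minimal(&p);
    return policy_first_violation(&p, demo_trace, DEMO_TRACE_LEN);
}

int main(void)
{
    long idx = demo_first_violation();
    if (idx < 0)
        printf("trace fully permitted\n");
    else
        printf("first denied call at index %ld (syscall %ld)\n",
               idx, demo_trace[idx]);
    return 0;
}
```

Because the numbers come from `<sys/syscall.h>`, the same policy source compiles to the correct bitmap on each architecture without the application knowing the numbering; anything the build's headers do not name simply stays denied.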