Re: [-mm patch] seccomp: don't say it was more or less mandatory

From: Ingo Molnar
Date: Tue Mar 15 2005 - 09:48:21 EST



* Andrea Arcangeli <andrea@xxxxxxxxxxxx> wrote:

> > technical comment: seccomp goes outside the audit/selinux framework,
> > which i believe is a bug. Andrea?
>
> I intentionally left it out of audit/selinux. The fewer dependencies
> it has on other parts of the kernel and the simpler it is, the better
> IMHO. Seccomp should be fixed in stone, people shouldn't go hack on it
> every day.

let me put it another way: this is a security hole. seccomp is now a way
to evade the auditing of read/write syscalls done to an opened file.
Please fix this.

Ingo