Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF

From: Will Drewry
Date: Thu Jan 12 2012 - 17:18:53 EST

Next message: J. Bruce Fields: "nfsd changes for 3.3"
Previous message: Theodore Tso: "Re: [PATCH] fs: Fix mod_timer crash when removing USB sticks"
In reply to: Linus Torvalds: "Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF"
Next in thread: Andrew Lutomirski: "Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Jan 12, 2012 at 11:40 AM, Steven Rostedt <rostedt@xxxxxxxxxxx> wrote:
> On Thu, 2012-01-12 at 17:30 +0000, Jamie Lokier wrote:
>
>> You can do this now, using ptrace(). It's horrible, but half of the
>> horribleness is needing to understand machine-dependent registers,
>> which this new patch doesn't address. (The other half is a ton of
>> undocumented but important ptrace() behaviours on Linux.)
>
> Yeah I know the horrid use of ptrace, I've implemented programs that use
> it :-p
>
> I guess ptrace can capture the execv and determine if it is OK or not to
> run it. But again, this doesn't stop the possible attacks that could
> happen, with having the execv on a symlink file, having the ptrace check
> say its OK, and then switching the symlink to a setuid file.
>
> When the new execv executed, the parent process would lose all control
> over it. The idea is to prevent this.
>
> I like Alan's suggestion. Have userspace decide to allow execv or not,
> and even let it decide if it should allow setuid execv's or not, but
> still allow non-setuid execvs. If you allow the setuid execv, once that
> happens, the same behavior will occur as with ptrace. A setuid execv
> will lose all its filtering.

In the ptrace case, doesn't it just downgrade the privileges of the new process
if there is a tracer, rather than detach the tracer?

Ignoring that, I've been looking at system call filters as being equivalent to
something like the caps bounding set. Once reduced, there's no going
back. I think Linus's proposal perfectly resolves the policy decision around
suid execution behavior in the run-with-privs or not scenarios (just like with
how ptrace does it). However, I'd like to avoid allowing any process to
escape system call filters once installed. (It's doable to add
suid/caps-based-bypass, but it certainly not ideal from my perspective.)

cheers,
will
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: J. Bruce Fields: "nfsd changes for 3.3"
Previous message: Theodore Tso: "Re: [PATCH] fs: Fix mod_timer crash when removing USB sticks"
In reply to: Linus Torvalds: "Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF"
Next in thread: Andrew Lutomirski: "Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]