Re: [libseccomp-discuss] ANN: libseccomp

From: Paul Moore
Date: Mon Apr 16 2012 - 10:15:38 EST

Next message: Gleb Natapov: "Re: kvm: RCU warning in async pf"
Previous message: Laxman Dewangan: "Re: [PATCH] mfd: fix modular builds of rc5t583 regulator support"
In reply to: Paul Moore: "Re: [libseccomp-discuss] ANN: libseccomp"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Friday, April 13, 2012 11:47:08 PM Henrique de Moraes Holschuh wrote:
> On Fri, 13 Apr 2012, Paul Moore wrote:
> > the seccomp filter into the kernel. By default libseccomp attempts to set
> > NO_NEW_PRIVS but does not fail if prctl(NO_NEW_PRIVS) returns with an
> > error;
>
> Isn't that dangerous in non-obvious ways, as in it can actually
> cause/activate/enable/open security issues on priviledged processes that
> don't expect whatever filtering seccomp will subject them to?

We could debate this point but it turns out it is a bit of a non-issue as the
kernel code requires NO_NEW_PRIVS unless CAP_SYS_ADMIN is set; if neither
conditions are true the seccomp filter with fail (check Will's patches).

If prctl(NO_NEW_PRIVS) fails the error is always returned, and the
attribute/boolean to disable this functionality has been removed since it
likely serves little purpose.

> Defaults are important, as they're what people _who don't know any better_
> are likely to use.

Agreed. You'll never hear me argue otherwise.

--
paul moore
www.paul-moore.com

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Gleb Natapov: "Re: kvm: RCU warning in async pf"
Previous message: Laxman Dewangan: "Re: [PATCH] mfd: fix modular builds of rc5t583 regulator support"
In reply to: Paul Moore: "Re: [libseccomp-discuss] ANN: libseccomp"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]