Re: Using ftrace/perf as a basis for generic seccomp
From: Eric Paris
Date: Fri Feb 04 2011 - 11:37:26 EST
On Thu, 2011-02-03 at 23:06 +0100, Stefan Fritsch wrote:
> - only allow syscalls in the mode (non-compat/compat) that the prctl
> call was made in
This is what I was thinking. If it was a compat task when it dropped
things from the set of syscalls we should implicitly deny all non-compat
syscalls, and vice versa.
> - deny exec of setuid/setgid binaries
> - deny exec of binaries with filesystem capabilities
I think both of these are wrong to try to address here. The right way
to handle these is to
1) set prctl(SECBIT_NOROOT)
2) drop all caps from the bset, pP, pE, and pI
3) make sure the setuid(2) syscall (not to be confused with SETUID
filesystem bit) is not in the set of allowed syscalls. Thus rendering
suid and file with fcaps irrelevant.
-Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/