Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system callfiltering
From: Gleb Natapov
Date: Thu May 26 2011 - 06:47:17 EST
On Thu, May 26, 2011 at 12:38:36PM +0200, Ingo Molnar wrote:
>
> * Gleb Natapov <gleb@xxxxxxxxxx> wrote:
>
> > On Thu, May 26, 2011 at 11:57:51AM +0300, Pekka Enberg wrote:
> > > Hi Avi,
> > >
> > > On Thu, May 26, 2011 at 11:49 AM, Avi Kivity <avi@xxxxxxxxxx> wrote:
> > >
> > > > You mean each thread will have a different security context? I
> > > > don't see the point. All threads share all of memory so it
> > > > would be trivial for one thread to exploit another and gain all
> > > > of its privileges.
> > >
> > > So how would that happen? I'm assuming that once the security
> > > context has been set up for a thread, you're not able to change
> > > it after that. You'd be able to exploit other threads through
> > > shared memory but how would you gain privileges?
> >
> > By tricking other threads to execute code for you. Just replace
> > return address on the other's thread stack.
>
> That kind of exploit is not possible if the worker pool consists of
> processes - which would be rather easy to achieve with tools/kvm/.
>
Well, of course. There original question was about threads.
> In that model each process has its own stack, not accessible to other
> worker processes. They'd only share the guest RAM image and some
> (minimal) global state.
>
> This way the individual devices are (optionally) isolated from each
> other. In a way this is a microkernel done right ;-)
>
But doesn't this design suffer the same problem as microkernel? Namely
a lot of slow IPCs?
--
Gleb.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/