Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering
From: Valdis . Kletnieks
Date: Thu May 26 2011 - 13:39:56 EST
On Thu, 26 May 2011 12:02:45 CDT, Will Drewry said:
> Absolutely - that was what I meant :/ The patches do not currently
> check creds at creation or again at use, which would lead to
> unprivileged filters being used in a privileged context. Right now,
> though, if setuid() is not allowed by the seccomp-filter, the process
> will be immediately killed with do_exit(SIGKILL) on call -- thus
> avoiding a silent failure.
How do you know you have the bounding set correct?
This has been a long-standing issue for SELinux policy writing - it's usually
easy to get 95% of the bounding box right (you need these rules for shared
libraries, you need these rules to access the user's home directory, you need
these other rules to talk TCP to the net, etc). There's a nice tool that
converts any remaining rejection messages into rules you can add to the policy.
The problem is twofold: (a) that way you can never be sure you got *all* the
rules right and (b) the missing rules are almost always in squirrelly little
error-handling code that gets invoked once in a blue moon. So in this case,
you end up with trying to debug the SIGKILL that happened when the process was
already in trouble for some other reason...
"Wow. Who would have guessed that program only called gettimeofday() in
the error handler for when it was formatting its crash message?"
Exactly.
Attachment:
pgp00000.pgp
Description: PGP signature