Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system callfiltering

From: Ingo Molnar
Date: Thu May 26 2011 - 14:54:44 EST



* Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:

> And if you filter system calls, it's entirely possible that you can
> attack suid executables through such a vector. Your "limit system
> calls for security" security suddenly turned into "avoid the system
> call that made things secure"!

That should not be possible with Will's event filter based solution
(his last submitted patch), due to this code in fs/exec.c (which is
in your upstream tree as well):

/*
* Flush performance counters when crossing a
* security domain:
*/
if (!get_dumpable(current->mm))
perf_event_exit_task(current);

This will drop all filters if a setuid-root (or whatever setuid)
binary is executed from a filtered environment.

Does this cover the case you were thinking of?

Thanks,

Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/