Re: [PATCH v4 03/13] seccomp_filters: new mode with configurablesyscall filters

From: Colin Walters
Date: Mon Jun 06 2011 - 11:25:26 EST


On Mon, Jun 6, 2011 at 8:48 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
> Suppose we did add a MAC check on enabling seccomp. ÂUnder what
> circumstances would we want to deny a process the ability to further
> restrict its own actions?

Well, I could understand a simple argument about limiting the exposed
kernel API; again I know this is sort of ironic, but seccomp is a
pretty complex new API, and there will be processes that *aren't*
using it for whatever reason and might be exploited.

I'm not arguing strongly for this, I just wanted to bring it up. The
set of hooks seems rather inconsistent right now.

Given the above rationale, why for example is there a SELinux access
vector for sched_getscheduler (process:getsched)?

> Denying the ability to enable seccomp could itself lead to
> vulnerabilities, as applications have shown that they often fail to
> check or handle errors from privilege-limiting calls correctly.

Right.

> The situation would differ if seccomp could be enabled for a different
> target process than current, or if it could be inherited across exec.

It's based on prctl() so only affects the current process, and as for
the latter - it looks like the current state is that if seccomp is
active, exec is always disallowed.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/