Re: [PATCH v4 03/13] seccomp_filters: new mode with configurablesyscall filters
From: Stephen Smalley
Date: Mon Jun 06 2011 - 12:37:30 EST
On Mon, 2011-06-06 at 11:25 -0400, Colin Walters wrote:
> On Mon, Jun 6, 2011 at 8:48 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> >
> > Suppose we did add a MAC check on enabling seccomp. Under what
> > circumstances would we want to deny a process the ability to further
> > restrict its own actions?
>
> Well, I could understand a simple argument about limiting the exposed
> kernel API; again I know this is sort of ironic, but seccomp is a
> pretty complex new API, and there will be processes that *aren't*
> using it for whatever reason and might be exploited.
>
> I'm not arguing strongly for this, I just wanted to bring it up. The
> set of hooks seems rather inconsistent right now.
>
> Given the above rationale, why for example is there a SELinux access
> vector for sched_getscheduler (process:getsched)?
That can be invoked on a target process other than current, right?
Any operation that enables a process to observe or modify the state of
another process requires a MAC check.
> > The situation would differ if seccomp could be enabled for a different
> > target process than current, or if it could be inherited across exec.
>
> It's based on prctl() so only affects the current process, and as for
> the latter - it looks like the current state is that if seccomp is
> active, exec is always disallowed.
Right, so I don't think it requires a MAC check presently.
--
Stephen Smalley
National Security Agency
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/