Re: seccomp for 2.6.11-rc1-bk8
From: Ingo Molnar
Date: Fri Jan 21 2005 - 07:57:27 EST
* Ingo Molnar <mingo@xxxxxxx> wrote:
> > > This is the seccomp patch ported to 2.6.11-rc1-bk8, that I need for
> > > Cpushare (until trusted computing will hit the hardware market).
> > > [...]
> >
> > why do you need any kernel code for this? This seems to be a limited
> > ptrace implementation: restricting untrusted userspace code to only be
> > able to exec read/write/sigreturn.
> >
> > So this patch, unless i'm missing something, duplicates in essence what
> > ptrace can do [...]
>
> there's one thing ptrace wont do: if the ptrace parent dies
> unexpectedly and the child was 'running' (there is a small window
> where the child might not be stopped and where this may happen) then
> the child can get runaway. While i think this is theoretical (UML
> doesnt suffer from this problem), it is simple to fix - find below a
> proof-of-concept patch that introduces PTRACE_ATTACH_JAIL - ptraced
> children can never escape out of such a jail. (barely tested - but you
> get the idea.)
maybe this could even be fit into existing ptrace semantics, without any
need for PTRACE_ATTACH_JAIL. What we need is to catch the case where a
ptraced child is running (i.e. the signal_wake_up() has already been
done, and the parent is waiting for the child to stop again), and the
ptrace parent is killed unexpectedly. Would it be a correct fix to just
unconditionally stop the child in this case (and leave it hanging in
such a state)? Or to kill it right away?
Ingo
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/