Re: Using ftrace/perf as a basis for generic seccomp

From: Eric Paris
Date: Fri Feb 04 2011 - 11:37:26 EST

Next message: dann . frazier: "[PATCH] [ocfs2] Use a kobject instead of a kset"
Previous message: Gergely Nagy: "Re: CAP_SYSLOG, 2.6.38 and user space"
In reply to: Peter Zijlstra: "Re: Using ftrace/perf as a basis for generic seccomp"
Next in thread: Stefan Fritsch: "Re: Using ftrace/perf as a basis for generic seccomp"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2011-02-03 at 23:06 +0100, Stefan Fritsch wrote:

> - only allow syscalls in the mode (non-compat/compat) that the prctl
> call was made in

This is what I was thinking. If it was a compat task when it dropped
things from the set of syscalls we should implicitly deny all non-compat
syscalls, and vice versa.

> - deny exec of setuid/setgid binaries
> - deny exec of binaries with filesystem capabilities

I think both of these are wrong to try to address here. The right way
to handle these is to

1) set prctl(SECBIT_NOROOT)
2) drop all caps from the bset, pP, pE, and pI
3) make sure the setuid(2) syscall (not to be confused with SETUID
filesystem bit) is not in the set of allowed syscalls. Thus rendering
suid and file with fcaps irrelevant.

-Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: dann . frazier: "[PATCH] [ocfs2] Use a kobject instead of a kset"
Previous message: Gergely Nagy: "Re: CAP_SYSLOG, 2.6.38 and user space"
In reply to: Peter Zijlstra: "Re: Using ftrace/perf as a basis for generic seccomp"
Next in thread: Stefan Fritsch: "Re: Using ftrace/perf as a basis for generic seccomp"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]