Re: Using ftrace/perf as a basis for generic seccomp

[Stefan Fritsch]

On Fri, 4 Feb 2011, Frederic Weisbecker wrote:
> Note it's not about tracing here. It's about abstracting some tracing
> features to make them standalone and usable outside tracing.
>
> But yeah, now that I consider the fact that checks on pointers are
> racy until objects are resolved (got my first security lesson), such
> deep filtering up to dereferencing pointers is then pointless.
>
> Now there are still immediate values for which there is still a point
> (filtering fd, filtering opening mode, etc...).
>
> >  Do we have a user that can articulate a need for greater
> > flexibility in their use of such a hardening tool?
>
> So yeah, indeed we probably need to get more usecases to consider it.

A really major use case is socketcall(2). All socket related syscalls 
(accept, bind, connect, receivemsg, ...) are implemented as socketcall 
with an appropriate argument. There will be many cases where you want a 
sandboxed process to be able to do recvmsg(2) to receive new file 
descriptors over an already open unix-domain socket from a broker process. 
But you may want to disallow other socket operations, especially listen, 
accept, and connect.

Of course one could also add some special case handling for socketcall 
in seccomp instead of using the full filtering.

Cheers,
Stefan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/