Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system callfiltering

From: Casey Schaufler
Date: Thu May 26 2011 - 14:43:36 EST

Next message: Mike Snitzer: "Re: dm: pass up rotational flag"
Previous message: H Hartley Sweeten: "RE: [PATCH 1/5] dmaengine: add ep93xx DMA support"
In reply to: Steven Rostedt: "Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based systemcall filtering"
Next in thread: Steven Rostedt: "Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based systemcall filtering"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 5/26/2011 10:07 AM, Steven Rostedt wrote:
> On Thu, 2011-05-26 at 09:46 -0700, Linus Torvalds wrote:
>
>> And if you filter system calls, it's entirely possible that you can
>> attack suid executables through such a vector. Your "limit system
>> calls for security" security suddenly turned into "avoid the system
>> call that made things secure"!
>>
>> See what I'm saying?
> So you are not complaining about this implementation, but the use of
> syscall filtering?
>
> There may be some user that says, "oh I don't want my other apps to be
> able to call setuid" thinking it will secure their application even
> more. But because that application did the brain dead thing to not check
> the return code of setuid, and it just happened to be running
> privileged, it then execs off another application that can root the box.
>
> Because, originally that setuid would have succeeded if the user did
> nothing special, but now with this filtering, and the user thinking that
> they could limit their app from doing harm, they just opened up a hole
> that caused their app to do the exact opposite and give the exec'd app
> full root privileges.
>
> Did I get this right?

Yes. Some system calls are there so that you can turn off
privilege. There was a major exploit with sendmail when capabilities
were first introduced that brought the potential for this sort of
problem into the public eye. Kernel mechanisms intended to provide
additional security have to be massively careful about the impact
they may have on applications that are currently security aware and
that make use of the existing mechanisms. The ACL mechanism is much
more complicated than it probably ought to be to accommodate chmod()
and capabilities go way over the top to deal with traditional root
behavior.

> -- Steve
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>
>

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Mike Snitzer: "Re: dm: pass up rotational flag"
Previous message: H Hartley Sweeten: "RE: [PATCH 1/5] dmaengine: add ep93xx DMA support"
In reply to: Steven Rostedt: "Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based systemcall filtering"
Next in thread: Steven Rostedt: "Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based systemcall filtering"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]