Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system callfiltering

From: Ingo Molnar
Date: Thu May 26 2011 - 15:46:43 EST

Next message: Eric Dumazet: "Re: Kernel crash after using new Intel NIC (igb)"
Previous message: Markus Trippelsdorf: ""mm: don't access vm_flags as 'int'" build failure"
In reply to: Eric Paris: "Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering"
Next in thread: david: "Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system callfiltering"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* david@xxxxxxx <david@xxxxxxx> wrote:

> On Thu, 26 May 2011, Ingo Molnar wrote:
>
> >* Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> >
> >>It also gets rid of all configuration - one of the things that
> >>makes most security frameworks (look at selinux, but also just
> >>ACL's etc) such a crazy rats nest is the whole "set up for other
> >>processes". If it's designed very much to be about just the "self"
> >>process (after initialization etc), then I think that avoids pretty
> >>much all the serious issues.
> >
> >That's how the event filters work currently: even when inherited they
> >get removed when exec-ing a setuid task, so they cannot leak into
> >privileged context and cannot modify execution there.
> >
> >Inheritance works when requested, covering only same-credential child
> >tasks, not privileged successors.
>
> this is a very reasonable default, but there should be some way of
> saying that you want the restrictions to carry over to the suid
> task (I really know what I'm doing switch)

Unless you mean that root should be able to do it it's a security
hole both for events and for filters:

- for example we dont want really finegrained events to be used to
BTS hw-trace sshd and thus enable it to discover cryptographic
properties of the private key sshd is using.

- we do not want to *modify* the execution flow of a setuid program,
that can lead to exploits: by pushing the privileged codepath into
a condition that can never occur on a normal system - and thus can
push it into doing something it was not intended to do.

data damage could be done as well: for example if the privileged
code is logging into a system file then modifying execution can
damage the log file.

So it's not a good idea in general to allow unprivileged code to
modify the execution of privileged code. In fact it's not a good idea
to allow it to simply *observe* privileged code. It must remain a
black box with very few information leaking outwards.

Thanks,

Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Eric Dumazet: "Re: Kernel crash after using new Intel NIC (igb)"
Previous message: Markus Trippelsdorf: ""mm: don't access vm_flags as 'int'" build failure"
In reply to: Eric Paris: "Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering"
Next in thread: david: "Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system callfiltering"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]