Re: [PATCH v4 03/13] seccomp_filters: new mode with configurablesyscall filters

[Stephen Smalley]

On Fri, 2011-06-03 at 18:16 -0400, Colin Walters wrote:
> On Fri, Jun 3, 2011 at 4:34 PM, Will Drewry <wad@xxxxxxxxxxxx> wrote:
> > (Any thoughts specifically on the mutex use would be greatly appreciated!)
> >
> > This change adds a new seccomp mode which specifies the allowed system
> > calls dynamically.
> 
> One thing to consider (not sure if it's been discussed, but I think
> not) is whether some of the LSMs should hook this.
> 
> Notably, it looks like SELinux doesn't have an access vector for prctl
> at all now; it doesn't hook task_prctl from what I see, and so we fall
> back to cap_task_prctl.  While I know the idea of restricting a
> process' ability to enter seccomp is a bit perverse, we should
> probably at least allow mandatory controls.  James?

I may be missing something, but so long as seccomp can only be enabled
by a process on itself and is not inherited across exec (or as in this
case prohibits exec), then I don't see why MAC systems should care.

Suppose we did add a MAC check on enabling seccomp.  Under what
circumstances would we want to deny a process the ability to further
restrict its own actions?

Denying the ability to enable seccomp could itself lead to
vulnerabilities, as applications have shown that they often fail to
check or handle errors from privilege-limiting calls correctly.

The situation would differ if seccomp could be enabled for a different
target process than current, or if it could be inherited across exec.

-- 
Stephen Smalley
National Security Agency

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/