Re: [PATCH v4 03/13] seccomp_filters: new mode with configurablesyscall filters

[Stephen Smalley]

On Mon, 2011-06-06 at 11:25 -0400, Colin Walters wrote:
> On Mon, Jun 6, 2011 at 8:48 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> >
> > Suppose we did add a MAC check on enabling seccomp.  Under what
> > circumstances would we want to deny a process the ability to further
> > restrict its own actions?
> 
> Well, I could understand a simple argument about limiting the exposed
> kernel API; again I know this is sort of ironic, but seccomp is a
> pretty complex new API, and there will be processes that *aren't*
> using it for whatever reason and might be exploited.
> 
> I'm not arguing strongly for this, I just wanted to bring it up.  The
> set of hooks seems rather inconsistent right now.
> 
> Given the above rationale, why for example is there a SELinux access
> vector for sched_getscheduler (process:getsched)?

That can be invoked on a target process other than current, right?
Any operation that enables a process to observe or modify the state of
another process requires a MAC check.

> > The situation would differ if seccomp could be enabled for a different
> > target process than current, or if it could be inherited across exec.
> 
> It's based on prctl() so only affects the current process, and as for
> the latter - it looks like the current state is that if seccomp is
> active, exec is always disallowed.

Right, so I don't think it requires a MAC check presently.

-- 
Stephen Smalley
National Security Agency

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/