Re: [PATCH v5 2/3] seccomp_filters: system call filtering using BPF
From: Andrew Lutomirski
Date: Sat Jan 28 2012 - 11:28:37 EST
On Fri, Jan 27, 2012 at 3:24 PM, Will Drewry <wad@xxxxxxxxxxxx> wrote:
> Filter programs will be inherited across fork/clone and execve.
> However, if the task attaching the filter is unprivileged
> (!CAP_SYS_ADMIN) the no_new_privs bit will be set on the task. This
> ensures that unprivileged tasks cannot attach filters that affect
> privileged tasks (e.g., setuid binary).
This makes me nervous -- I don't think that the behavior of any new
API should be different depending on privilege level -- adding a
privilege should just make things work that would otherwise fail. You
might end up with bugs where a program is completely safe if run
without CAP_SYS_ADMIN but, if run with CAP_SYS_ADMIN, bad things
happen. (The behavior of setuid(geteuid()) is an example of this
problem.)
One way to fix it is to make setting a filter program fail unless
capable(CAP_SYS_ADMIN ) || no_new_privs.
--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/