Re: secure computing for 2.6.7

From: chris
Date: Sun Aug 01 2004 - 12:32:18 EST


On Sun, 1 Aug 2004, Andrea Arcangeli wrote:

> On Sun, Aug 01, 2004 at 01:01:10PM +0100, chris@xxxxxxxxxxxxxxxx wrote:
> > Hi Andrea,
> >
> > Do you have plans to generalize seccomp into something like a "syscall
> > firewall"? This _would_ be useful to many apps, and provide good security

[...]

> Seems like a few people are interested in what you suggest above. It'd be
> very trivial to add a seccomp-mode = 2 that adds more syscalls like the
> socket syscalls like accept/sendfile/send/recv and also the open syscall
> (which means you want to use chroot still). In the code you can see I
> wrote it so that more modes can be added freely. I mean it has some
> flexibility already. vsftpd could enable the seccomp mode 2 on itself
> after it has initialized.

Using the above approach, we (the app writers) would never agree on the
syscall lists required for different seccomp modes ;-)

How hard would it be to have a per-task bitmap of syscalls allowed? This
way, a task could restrict to the exact subset of syscalls required for
maximum security.
The bitmap would
- Be allocated on demand (for no overhead in the common case)
- Deny all syscalls not covered by the supplied bitmap, to cater for
syscall table expansion
- Be inherited across fork and (probably) shared across clone

Cheers
Chris
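As an added illustration, not code from this thread or from any kernel tree, the following hypothetical user-space model captures the three properties Chris lists for the per-task bitmap: on-demand allocation, deny-by-default for syscall numbers past the bitmap (so a later table expansion cannot open a hole), and copy-on-fork / share-on-clone inheritance. The syscall numbers and table size used are constructed for the example.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical user-space model of the per-task syscall bitmap proposed
 * above (not kernel code, not a real seccomp API): one bit per syscall
 * number, allocated only for tasks that opt in, deny-by-default past it. */
struct syscall_filter {
    int refcount;         /* shared by clone() children, copied by fork() */
    size_t nbits;         /* bitmap length; numbers >= nbits are denied */
    unsigned char bits[]; /* flexible array of (nbits + 7) / 8 bytes */
};

/* A task with filter == NULL is unrestricted and pays nothing. */
struct task { struct syscall_filter *filter; };

/* Build a filter that allows exactly the listed syscall numbers. */
struct syscall_filter *filter_create(const int *allowed, size_t n, size_t nbits)
{
    struct syscall_filter *f = calloc(1, sizeof *f + (nbits + 7) / 8);
    if (!f) return NULL;
    f->refcount = 1; f->nbits = nbits;
    for (size_t i = 0; i < n; i++)
        if (allowed[i] >= 0 && (size_t)allowed[i] < nbits)
            f->bits[allowed[i] / 8] |= (unsigned char)(1u << (allowed[i] % 8));
    return f;
}

/* Syscall-entry check: true means the call may proceed. A number the
 * bitmap never covered (e.g. a syscall added after the filter was
 * installed) is refused rather than silently allowed. */
bool syscall_allowed(const struct task *t, long nr)
{
    if (!t->filter) return true;
    if (nr < 0 || (size_t)nr >= t->filter->nbits) return false;
    return (t->filter->bits[nr / 8] >> (nr % 8)) & 1u;
}

/* Inheritance: fork() gives the child a private copy (it may tighten it
 * later without affecting the parent); clone() shares the parent's. */
void task_inherit(const struct task *parent, struct task *child, bool share)
{
    struct syscall_filter *f = parent->filter;
    child->filter = f;
    if (!f) return;
    if (share) { f->refcount++; return; }
    size_t sz = sizeof *f + (f->nbits + 7) / 8;
    child->filter = malloc(sz);
    if (child->filter) { memcpy(child->filter, f, sz); child->filter->refcount = 1; }
}
```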