Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering usingBPF

From: Alan Cox
Date: Thu Jan 12 2012 - 12:13:54 EST

Next message: Oleg Nesterov: "Re: Q: cgroup: Questions about possible issues in cgroup locking"
Previous message: Konrad Rzeszutek Wilk: "Re: linux 3.3-pre-rc1: Starting domU fails with Error: Failed toquery current memory allocation of dom0."
In reply to: Will Drewry: "Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF"
Next in thread: Will Drewry: "Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> more about). Since setuid is privilege escalation, then perhaps it
> makes sense to allow it as an escape hatch.
>
> Would it be sane to just disallow setuid exec exclusively?

I think that is a policy question. I can imagine cases where either
behaviour is the "right" one so it may need to be a parameter ?

Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Oleg Nesterov: "Re: Q: cgroup: Questions about possible issues in cgroup locking"
Previous message: Konrad Rzeszutek Wilk: "Re: linux 3.3-pre-rc1: Starting domU fails with Error: Failed toquery current memory allocation of dom0."
In reply to: Will Drewry: "Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF"
Next in thread: Will Drewry: "Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]