Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF

From: Steven Rostedt
Date: Thu Jan 12 2012 - 12:18:03 EST

Next message: Randy Dunlap: "Re: [PATCH v2 2/2] Documentation: prctl/seccomp_filter"
Previous message: Oleg Nesterov: "Re: Q: cgroup: Questions about possible issues in cgroup locking"
In reply to: Linus Torvalds: "Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF"
Next in thread: Andrew Lutomirski: "Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2012-01-12 at 09:09 -0800, Linus Torvalds wrote:

> The whole "fail security escalations" thing goes way beyond just
> filtering, I think we could seriously try to make it a generic
> feature.

After I wrote this comment I thought the same thing. It would be nice to
have a way to just set a flag to a process that will prevent it from
doing any escalating of privileges.

I totally agree, this would solve a whole host of issues with regard to
security issues in things that shouldn't be a problem but currently are.

-- Steve

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Randy Dunlap: "Re: [PATCH v2 2/2] Documentation: prctl/seccomp_filter"
Previous message: Oleg Nesterov: "Re: Q: cgroup: Questions about possible issues in cgroup locking"
In reply to: Linus Torvalds: "Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF"
Next in thread: Andrew Lutomirski: "Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]