Re: ANN: libseccomp

From: Henrique de Moraes Holschuh
Date: Fri Apr 13 2012 - 22:47:11 EST

Next message: Takuya Yoshikawa: "Re: [PATCH v2 10/16] KVM: MMU: fask check whether page is writable"
Previous message: Nick Bowler: "Regression: bcma: early boot crash on BCM4716 w/ 3.4-rc2+ (bisected)"
In reply to: Paul Moore: "Re: ANN: libseccomp"
Next in thread: Serge Hallyn: "Re: [libseccomp-discuss] ANN: libseccomp"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 13 Apr 2012, Paul Moore wrote:
> the seccomp filter into the kernel. By default libseccomp attempts to set
> NO_NEW_PRIVS but does not fail if prctl(NO_NEW_PRIVS) returns with an error;

Isn't that dangerous in non-obvious ways, as in it can actually
cause/activate/enable/open security issues on priviledged processes that
don't expect whatever filtering seccomp will subject them to?

Maybe it would be best if libseccomp were to (by default) bomb out with
an error if prctl(NO_NEW_PRIVS) fails? Defaults are important, as
they're what people _who don't know any better_ are likely to use.

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Takuya Yoshikawa: "Re: [PATCH v2 10/16] KVM: MMU: fask check whether page is writable"
Previous message: Nick Bowler: "Regression: bcma: early boot crash on BCM4716 w/ 3.4-rc2+ (bisected)"
In reply to: Paul Moore: "Re: ANN: libseccomp"
Next in thread: Serge Hallyn: "Re: [libseccomp-discuss] ANN: libseccomp"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]