Re: [libseccomp-discuss] ANN: libseccomp

From: Paul Moore
Date: Mon Apr 16 2012 - 10:15:38 EST

On Friday, April 13, 2012 11:47:08 PM Henrique de Moraes Holschuh wrote:
> On Fri, 13 Apr 2012, Paul Moore wrote:
> > the seccomp filter into the kernel. By default libseccomp attempts to set
> > NO_NEW_PRIVS but does not fail if prctl(NO_NEW_PRIVS) returns with an
> > error;
> Isn't that dangerous in non-obvious ways, as in it can actually
> cause/activate/enable/open security issues on priviledged processes that
> don't expect whatever filtering seccomp will subject them to?

We could debate this point but it turns out it is a bit of a non-issue as the
kernel code requires NO_NEW_PRIVS unless CAP_SYS_ADMIN is set; if neither
conditions are true the seccomp filter with fail (check Will's patches).

If prctl(NO_NEW_PRIVS) fails the error is always returned, and the
attribute/boolean to disable this functionality has been removed since it
likely serves little purpose.

> Defaults are important, as they're what people _who don't know any better_
> are likely to use.

Agreed. You'll never hear me argue otherwise.

paul moore

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at