[PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering
James Morris
jmorris at namei.org
Mon May 16 10:36:05 EST 2011
On Fri, 13 May 2011, Ingo Molnar wrote:
> Say i'm a user-space sandbox developer who wants to enforce that sandboxed code
> should only be allowed to open files in /home/sandbox/, /lib/ and /usr/lib/.
>
> It is a simple and sensible security feature, agreed? It allows most code to
> run well and link to countless libraries - but no access to other files is
> allowed.
Not really.
Firstly, what is the security goal of these restrictions? Then, are the
restrictions complete and unbypassable?
How do you reason about the behavior of the system as a whole?
> I argue that this is the LSM and audit subsystems designed right: in the long
> run it could allow everything that LSM does at the moment - and so much more
> ...
Now you're proposing a redesign of the security subsystem. That's a
significant undertaking.
In the meantime, we have a simple, well-defined enhancement to seccomp
which will be very useful to current users in reducing their kernel attack
surface.
We should merge that, and the security subsystem discussion can carry on
separately.
- James
--
James Morris
<jmorris at namei.org>
More information about the Linuxppc-dev
mailing list