[PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering
Ingo Molnar
mingo at elte.hu
Tue May 17 23:10:58 EST 2011
* James Morris <jmorris at namei.org> wrote:
> On Mon, 16 May 2011, Ingo Molnar wrote:
>
> > > Not really.
> > >
> > > Firstly, what is the security goal of these restrictions? [...]
> >
> > To do what i described above? Namely:
> >
> > " Sandboxed code should only be allowed to open files in /home/sandbox/, /lib/
> > and /usr/lib/ "
>
> These are access rules, they don't really describe a high-level security
> goal. [...]
Restricting sandboxed code to only open files within a given VFS namespace
boundary sure sounds like a high-level security goal to me.

If implemented and set up correctly then it restricts sandboxed code to only be
able to open files reachable via that VFS sub-namespace.

That is a rather meaningful high-level concept. What higher level concept do
you want to argue?
> [...] How do you know it's ok to open everything in these directories?
How do you know it's ok to open /etc/hosts? The sysadmin has configured the
system that way.

How do you know that it's ok for sandboxed code to open files in
/home/sandbox/? The sandbox developer has configured the system that way.

I'm not sure i get your point.

Thanks,

Ingo