[PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering
Ingo Molnar
mingo at elte.hu
Thu May 26 18:35:13 EST 2011
* Pavel Machek <pavel at ucw.cz> wrote:
> On Mon 2011-05-16 10:36:05, James Morris wrote:
> > On Fri, 13 May 2011, Ingo Molnar wrote:
> > How do you reason about the behavior of the system as a whole?
> >
> >
> > > I argue that this is the LSM and audit subsystems designed right: in the long
> > > run it could allow everything that LSM does at the moment - and so much more
> > > ...
> >
> > Now you're proposing a redesign of the security subsystem. That's a
> > significant undertaking.
> >
> > In the meantime, we have a simple, well-defined enhancement to seccomp
> > which will be very useful to current users in reducing their kernel attack
> > surface.
>
> Well, you can do the same with subterfugue, even without kernel
> changes. But that's ptrace -- slow. (And it already shows that
> syscall based filters are extremely tricky to configure).
Yes, if you use syscall based filters to implement access to
underlying objects where the access methods do not capture essential
lifetime events properly (such as files) they you'll quickly run into
trouble achieving a secure solution.
But you can robustly use syscall filters to control the underlying
primary *resource*: various pieces of kernel code with *negative*
utility to the current app - which have no use to the app but pose
risks in terms of potential exploits in them.
But you can use event filters to implement arbitrary security
policies robustly.
For example file objects: if you generate the right events for a
class of objects then you can control access to them very robustly.
It's not a surprise that this is what SELinux does primarily: it has
lifetime event hooks at the inode object (and socket, packet, etc.)
level and captures those access attempts and validates them against
the permissions of that object, in light of the accessing task's
credentials.
Exactly that can be done with Will's patch as well, if its potential
scope of event-checking points is not stupidly limited to the syscall
boundary alone ...
Thanks,
Ingo
More information about the Linuxppc-dev
mailing list