[Top] [All Lists]

Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filt

To: Pavel Machek <>
Subject: Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering
From: Ingo Molnar <>
Date: Thu, 26 May 2011 10:35:13 +0200
Cc: James Morris <>,,, Peter Zijlstra <>, Frederic Weisbecker <>, Heiko Carstens <>, Oleg Nesterov <>, David Howells <>, Paul Mackerras <>, Eric Paris <>, "H. Peter Anvin" <>,, Jiri Slaby <>,, Russell King <>,, Linus Torvalds <>, Ingo Molnar <>, Benjamin Herrenschmidt <>,, "Serge E. Hallyn" <>, Peter Zijlstra <>, Steven Rostedt <>, Tejun Heo <>, Thomas Gleixner <>,, Michal Marek <>, Michal Simek <>, Will Drewry <>,,, Ralf Baechle <>, Paul Mundt <>, Martin Schwidefsky <>,, Andrew Morton <>,, "David S. Miller" <>
In-reply-to: <>
Original-recipient: rfc822;
References: <> <> <> <> <> <> <> <> <>
User-agent: Mutt/1.5.20 (2009-08-17)
* Pavel Machek <> wrote:

>   On Mon 2011-05-16 10:36:05, James Morris wrote:
> > On Fri, 13 May 2011, Ingo Molnar wrote:
> > How do you reason about the behavior of the system as a whole?
> > 
> > 
> > > I argue that this is the LSM and audit subsystems designed right: in the 
> > > long 
> > > run it could allow everything that LSM does at the moment - and so much 
> > > more 
> > > ...
> > 
> > Now you're proposing a redesign of the security subsystem.  That's a 
> > significant undertaking.
> > 
> > In the meantime, we have a simple, well-defined enhancement to seccomp 
> > which will be very useful to current users in reducing their kernel attack 
> > surface.
> Well, you can do the same with subterfugue, even without kernel 
> changes. But that's ptrace -- slow. (And it already shows that 
> syscall based filters are extremely tricky to configure).

Yes, if you use syscall based filters to implement access to 
underlying objects where the access methods do not capture essential 
lifetime events properly (such as files) they you'll quickly run into 
trouble achieving a secure solution.

But you can robustly use syscall filters to control the underlying 
primary *resource*: various pieces of kernel code with *negative* 
utility to the current app - which have no use to the app but pose 
risks in terms of potential exploits in them.

But you can use event filters to implement arbitrary security 
policies robustly.

For example file objects: if you generate the right events for a 
class of objects then you can control access to them very robustly.

It's not a surprise that this is what SELinux does primarily: it has 
lifetime event hooks at the inode object (and socket, packet, etc.) 
level and captures those access attempts and validates them against 
the permissions of that object, in light of the accessing task's 

Exactly that can be done with Will's patch as well, if its potential 
scope of event-checking points is not stupidly limited to the syscall 
boundary alone ...



<Prev in Thread] Current Thread [Next in Thread>