Subject: Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering
From: Steven Rostedt
To: Linus Torvalds
Cc: Will Drewry, Colin Walters, Kees Cook, Thomas Gleixner, Ingo Molnar, Peter Zijlstra, linux-kernel@vger.kernel.org, James Morris
Date: Thu, 26 May 2011 13:07:16 -0400
Message-ID: <1306429636.3857.3.camel@gandalf.stny.rr.com>
In-Reply-To:
References: <1305807728.11267.25.camel@gandalf.stny.rr.com> <1306254027.18455.47.camel@twins> <20110524195435.GC27634@elte.hu> <20110525150153.GE29179@elte.hu> <20110525180100.GY19633@outflux.net> <20110525191152.GC19633@outflux.net>

On Thu, 2011-05-26 at 09:46 -0700, Linus Torvalds wrote:
> And if you filter system calls, it's entirely possible that you can
> attack suid executables through such a vector. Your "limit system
> calls for security" security suddenly turned into "avoid the system
> call that made things secure"!
>
> See what I'm saying?

So you are not complaining about this implementation, but the use of
syscall filtering?

There may be some user that says, "oh I don't want my other apps to be
able to call setuid" thinking it will secure their application even
more. But because that application did the brain dead thing to not
check the return code of setuid, and it just happened to be running
privileged, it then execs off another application that can root the
box. Because, originally that setuid would have succeeded if the user
did nothing special, but now with this filtering, and the user thinking
that they could limit their app from doing harm, they just opened up a
hole that caused their app to do the exact opposite and give the exec'd
app full root privileges.

Did I get this right?

-- Steve
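The failure mode Steve describes, as an added example that is not code from this thread or from the seccomp_filters patch: a privileged program that ignores the return value of setuid() keeps running as root when the call is denied, and then execs a child that inherits root. The hardened variant treats a failed or ineffective privilege drop as fatal for the exec path. The syscall-like callbacks, the `fake_*` stand-ins, and every function and enum name here are this example's own assumptions, introduced so that a denied setuid can be simulated inside an ordinary unprivileged process.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Callback types matching the real setuid()/getuid()/geteuid() signatures,
 * so the real syscalls and constructed stand-ins can be passed interchangeably. */
typedef int   (*setuid_fn)(uid_t);
typedef uid_t (*uid_fn)(void);

enum drop_result {
    DROP_OK = 0,            /* setuid succeeded and the credentials were verified */
    DROP_CALL_FAILED,       /* setuid returned -1, e.g. denied by a syscall filter */
    DROP_STILL_PRIVILEGED   /* call "succeeded" but uid/euid did not actually change */
};

/* The pattern from the thread: setuid's return value is ignored, so when the
 * call is denied the process stays privileged and this still says "exec".
 * Returns 1 meaning "would exec the child". */
int drop_unchecked_would_exec(setuid_fn do_setuid, uid_t target)
{
    (void)do_setuid(target);    /* result discarded: this is the bug */
    return 1;
}

/* Hardened version: check the return code AND re-read the resulting
 * credentials, since what the child inherits is all that matters. */
enum drop_result drop_checked(setuid_fn do_setuid, uid_t target,
                              uid_fn cur_uid, uid_fn cur_euid)
{
    if (do_setuid(target) != 0)
        return DROP_CALL_FAILED;
    if (cur_uid() != target || cur_euid() != target)
        return DROP_STILL_PRIVILEGED;
    return DROP_OK;
}

/* Returns 1 only when the drop verifiably succeeded; 0 means "do not exec". */
int drop_checked_would_exec(setuid_fn do_setuid, uid_t target,
                            uid_fn cur_uid, uid_fn cur_euid)
{
    return drop_checked(do_setuid, target, cur_uid, cur_euid) == DROP_OK;
}

/* Constructed stand-ins (not real syscalls) simulating a root process. */
int   fake_setuid_denied(uid_t u)     { (void)u; errno = EPERM; return -1; } /* filtered */
int   fake_setuid_returns_ok(uid_t u) { (void)u; return 0; }                 /* reports success */
uid_t fake_uid_root(void)             { return 0; }                          /* still root */
uid_t fake_uid_1000(void)             { return 1000; }                       /* really dropped */

int main(void)
{
    uid_t me = getuid();
    /* Real syscalls on this process: dropping to our own uid is always permitted. */
    printf("real process, setuid(self): %s\n",
           drop_checked_would_exec(setuid, me, getuid, geteuid)
               ? "would exec" : "refuses to exec");
    /* Simulated root process whose setuid is denied by a filter. */
    printf("unchecked, denied setuid:   %s\n",
           drop_unchecked_would_exec(fake_setuid_denied, 1000)
               ? "would exec AS ROOT" : "refuses to exec");
    printf("checked,   denied setuid:   %s\n",
           drop_checked_would_exec(fake_setuid_denied, 1000, fake_uid_root, fake_uid_root)
               ? "would exec" : "refuses to exec");
    return 0;
}
```

The second check in drop_checked is deliberately redundant with the return code: it also catches any environment in which the call reports success without changing the credentials, which is the case the exec'd child cares about.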