Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1758191Ab1EZSes (ORCPT ); Thu, 26 May 2011 14:34:48 -0400 Received: from smtp1.linux-foundation.org ([140.211.169.13]:36934 "EHLO smtp1.linux-foundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753523Ab1EZSer (ORCPT ); Thu, 26 May 2011 14:34:47 -0400 MIME-Version: 1.0 In-Reply-To: References: <1305807728.11267.25.camel@gandalf.stny.rr.com> <1306254027.18455.47.camel@twins> <20110524195435.GC27634@elte.hu> <20110525150153.GE29179@elte.hu> <20110525180100.GY19633@outflux.net> <20110525191152.GC19633@outflux.net> From: Linus Torvalds Date: Thu, 26 May 2011 11:33:52 -0700 Message-ID: Subject: Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering To: Will Drewry Cc: Colin Walters , Kees Cook , Thomas Gleixner , Ingo Molnar , Peter Zijlstra , Steven Rostedt , linux-kernel@vger.kernel.org, James Morris Content-Type: text/plain; charset=ISO-8859-1 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1582 Lines: 37 On Thu, May 26, 2011 at 10:38 AM, Will Drewry wrote: >> >> One option is to just not ever allow execve() from inside a restricted >> environment. > > That'd certainly be fine with me. So if it ends up being purely a "internal to the process" thing, then I'm much happier about it - it not only limits the scope of things sufficiently that I don't worry too much about security issues, but it makes it very clear that it's about a process going into "lock-down" mode on its own. It also gets rid of all configuration - one of the things that makes most security frameworks (look at selinux, but also just ACL's etc) such a crazy rats nest is the whole "set up for other processes". If it's designed very much to be about just the "self" process (after initialization etc), then I think that avoids pretty much all the serious issues. A lot of server processes could probably use it as a way to say "Hey, I guarantee that I will only open new files read-only, and will only write to the socket that was already opened for me by the accept", and explicitly limit their worker threads that way. If that is really sufficient for some chrome sandboxing, then hey, that's all fine. Sometimes limiting yourself (rather than looking for some bigger "generic" solution) is the right answer. Linus -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/