Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)

[RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) · David Drysdale <hidden> · 2014-06-30
[PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · David Drysdale <hidden> · 2014-06-30
Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · Andy Lutomirski <luto@amacapital.net> · 2014-06-30
Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · David Drysdale <hidden> · 2014-06-30
Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · Andy Lutomirski <luto@amacapital.net> · 2014-06-30
Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · Christoph Hellwig <hch@infradead.org> · 2014-07-08
Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · Meredydd Luff <hidden> · 2014-07-08
Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · Christoph Hellwig <hch@infradead.org> · 2014-07-08
Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · Meredydd Luff <hidden> · 2014-07-08
Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · Christoph Hellwig <hch@infradead.org> · 2014-07-08
Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · Christoph Hellwig <hch@infradead.org> · 2014-07-08
Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · David Drysdale <hidden> · 2014-07-08
Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · Christoph Hellwig <hch@infradead.org> · 2014-07-09
[PATCH 02/11] selftests: Add test of O_BENEATH_ONLY & openat(2) · David Drysdale <hidden> · 2014-06-30
[PATCH 10/11] capsicum: invocation of new LSM hooks · David Drysdale <hidden> · 2014-06-30
[PATCH 2/5] man-pages: capsicum.7: describe Capsicum capability framework · David Drysdale <hidden> · 2014-06-30
[PATCH 4/5] man-pages: cap_rights_limit.2: limit FD rights for Capsicum · David Drysdale <hidden> · 2014-06-30
Re: [PATCH 4/5] man-pages: cap_rights_limit.2: limit FD rights for Capsicum · Andy Lutomirski <luto@amacapital.net> · 2014-06-30
Re: [PATCH 4/5] man-pages: cap_rights_limit.2: limit FD rights for Capsicum · David Drysdale <hidden> · 2014-06-30
Re: [PATCH 4/5] man-pages: cap_rights_limit.2: limit FD rights for Capsicum · Andy Lutomirski <luto@amacapital.net> · 2014-06-30
Re: [PATCH 4/5] man-pages: cap_rights_limit.2: limit FD rights for Capsicum · David Drysdale <hidden> · 2014-06-30
[PATCH 5/5] man-pages: cap_rights_get: retrieve Capsicum fd rights · David Drysdale <hidden> · 2014-06-30
Re: [PATCH 5/5] man-pages: cap_rights_get: retrieve Capsicum fd rights · Andy Lutomirski <luto@amacapital.net> · 2014-06-30
Re: [PATCH 5/5] man-pages: cap_rights_get: retrieve Capsicum fd rights · David Drysdale <hidden> · 2014-07-01
Re: [PATCH 5/5] man-pages: cap_rights_get: retrieve Capsicum fd rights · Andy Lutomirski <luto@amacapital.net> · 2014-07-01
[PATCH 3/5] man-pages: rights.7: Describe Capsicum primary rights · David Drysdale <hidden> · 2014-06-30
[PATCH 05/11] capsicum: convert callers to use fgetr() etc · David Drysdale <hidden> · 2014-06-30
[PATCH 03/11] capsicum: rights values and structure definitions · David Drysdale <hidden> · 2014-06-30
[PATCH 07/11] capsicum: convert callers to use sockfd_lookupr() etc · David Drysdale <hidden> · 2014-06-30
[PATCH 04/11] capsicum: implement fgetr() and friends · David Drysdale <hidden> · 2014-06-30
[PATCH 09/11] capsicum: implementations of new LSM hooks · David Drysdale <hidden> · 2014-06-30
Re: [PATCH 09/11] capsicum: implementations of new LSM hooks · Andy Lutomirski <luto@amacapital.net> · 2014-06-30
Re: [PATCH 09/11] capsicum: implementations of new LSM hooks · Paul Moore <paul@paul-moore.com> · 2014-07-02
Re: [PATCH 09/11] capsicum: implementations of new LSM hooks · David Drysdale <hidden> · 2014-07-02
[PATCH 06/11] capsicum: implement sockfd_lookupr() · David Drysdale <hidden> · 2014-06-30
[PATCH 08/11] capsicum: add new LSM hooks on FD/file conversion · David Drysdale <hidden> · 2014-06-30
[PATCH 11/11] capsicum: add syscalls to limit FD rights · David Drysdale <hidden> · 2014-06-30
[PATCH 1/5] man-pages: open.2: describe O_BENEATH_ONLY flag · David Drysdale <hidden> · 2014-06-30
Re: [PATCH 1/5] man-pages: open.2: describe O_BENEATH_ONLY flag · Andy Lutomirski <luto@amacapital.net> · 2014-06-30
Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) · Paolo Bonzini <pbonzini@redhat.com> · 2014-07-03
Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) · Loganaden Velvindron <hidden> · 2014-07-03
Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) · David Drysdale <hidden> · 2014-07-03
Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) · Paolo Bonzini <pbonzini@redhat.com> · 2014-07-04
Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) · David Drysdale <hidden> · 2014-07-07
Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) · Paolo Bonzini <pbonzini@redhat.com> · 2014-07-07
Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) · David Drysdale <hidden> · 2014-07-07
Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) · Alexei Starovoitov <hidden> · 2014-07-07
Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) · Kees Cook <hidden> · 2014-07-08
Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) · Pavel Machek <hidden> · 2014-08-16

From: Pavel Machek <hidden>
Date: 2014-08-16 15:42:02
Also in: lkml, qemu-devel

Hi!

quoted

I think that's more easily done by opening the file as O_RDONLY/O_WRONLY
/O_RDWR.   You could do it by running the file descriptor's seccomp-bpf
program once per iocb with synthesized syscall numbers and argument
vectors.


Right, but generating the equivalent seccomp input environment for an
equivalent single-fd syscall is going to be subtle and complex (which
are worrying words to mention in a security context).  And how many
other syscalls are going to need similar special-case processing?
(poll? select? send[m]msg? ...)


Yeah, the difficult part is getting the right balance between:

1) limitations due to seccomp's impossibility to chase pointers (which is
not something that can be lifted, as it's required for correctness)

btw once seccomp moves to eBPF it will be able to 'chase pointers',
since pointer walking will be possible via bpf_load_pointer() function call,
which is a wrapper of:

Even if you could make capscium work with eBPF... please don't.

Capscium is kind of obvious, elegant solution. BPF is quite
complex. And security semantics should not be pushed to userspace...

						Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help