Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering
From: Ingo Molnar <hidden>
Date: 2011-05-17 13:10:58
Also in:
linux-arm-kernel, linuxppc-dev
* James Morris [off-list ref] wrote:
> On Mon, 16 May 2011, Ingo Molnar wrote:
>
> > > Not really. Firstly, what is the security goal of these restrictions?
>
> [...]
>
> > To do what i described above? Namely: " Sandboxed code should only be allowed to open files in /home/sandbox/, /lib/ and /usr/lib/ "
>
> These are access rules, they don't really describe a high-level security goal.
>
> [...]
Restricting sandboxed code to only open files within a given VFS namespace boundary sure sounds like a high-level security goal to me. If implemented and set up correctly then it restricts sandboxed code to only be able to open files reachable via that VFS sub-namespace. That is a rather meaningful high-level concept. What higher level concept do you want to argue?
> [...] How do you know it's ok to open everything in these directories?
How do you know it's ok to open /etc/hosts? The sysadmin has configured the system that way. How do you know that it's ok for sandboxed code to open files in /home/sandbox/? The sandbox developer has configured the system that way. I'm not sure i get your point.

Thanks,

	Ingo
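Added example, not part of Ingo's mail and not code from the seccomp_filters patches under discussion. The C program below models the access rule quoted in this message ("sandboxed code should only be allowed to open files in /home/sandbox/, /lib/ and /usr/lib/") as a user-space check on the path string handed to open(), and shows the "implemented and set up correctly" part of the argument: a naive prefix match on the raw argument accepts "/home/sandbox/../../etc/passwd", so the rule has to be applied to a normalized path and at a component boundary. The three roots are the ones named in the thread; the sample arguments are constructed. Normalization here is lexical only: symlinks are not resolved, relative paths are denied rather than resolved against a cwd, and the check is not atomic with the kernel's own path walk, so this is a model of the policy rather than an enforcer.

```c
/* Added example (not from the thread): the quoted open() access rule, applied
 * to a lexically normalized path versus a naive prefix match on the raw string.
 * Lexical only: no symlink resolution, no cwd, not atomic with the kernel walk. */
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 4096

/* Allowed roots, taken from the example rule in the thread. Each ends in '/'. */
static const char *const allowed_roots[] = {
    "/home/sandbox/", "/lib/", "/usr/lib/", NULL
};

/* Normalize an absolute path into 'out': collapse repeated '/', drop "." and
 * resolve ".." against the preceding component (".." at "/" stays at "/").
 * Result has no trailing '/' except for "/" itself. 0 on success, -1 if 'in'
 * is not absolute or does not fit. */
static int normalize_path(const char *in, char *out, size_t outlen)
{
    const char *p = in;
    size_t n = 0;

    if (in[0] != '/' || outlen < 2)
        return -1;
    while (*p) {
        const char *start;
        size_t clen;

        while (*p == '/')              /* skip one or more separators */
            p++;
        if (!*p)
            break;
        start = p;
        while (*p && *p != '/')
            p++;
        clen = (size_t)(p - start);
        if (clen == 1 && start[0] == '.')
            continue;
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            while (n > 0 && out[n - 1] != '/')
                n--;                   /* drop the previous component ... */
            if (n > 0)
                n--;                   /* ... and the '/' before it */
            continue;
        }
        if (n + 1 + clen >= outlen)
            return -1;
        out[n++] = '/';
        memcpy(out + n, start, clen);
        n += clen;
    }
    if (n == 0)
        out[n++] = '/';
    out[n] = '\0';
    return 0;
}

/* Policy check on the normalized path: allowed if it is a root itself or lies
 * below one at a component boundary ("/home/sandboxes/x" is not under
 * "/home/sandbox/"). Relative paths are denied: resolving them needs the cwd. */
static int open_allowed(const char *path)
{
    char norm[MAX_PATH_LEN];
    const char *const *r;

    if (normalize_path(path, norm, sizeof norm) != 0)
        return 0;
    for (r = allowed_roots; *r; r++) {
        size_t rl = strlen(*r) - 1;    /* root length without trailing '/' */
        if (strncmp(norm, *r, rl) == 0 && (norm[rl] == '\0' || norm[rl] == '/'))
            return 1;
    }
    return 0;
}

/* The tempting shortcut: prefix-match the raw open() argument. For contrast. */
static int naive_prefix_allowed(const char *path)
{
    const char *const *r;

    for (r = allowed_roots; *r; r++)
        if (strncmp(path, *r, strlen(*r)) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample open() arguments, not captured from a real system. */
    static const char *const samples[] = {
        "/home/sandbox/input.txt", "/usr/lib/libc.so.6",
        "/home/sandbox/../../etc/passwd", "/lib/../etc/shadow",
        "/home/sandboxes/x", "/etc/hosts", NULL
    };
    const char *const *s;

    for (s = samples; *s; s++)
        printf("%-32s naive=%d normalized=%d\n",
               *s, naive_prefix_allowed(*s), open_allowed(*s));
    return 0;
}
```

The boundary test in open_allowed (next byte after the root must be '\0' or '/') is what keeps a rule for /home/sandbox/ from also covering /home/sandboxes; the deny-by-default on relative paths and on anything that fails to normalize is the conservative choice a filter on untrusted input should make.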