RE: [kernel-hardening] [RFC PATCH 1/1] seccomp: provide information about the previous syscall

2016-01-24 Thread Daniel Sangorrin
Hi, Jann, Andy, Alexei, Kees and Paul: thanks a lot for your comments on my RFC!!. There were a few important points that I didn't mention but are critical to understand what I was trying to do. The focus of the patch was on protecting "real-time embedded IoT devices" such as a PLC

RE: [kernel-hardening] [RFC PATCH 1/1] seccomp: provide information about the previous syscall

2016-01-24 Thread Daniel Sangorrin
Hi, Jann, Andy, Alexei, Kees and Paul: thanks a lot for your comments on my RFC!!. There were a few important points that I didn't mention but are critical to understand what I was trying to do. The focus of the patch was on protecting "real-time embedded IoT devices" such as a PLC

Re: [kernel-hardening] Re: [RFC PATCH 1/1] seccomp: provide information about the previous syscall

2016-01-22 Thread Paul Moore
On Fri, Jan 22, 2016 at 4:23 PM, Kees Cook wrote: > Yeah, and if we break abi, we need to add further sanity checking to > the parser to determine which "version" of seccomp_data we need. I'm > not convinced that there is enough utility here to break ABI. PLEASE do not break the seccomp ABI for

Re: [RFC PATCH 1/1] seccomp: provide information about the previous syscall

2016-01-22 Thread Kees Cook
On Fri, Jan 22, 2016 at 9:30 AM, Alexei Starovoitov wrote: > On Fri, Jan 22, 2016 at 03:30:00PM +0900, Daniel Sangorrin wrote: >> This patch allows applications to restrict the order in which >> its system calls may be requested. In order to do that, we >> provide seccomp-BPF scripts with

Re: [RFC PATCH 1/1] seccomp: provide information about the previous syscall

2016-01-22 Thread Alexei Starovoitov
On Fri, Jan 22, 2016 at 03:30:00PM +0900, Daniel Sangorrin wrote: > This patch allows applications to restrict the order in which > its system calls may be requested. In order to do that, we > provide seccomp-BPF scripts with information about the > previous system call requested. > > An example

Re: [kernel-hardening] [RFC PATCH 1/1] seccomp: provide information about the previous syscall

2016-01-22 Thread Andy Lutomirski
On Fri, Jan 22, 2016 at 2:48 AM, Jann Horn wrote: > On Fri, Jan 22, 2016 at 03:30:00PM +0900, Daniel Sangorrin wrote: >> This patch allows applications to restrict the order in which >> its system calls may be requested. In order to do that, we >> provide seccomp-BPF scripts with information

Re: [kernel-hardening] [RFC PATCH 1/1] seccomp: provide information about the previous syscall

2016-01-22 Thread Jann Horn
On Fri, Jan 22, 2016 at 03:30:00PM +0900, Daniel Sangorrin wrote: > This patch allows applications to restrict the order in which > its system calls may be requested. In order to do that, we > provide seccomp-BPF scripts with information about the > previous system call requested. > > An example

Re: [RFC PATCH 1/1] seccomp: provide information about the previous syscall

2016-01-22 Thread Kees Cook
On Fri, Jan 22, 2016 at 9:30 AM, Alexei Starovoitov wrote: > On Fri, Jan 22, 2016 at 03:30:00PM +0900, Daniel Sangorrin wrote: >> This patch allows applications to restrict the order in which >> its system calls may be requested. In order to do that, we >> provide

Re: [kernel-hardening] [RFC PATCH 1/1] seccomp: provide information about the previous syscall

2016-01-22 Thread Jann Horn
On Fri, Jan 22, 2016 at 03:30:00PM +0900, Daniel Sangorrin wrote: > This patch allows applications to restrict the order in which > its system calls may be requested. In order to do that, we > provide seccomp-BPF scripts with information about the > previous system call requested. > > An example

Re: [kernel-hardening] Re: [RFC PATCH 1/1] seccomp: provide information about the previous syscall

2016-01-22 Thread Paul Moore
On Fri, Jan 22, 2016 at 4:23 PM, Kees Cook wrote: > Yeah, and if we break abi, we need to add further sanity checking to > the parser to determine which "version" of seccomp_data we need. I'm > not convinced that there is enough utility here to break ABI. PLEASE do not

Re: [kernel-hardening] [RFC PATCH 1/1] seccomp: provide information about the previous syscall

2016-01-22 Thread Andy Lutomirski
On Fri, Jan 22, 2016 at 2:48 AM, Jann Horn wrote: > On Fri, Jan 22, 2016 at 03:30:00PM +0900, Daniel Sangorrin wrote: >> This patch allows applications to restrict the order in which >> its system calls may be requested. In order to do that, we >> provide seccomp-BPF scripts with

Re: [RFC PATCH 1/1] seccomp: provide information about the previous syscall

2016-01-22 Thread Alexei Starovoitov
On Fri, Jan 22, 2016 at 03:30:00PM +0900, Daniel Sangorrin wrote: > This patch allows applications to restrict the order in which > its system calls may be requested. In order to do that, we > provide seccomp-BPF scripts with information about the > previous system call requested. > > An example

[RFC PATCH 1/1] seccomp: provide information about the previous syscall

2016-01-21 Thread Daniel Sangorrin
This patch allows applications to restrict the order in which its system calls may be requested. In order to do that, we provide seccomp-BPF scripts with information about the previous system call requested. An example use case consists of detecting (and stopping) return oriented attacks that

[RFC PATCH 1/1] seccomp: provide information about the previous syscall

2016-01-21 Thread Daniel Sangorrin
This patch allows applications to restrict the order in which its system calls may be requested. In order to do that, we provide seccomp-BPF scripts with information about the previous system call requested. An example use case consists of detecting (and stopping) return oriented attacks that