Re: [seccomp] Request for a "enable on execve" mode for Seccomp filters

2020-10-29 Thread Rich Felker
On Thu, Oct 29, 2020 at 07:58:42AM +, Sargun Dhillon wrote: > A mechanism for the thing listening on the listener FD to turn itself on or > off > and indicate that it is no longer interested in receiving notifications and > to > always continue / return an error code, or that it has taken

Re: [seccomp] Request for a "enable on execve" mode for Seccomp filters

2020-10-29 Thread Sargun Dhillon
On Wed, Oct 28, 2020 at 03:47:27PM -0700, Kees Cook wrote: > On Wed, Oct 28, 2020 at 12:18:47PM +0100, Camille Mougey wrote: > > (This is my first message to the kernel list, I hope I'm doing it right) > > Looks good to me! The key was CCing real people. ;) > > > From my understanding, there is

Re: [seccomp] Request for a "enable on execve" mode for Seccomp filters

2020-10-28 Thread Rich Felker
On Wed, Oct 28, 2020 at 01:42:13PM +0100, Jann Horn wrote: > +luto just in case he has opinions on this > > On Wed, Oct 28, 2020 at 12:18 PM Camille Mougey wrote: > > From my understanding, there is no way to delay the activation of > > seccomp filters, for instance "until an _execve_ call". >

Re: [seccomp] Request for a "enable on execve" mode for Seccomp filters

2020-10-28 Thread Rich Felker
On Wed, Oct 28, 2020 at 07:25:45PM +0100, Jann Horn wrote: > On Wed, Oct 28, 2020 at 6:52 PM Rich Felker wrote: > > On Wed, Oct 28, 2020 at 06:34:56PM +0100, Jann Horn wrote: > > > On Wed, Oct 28, 2020 at 5:49 PM Rich Felker wrote: > > > > On Wed, Oct 28, 2020 at 01:42:13PM +0100, Jann Horn

Re: [seccomp] Request for a "enable on execve" mode for Seccomp filters

2020-10-28 Thread Rich Felker
On Wed, Oct 28, 2020 at 07:39:41PM +0100, Jann Horn wrote: > On Wed, Oct 28, 2020 at 7:35 PM Rich Felker wrote: > > On Wed, Oct 28, 2020 at 07:25:45PM +0100, Jann Horn wrote: > > > On Wed, Oct 28, 2020 at 6:52 PM Rich Felker wrote: > > > > On Wed, Oct 28, 2020 at 06:34:56PM +0100, Jann Horn

[seccomp] Request for a "enable on execve" mode for Seccomp filters

2020-10-28 Thread Camille Mougey
Hello, (This is my first message to the kernel list, I hope I'm doing it right) From my understanding, there is no way to delay the activation of seccomp filters, for instance "until an _execve_ call". But this might be useful, especially for tools that sandbox other, non-cooperative,

Re: [seccomp] Request for a "enable on execve" mode for Seccomp filters

2020-10-28 Thread Rich Felker
On Wed, Oct 28, 2020 at 06:34:56PM +0100, Jann Horn wrote: > On Wed, Oct 28, 2020 at 5:49 PM Rich Felker wrote: > > On Wed, Oct 28, 2020 at 01:42:13PM +0100, Jann Horn wrote: > > > On Wed, Oct 28, 2020 at 12:18 PM Camille Mougey wrote: > > > You're just focusing on execve() - I think it's

Re: [seccomp] Request for a "enable on execve" mode for Seccomp filters

2020-10-28 Thread Jann Horn
+luto just in case he has opinions on this On Wed, Oct 28, 2020 at 12:18 PM Camille Mougey wrote: > From my understanding, there is no way to delay the activation of > seccomp filters, for instance "until an _execve_ call". (FWIW, there are some tricks that you can use for this. In particular,

Re: [seccomp] Request for a "enable on execve" mode for Seccomp filters

2020-10-28 Thread Kees Cook
On Wed, Oct 28, 2020 at 01:42:13PM +0100, Jann Horn wrote: > +luto just in case he has opinions on this > > On Wed, Oct 28, 2020 at 12:18 PM Camille Mougey wrote: > > From my understanding, there is no way to delay the activation of > > seccomp filters, for instance "until an _execve_ call". > >

Re: [seccomp] Request for a "enable on execve" mode for Seccomp filters

2020-10-28 Thread Kees Cook
On Wed, Oct 28, 2020 at 12:49:36PM -0400, Rich Felker wrote: > On Wed, Oct 28, 2020 at 01:42:13PM +0100, Jann Horn wrote: > > +luto just in case he has opinions on this > > > > On Wed, Oct 28, 2020 at 12:18 PM Camille Mougey wrote: > > > From my understanding, there is no way to delay the

Re: [seccomp] Request for a "enable on execve" mode for Seccomp filters

2020-10-28 Thread Andy Lutomirski
On Wed, Oct 28, 2020 at 3:47 PM Kees Cook wrote: > > On Wed, Oct 28, 2020 at 12:18:47PM +0100, Camille Mougey wrote: > > (This is my first message to the kernel list, I hope I'm doing it right) > > 1- self-confinement > 2- launching external processes > a) cooperating > b)

Re: [seccomp] Request for a "enable on execve" mode for Seccomp filters

2020-10-28 Thread Kees Cook
On Wed, Oct 28, 2020 at 12:18:47PM +0100, Camille Mougey wrote: > (This is my first message to the kernel list, I hope I'm doing it right) Looks good to me! The key was CCing real people. ;) > From my understanding, there is no way to delay the activation of > seccomp filters, for instance

Re: [seccomp] Request for a "enable on execve" mode for Seccomp filters

2020-10-28 Thread Jann Horn
On Wed, Oct 28, 2020 at 7:35 PM Rich Felker wrote: > On Wed, Oct 28, 2020 at 07:25:45PM +0100, Jann Horn wrote: > > On Wed, Oct 28, 2020 at 6:52 PM Rich Felker wrote: > > > On Wed, Oct 28, 2020 at 06:34:56PM +0100, Jann Horn wrote: > > > > On Wed, Oct 28, 2020 at 5:49 PM Rich Felker wrote: > >

Re: [seccomp] Request for a "enable on execve" mode for Seccomp filters

2020-10-28 Thread Jann Horn
On Wed, Oct 28, 2020 at 5:49 PM Rich Felker wrote: > On Wed, Oct 28, 2020 at 01:42:13PM +0100, Jann Horn wrote: > > On Wed, Oct 28, 2020 at 12:18 PM Camille Mougey wrote: > > You're just focusing on execve() - I think it's important to keep in > > mind what happens after execve() for normal,

Re: [seccomp] Request for a "enable on execve" mode for Seccomp filters

2020-10-28 Thread Jann Horn
On Wed, Oct 28, 2020 at 6:52 PM Rich Felker wrote: > On Wed, Oct 28, 2020 at 06:34:56PM +0100, Jann Horn wrote: > > On Wed, Oct 28, 2020 at 5:49 PM Rich Felker wrote: > > > On Wed, Oct 28, 2020 at 01:42:13PM +0100, Jann Horn wrote: > > > > On Wed, Oct 28, 2020 at 12:18 PM Camille Mougey > > >