* Eric W. Biederman <ebied...@xmission.com> wrote:
> Ingo Molnar <mi...@kernel.org> writes:
>
> > * Eric W. Biederman <ebied...@xmission.com> wrote:
> >
> >> The trouble with attributes is that means you can't filter your system
> >> call arguments with seccomp. [...]
> >
> > There's nothing keeping seccomp from securely fetching those arguments and
> > extending filtering to them as well ...
> >
> > Allowing that would make sense for a lot of other system calls as
> > well.
>
> Possibly. The challenge is that if the fetch for the kernel to use
> those arguments is different from the fetch of seccomp to test those
> arguments you have a time of test vs time of use race.
Those fetched values should obviously then be used to call permitted system
calls.
> Given the location of the seccomp hook at the kernel user space border
> there is no easy way for seccomp to share the fetch with the system
> call itself.
>
> So I don't see how seccomp could perform the fetch securely.
Looks like more of a seccomp mis-design/mis-implementation than some
fundamental
problem.
Mis-designed security features should not hinder system call design.
Thanks,
Ingo
_______________________________________________
Y2038 mailing list
Y2038@lists.linaro.org
https://lists.linaro.org/mailman/listinfo/y2038
