diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2012-05-21 23:27:36 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2012-05-21 23:27:36 -0400 |
| commit | cb60e3e65c1b96a4d6444a7a13dc7dd48bc15a2b (patch) | |
| tree | 4322be35db678f6299348a76ad60a2023954af7d | |
| parent | 99262a3dafa3290866512ddfb32609198f8973e9 (diff) | |
| parent | ff2bb047c4bce9742e94911eeb44b4d6ff4734ab (diff) | |
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris:
"New notable features:
- The seccomp work from Will Drewry
- PR_{GET,SET}_NO_NEW_PRIVS from Andy Lutomirski
- Longer security labels for Smack from Casey Schaufler
- Additional ptrace restriction modes for Yama by Kees Cook"
Fix up trivial context conflicts in arch/x86/Kconfig and include/linux/filter.h
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (65 commits)
apparmor: fix long path failure due to disconnected path
apparmor: fix profile lookup for unconfined
ima: fix filename hint to reflect script interpreter name
KEYS: Don't check for NULL key pointer in key_validate()
Smack: allow for significantly longer Smack labels v4
gfp flags for security_inode_alloc()?
Smack: recursive tramsmute
Yama: replace capable() with ns_capable()
TOMOYO: Accept manager programs which do not start with / .
KEYS: Add invalidation support
KEYS: Do LRU discard in full keyrings
KEYS: Permit in-place link replacement in keyring list
KEYS: Perform RCU synchronisation on keys prior to key destruction
KEYS: Announce key type (un)registration
KEYS: Reorganise keys Makefile
KEYS: Move the key config into security/keys/Kconfig
KEYS: Use the compat keyctl() syscall wrapper on Sparc64 for Sparc32 compat
Yama: remove an unused variable
samples/seccomp: fix dependencies on arch macros
Yama: add additional ptrace scopes
...
102 files changed, 3678 insertions, 1230 deletions
diff --git a/Documentation/prctl/seccomp_filter.txt b/Documentation/prctl/seccomp_filter.txt new file mode 100644 index 00000000000..597c3c58137 --- /dev/null +++ b/Documentation/prctl/seccomp_filter.txt | |||
| @@ -0,0 +1,163 @@ | |||
| 1 | SECure COMPuting with filters | ||
| 2 | ============================= | ||
| 3 | |||
| 4 | Introduction | ||
| 5 | ------------ | ||
| 6 | |||
| 7 | A large number of system calls are exposed to every userland process | ||
| 8 | with many of them going unused for the entire lifetime of the process. | ||
| 9 | As system calls change and mature, bugs are found and eradicated. A | ||
| 10 | certain subset of userland applications benefit by having a reduced set | ||
| 11 | of available system calls. The resulting set reduces the total kernel | ||
| 12 | surface exposed to the application. System call filtering is meant for | ||
| 13 | use with those applications. | ||
| 14 | |||
| 15 | Seccomp filtering provides a means for a process to specify a filter for | ||
| 16 | incoming system calls. The filter is expressed as a Berkeley Packet | ||
| 17 | Filter (BPF) program, as with socket filters, except that the data | ||
| 18 | operated on is related to the system call being made: system call | ||
| 19 | number and the system call arguments. This allows for expressive | ||
| 20 | filtering of system calls using a filter program language with a long | ||
| 21 | history of being exposed to userland and a straightforward data set. | ||
| 22 | |||
| 23 | Additionally, BPF makes it impossible for users of seccomp to fall prey | ||
| 24 | to time-of-check-time-of-use (TOCTOU) attacks that are common in system | ||
| 25 | call interposition frameworks. BPF programs may not dereference | ||
| 26 | pointers which constrains all filters to solely evaluating the system | ||
| 27 | call arguments directly. | ||
| 28 | |||
| 29 | What it isn't | ||
| 30 | ------------- | ||
| 31 | |||
| 32 | System call filtering isn't a sandbox. It provides a clearly defined | ||
| 33 | mechanism for minimizing the exposed kernel surface. It is meant to be | ||
| 34 | a tool for sandbox developers to use. Beyond that, policy for logical | ||
| 35 | behavior and information flow should be managed with a combination of | ||
| 36 | other system hardening techniques and, potentially, an LSM of your | ||
| 37 | choosing. Expressive, dynamic filters provide further options down this | ||
| 38 | path (avoiding pathological sizes or selecting which of the multiplexed | ||
| 39 | system calls in socketcall() is allowed, for instance) which could be | ||
| 40 | construed, incorrectly, as a more complete sandboxing solution. | ||
| 41 | |||
| 42 | Usage | ||
| 43 | ----- | ||
