On 06/02, Pavel Emelyanov wrote: > > > And I am not sure I understand why do we need the additional security > > check, but I leave this to you and Andy. > > > > If you have the rights to trace this task, then you can do anything > > the tracee could do without the filtering. > > I think _this_ check is required, otherwise the seccomp-ed task (in > filtered mode) fork-s a child, then this child ptrace-attach to parent > (allowed) then suspend its seccomd. If you force (hack) that task to do this. And if the seccomp-ed task does this by its own we do not care. > And -- we have unpriviledged process > de-seccomped. Heh. The case when the priviledged CAP_SYS_ADMIN process escapes the filtering is much worse I think ;) But as I said I will nott argue, just I think this needs a bit of documentantion. And I agree in advance with something like "better be safe than sorry, we can always remove this later" comment or a note in the changelog. Oleg. -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
