On Wed, 2012-02-22 at 09:19 +0100, Indan Zupancic wrote: [...] > Alternative approach: Tell the arch at filter install time and only run the > filters with the same arch as the current system call. If no filters are run, > deny the systemcall. > > Advantages: > > - Filters don't have to check the arch every syscall entry. > > - Secure by default. Filters don't have to do anything arch specific to > be secure, no surprises possible. > > - If a new arch comes into existence, there is no chance of old filters > becoming buggy and insecure. This is especially true for archs that > had only one mode, but added another one later on: Old filters had no > need to check the mode at all. [...] What about when there are multiple layers of restrictions? So long as any one layer covers the new architecture, there is no default-deny even though the other layers might not cover it. I would have thought the way to make sure the architecture is always checked is to pack it together with the syscall number. Ben. -- Ben Hutchings, Staff Engineer, Solarflare Not speaking for my employer; that's the marketing department's job. They asked us to note that Solarflare product names are trademarked. -- To unsubscribe from this list: send the line "unsubscribe linux-arch" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
