* Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote: > Ingo Molnar <mingo@xxxxxxxxxx> writes: > > > * Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote: > > > >> The trouble with attributes is that means you can't filter your system > >> call arguments with seccomp. [...] > > > > There's nothing keeping seccomp from securely fetching those arguments and > > extending filtering to them as well ... > > > > Allowing that would make sense for a lot of other system calls as > > well. > > Possibly. The challenge is that if the fetch for the kernel to use > those arguments is different from the fetch of seccomp to test those > arguments you have a time of test vs time of use race. Those fetched values should obviously then be used to call permitted system calls. > Given the location of the seccomp hook at the kernel user space border > there is no easy way for seccomp to share the fetch with the system > call itself. > > So I don't see how seccomp could perform the fetch securely. Looks like more of a seccomp mis-design/mis-implementation than some fundamental problem. Mis-designed security features should not hinder system call design. Thanks, Ingo