On 01/12, Steven Rostedt wrote:
>
> On Wed, 2012-01-11 at 11:25 -0600, Will Drewry wrote:
>
> > Filter programs may _only_ cross the execve(2) barrier if the last filter
> > program was attached by a task with CAP_SYS_ADMIN capabilities in its
> > user namespace. Once a task-local filter program is attached from a
> > process without privileges, execve will fail. This ensures that only a
> > privileged parent task can affect its privileged children (e.g., setuid
> > binary).
>
> This means that a non-privileged user can not run another program with
> limited features? How would a process exec another program and filter
> it? I would assume that the filter would need to be attached first and
> then the execv() would be performed. But after the filter is attached,
> the execv is prevented?
>
> Maybe I don't understand this correctly.

Maybe this needs something like LSM_UNSAFE_SECCOMP, or perhaps
cap_bprm_set_creds() should take seccomp.mode == 2 into account, I dunno.

OTOH, currently seccomp.mode == 1 doesn't allow to exec at all.

Oleg.
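The sequence Steven describes (attach a filter in the parent, then execve the child so it runs under that filter) is the common sandboxing pattern, and the thread is about what the kernel should do at the execve boundary. The program below is an added example, not code from this thread or from the seccomp patch series. It assumes a Linux kernel with seccomp-bpf and PR_SET_NO_NEW_PRIVS, the prctl that was merged later (Linux 3.5) to answer exactly this question: once a task promises it can never gain privileges across execve, a filter attached by an unprivileged parent is allowed to cross execve, so the "execve will fail" rule in the quoted patch is no longer needed. The filter denies one syscall (ptrace, chosen here as an illustration) with EPERM, allows everything else, and kills the task if evaluated under a foreign ABI. `run_filter` is a small interpreter for the three instruction forms the filter uses, so the decision logic can be checked without installing anything; `main` installs the filter and execs the command given on the command line.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* The filter must check the ABI first, otherwise syscall numbers from a
 * compat or x32 entry point would be matched against the wrong table. */
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define ARCH_NR AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Emit a filter that returns EPERM for deny_nr, kills on a foreign ABI and
 * allows everything else. Returns the instruction count, 0 if out has no room. */
static size_t build_deny_filter(struct sock_filter *out, size_t cap, int deny_nr)
{
    const struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)deny_nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    size_t n = sizeof prog / sizeof prog[0];
    if (cap < n)
        return 0;
    memcpy(out, prog, sizeof prog);
    return n;
}

/* Evaluate the filter on a constructed seccomp_data the way the kernel
 * would. Only the instruction forms emitted above are supported; anything
 * else fails closed with SECCOMP_RET_KILL. */
static uint32_t run_filter(const struct sock_filter *f, size_t n,
                           const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *i = &f[pc];
        switch (i->code) {
        case BPF_LD | BPF_W | BPF_ABS: {
            uint32_t v;
            memcpy(&v, (const char *)d + i->k, sizeof v);
            acc = v;
            break;
        }
        case BPF_JMP | BPF_JEQ | BPF_K:
            /* kernel semantics: next pc = pc + 1 + (jt or jf) */
            pc += (acc == i->k) ? i->jt : i->jf;
            break;
        case BPF_RET | BPF_K:
            return i->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}

/* Decision for one (arch, syscall number) pair under the ptrace-deny filter. */
uint32_t decide(uint32_t arch, int nr)
{
    struct sock_filter f[16];
    size_t n = build_deny_filter(f, sizeof f / sizeof f[0], __NR_ptrace);
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return run_filter(f, n, &d);
}

/* Install the filter on the calling task. PR_SET_NO_NEW_PRIVS is what lets
 * an unprivileged parent's filter survive execve in the merged design. */
static int install_filter(struct sock_filter *f, size_t n)
{
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(int argc, char **argv)
{
    struct sock_filter f[16];
    size_t n = build_deny_filter(f, sizeof f / sizeof f[0], __NR_ptrace);
    if (argc < 2) {
        fprintf(stderr, "usage: %s prog [args...]\n", argv[0]);
        return 2;
    }
    if (install_filter(f, n) != 0) {
        perror("seccomp");
        return 1;
    }
    execvp(argv[1], argv + 1); /* the exec'd program inherits the filter */
    perror("execvp");
    return 1;
}
```

Run it as `./sandbox some-program`: the child's ptrace calls fail with EPERM while everything else proceeds, and the filter was attached without any capability in the parent. Under the semantics of the quoted patch the same execvp would have failed outright for an unprivileged parent; no_new_privs is the piece that replaced that restriction.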