On 01/12, Steven Rostedt wrote: > > On Thu, 2012-01-12 at 17:14 +0100, Oleg Nesterov wrote: > > > May be this needs something like LSM_UNSAFE_SECCOMP, or perhaps > > cap_bprm_set_creds() should take seccomp.mode == 2 into account, I dunno. > > > > OTOH, currently seccomp.mode == 1 doesn't allow to exec at all. > > I've never used seccomp, so I admit I'm totally ignorant on this topic. me too ;) > But looking at seccomp from the outside, the biggest advantage to this > would be the ability for normal processes to be able to limit tasks it > kicks off. If I want to run a task in a sandbox, I don't want to be root > to do so. > > I guess a web browser doesn't perform an exec to run java programs. But > it would be nice if I could execute something from the command line that > I could run in a sand box. > > What's the problem with making sure that the setuid isn't set before > doing an execv? Only fail when setuid (or some other magic) is enabled > on the file being exec'd. I agree. That is why I mentioned LSM_UNSAFE_SECCOMP/cap_bprm_set_creds. Just I do not know what would be the most simple/clean way to do this. And in any case I agree that the current seccomp_check_exec() looks strange. Btw, it does { if (current->seccomp.mode != 2) return 0; /* We can rely on the task refcount for the filter. */ if (!current->seccomp.filter) return -EPERM; How it is possible to have seccomp.filter == NULL with mode == 2? Oleg. -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html