* Eric W. Biederman ebiederm@xmission.com wrote:
Ingo Molnar mingo@kernel.org writes:
- Eric W. Biederman ebiederm@xmission.com wrote:
The trouble with attributes is that means you can't filter your system call arguments with seccomp. [...]
There's nothing keeping seccomp from securely fetching those arguments and extending filtering to them as well ...
Allowing that would make sense for a lot of other system calls as well.
Possibly. The challenge is that if the fetch for the kernel to use those arguments is different from the fetch of seccomp to test those arguments you have a time of test vs time of use race.
Those fetched values should obviously then be used to call permitted system calls.
Given the location of the seccomp hook at the kernel user space border there is no easy way for seccomp to share the fetch with the system call itself.
So I don't see how seccomp could perform the fetch securely.
Looks like more of a seccomp mis-design/mis-implementation than some fundamental problem.
Mis-designed security features should not hinder system call design.
Thanks,
Ingo