Re: [PATCH v2 051/109] virtiofsd: add seccomp whitelist

2020-01-24 Thread Florian Weimer
* David Alan Gilbert: > * Florian Weimer (fwei...@redhat.com) wrote: >> * David Alan Gilbert: >> >> > +static const int syscall_whitelist[] = { >> > +/* TODO ireg sem*() syscalls */ >> > +SCMP_SYS(brk), >> > +SCMP_SYS(capget), /* For CAP_FSETID */ >> > +SCMP_SYS(capset), >> > +

Re: [PATCH v2 051/109] virtiofsd: add seccomp whitelist

2020-01-24 Thread Dr. David Alan Gilbert
* Florian Weimer (fwei...@redhat.com) wrote: > * David Alan Gilbert: > > > +static const int syscall_whitelist[] = { > > +/* TODO ireg sem*() syscalls */ > > +SCMP_SYS(brk), > > +SCMP_SYS(capget), /* For CAP_FSETID */ > > +SCMP_SYS(capset), > > +SCMP_SYS(clock_gettime), > > >

Re: [PATCH v2 051/109] virtiofsd: add seccomp whitelist

2020-01-24 Thread Florian Weimer
* David Alan Gilbert: > +static const int syscall_whitelist[] = { > +/* TODO ireg sem*() syscalls */ > +SCMP_SYS(brk), > +SCMP_SYS(capget), /* For CAP_FSETID */ > +SCMP_SYS(capset), > +SCMP_SYS(clock_gettime), > +SCMP_SYS(gettimeofday), Is this supposed to work on

Re: [PATCH v2 051/109] virtiofsd: add seccomp whitelist

2020-01-21 Thread Philippe Mathieu-Daudé
On 1/21/20 8:49 PM, Dr. David Alan Gilbert wrote: * Philippe Mathieu-Daudé (phi...@redhat.com) wrote: On 1/21/20 1:23 PM, Dr. David Alan Gilbert (git) wrote: From: Stefan Hajnoczi Only allow system calls that are needed by virtiofsd. All other system calls cause SIGSYS to be directed at the

Re: [PATCH v2 051/109] virtiofsd: add seccomp whitelist

2020-01-21 Thread Dr. David Alan Gilbert
* Philippe Mathieu-Daudé (phi...@redhat.com) wrote: > On 1/21/20 1:23 PM, Dr. David Alan Gilbert (git) wrote: > > From: Stefan Hajnoczi > > > > Only allow system calls that are needed by virtiofsd. All other system > > calls cause SIGSYS to be directed at the thread and the process will > >

Re: [PATCH v2 051/109] virtiofsd: add seccomp whitelist

2020-01-21 Thread Philippe Mathieu-Daudé
On 1/21/20 1:23 PM, Dr. David Alan Gilbert (git) wrote: From: Stefan Hajnoczi Only allow system calls that are needed by virtiofsd. All other system calls cause SIGSYS to be directed at the thread and the process will coredump. Restricting system calls reduces the kernel attack surface and

[PATCH v2 051/109] virtiofsd: add seccomp whitelist

2020-01-21 Thread Dr. David Alan Gilbert (git)
From: Stefan Hajnoczi

Only allow system calls that are needed by virtiofsd. All other system calls cause SIGSYS to be directed at the thread and the process will coredump. Restricting system calls reduces the kernel attack surface and limits what the process can do when compromised.