Message-ID: <20110619141232.GA3444@albatros>
Date: Sun, 19 Jun 2011 18:12:32 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: kernel-hardening@...ts.openwall.com
Subject: Re: HARDEN_VM86

Solar,

On Wed, Jun 15, 2011 at 18:38 +0400, Solar Designer wrote:
> BTW, a related syscall is modify_ldt(2). You could want to research
> what programs use it, and consider restricting it as well. Perhaps with
> a separate sysctl?

It starts to look like seccomp v2.

http://thread.gmane.org/gmane.linux.kernel/833539/focus=833864 - but with
capable(CAP_SYS_RAWIO) instead of just deny and static syscalls list.

Will Drewry is trying to push his limiting patch with ftrace-like syntax
restrictions, but (a) it is not yet applied and (b) it is not inherited
by execve's:

https://lkml.org/lkml/2011/6/12/184

If it was not limited to one task it would serve our needs :(

-- 
Vasiliy
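As an added example, not part of the message above or of any patch in this thread: the task-local restriction of modify_ldt(2) and vm86(2) being discussed, expressed as a seccomp-bpf filter. This uses the filter interface that Will Drewry's work eventually became (merged in Linux 3.5, after this thread), not the 2011 patch the message refers to. Unlike the version complained about in point (b), a merged seccomp filter is inherited across both fork() and execve(); PR_SET_NO_NEW_PRIVS is what lets an unprivileged task install it without the filter becoming a way to confuse setuid binaries. The syscall numbers are hard-coded (x86-64 modify_ldt = 154; i386 modify_ldt = 123, vm86old = 113, vm86 = 166) so the table compiles on any architecture, and the small interpreter at the end is a constructed test harness, not something the kernel provides.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Field offsets in the struct seccomp_data the kernel hands to the filter. */
#define NR_OFF   offsetof(struct seccomp_data, nr)
#define ARCH_OFF offsetof(struct seccomp_data, arch)

/* Deny with EPERM, the same error a capable(CAP_SYS_RAWIO)-gated kernel
 * check would return to the caller. */
#define DENY (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* x86-only filter: raw syscall numbers are per-ABI, so dispatch on arch
 * first. Instruction indices are noted because BPF jumps are relative to
 * the instruction after the jump. */
static const struct sock_filter ldt_filter[] = {
    /* 0-3: dispatch on ABI; any ABI this table does not know is killed. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARCH_OFF),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 2, 0), /* -> 4 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_I386,   5, 0), /* -> 8 */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* 4-7: x86-64 has no vm86 syscall; only modify_ldt (154) is denied. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, NR_OFF),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 154, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, DENY),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* 8-13: i386, native or via compat: modify_ldt (123), vm86old (113),
     * vm86 (166). A 32-bit caller on a 64-bit kernel lands here too. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, NR_OFF),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 123, 2, 0), /* -> 12 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 113, 1, 0), /* -> 12 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 166, 0, 1), /* -> 12 / 13 */
    BPF_STMT(BPF_RET | BPF_K, DENY),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define LDT_FILTER_LEN (sizeof(ldt_filter) / sizeof(ldt_filter[0]))

/* Install the filter on the calling task. From here on it applies to this
 * task and to every child it forks or execs. Returns 0 on success. */
static int install_ldt_filter(void)
{
    struct sock_fprog prog = {
        .len = (unsigned short)LDT_FILTER_LEN,
        .filter = (struct sock_filter *)ldt_filter,
    };
    /* Required for an unprivileged installer; it also guarantees no later
     * execve() can regain privilege under this filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Constructed offline evaluator for the three opcode kinds used above, so
 * the verdict for a given (arch, nr) can be checked without installing. */
static unsigned int run_filter(const struct sock_filter *f, size_t len,
                               unsigned int arch, unsigned int nr)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *i = &f[pc];
        switch (i->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            acc = (i->k == ARCH_OFF) ? arch : nr;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == i->k) ? i->jt : i->jf; /* loop adds the +1 */
            break;
        case BPF_RET | BPF_K:
            return i->k;
        default:
            return SECCOMP_RET_KILL; /* unsupported opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL; /* ran off the end: fail closed */
}

int main(void)
{
    if (install_ldt_filter() != 0) {
        perror("seccomp install");
        return 1;
    }
#if defined(__x86_64__)
    /* modify_ldt(0, NULL, 0) is a harmless read of the LDT; with the
     * filter in place it now fails with EPERM instead. */
    if (syscall(__NR_modify_ldt, 0, NULL, 0) == -1 && errno == EPERM)
        puts("modify_ldt denied: EPERM");
#endif
    return 0;
}
```

This is still exactly the limitation the message ends on: the filter binds one task and its descendants, so it is something a service can apply to itself, not a system-wide sysctl an administrator can flip. On a non-x86 kernel the dispatch would kill the process on its first syscall, which is why the table refuses unknown ABIs rather than allowing them.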