Kees Cook has been doing some thinking about plans for new seccomp features to work on soon. There were four separate areas that he was interested in, which he detailed in a lengthy mid-May message on the linux-kernel mailing list. One of those features, deep argument inspection, has been covered here before, but it would seem that we are getting closer to a resolution on how that all will work.

Seccomp filtering (or "seccomp mode 2") allows a process to filter which system calls can be made by it or its threads; it can be used to "sandbox" a program such that it cannot make calls that it shouldn't. Those filters use the "classic" BPF (cBPF) language to specify which system calls and argument values to allow or disallow. The seccomp() system call is used to enable filtering mode or to load a cBPF filtering program. Those programs only have access to the values of the arguments passed to the system call; if those arguments are pointers, they cannot be dereferenced by seccomp, which means that accepting or rejecting the system call cannot depend on, for example, values in structures that are passed to system calls via pointers, or even string values.

The reason that seccomp cannot dereference the pointers is to avoid the time-of-check-to-time-of-use (TOCTTOU) race condition, where user space can change the value of what
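The filtering model described above, as an added example that is not from the article or the kernel tree: a cBPF filter that decides on write() using only the value of its fd argument, installed in a forked child. The function name run_demo, the fd numbers 10 and 11, and the little-endian layout are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* The filter's only input is struct seccomp_data: nr, arch and six 64-bit
 * argument values. args[1] (the buffer pointer) is just a number to cBPF, so
 * the decision below can depend on the fd but never on the bytes written.
 * Narrowed for space: no seccomp_data.arch check, which a real filter does first. */
static struct sock_filter rules[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 0, 3),   /* not write: allow */
    /* low 32 bits of args[0]; this offset assumes a little-endian machine */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 11, 0, 1),           /* fd == 11 ? */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Runs the filter in a child. Result bit 0: write to fd 11 failed with EPERM;
 * bit 1: write of the same buffer to fd 10 succeeded. 100 or -1: setup failed. */
int run_demo(void)
{
    int p[2], status;
    pid_t pid;
    if (pipe(p) != 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {
        struct sock_fprog prog = { .len = sizeof(rules) / sizeof(rules[0]), .filter = rules };
        const char msg[] = "x";
        int r = 0;
        if (dup2(p[1], 10) < 0 || dup2(p[1], 11) < 0 ||
            prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog)) _exit(100);
        if (write(11, msg, 1) == -1 && errno == EPERM) r |= 1;
        if (write(10, msg, 1) == 1) r |= 2;
        _exit(r);
    }
    close(p[0]); close(p[1]);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) { printf("result mask: %d\n", run_demo()); return 0; }
```

Both writes pass the same buffer pointer; only the fd value differs, and that value is the only thing the filter can distinguish.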