Subject: kern/19957: systrace makes bad assumptions that break down in LWP universe
To: None <email@example.com>
From: None <firstname.lastname@example.org>
Date: 01/20/2003 10:19:24
>Synopsis: systrace makes bad assumptions that break down in LWP universe
>Arrival-Date: Mon Jan 20 10:20:00 PST 2003
>Originator: Jason R Thorpe
>Release: NetBSD 1.6M
Wasabi Systems, Inc.
The systrace framework makes some bad assumptions about processes
that no longer hold true in the LWP/SA universe. In particular,
it implicitly assumes the kernel has only one scheduling entity
for the entire process (which was the case before the nathanw_sa
branch was merged).
An attack could theoretically make use of the syscall argument
rewriting method to undo syscall argument filtering.
Of greater concern, however, is the "privelege elevation" code,
which could cause another LWP in the same process to run with
higher priveleges unintentionally while the intended LWP also
has the elevated priveleges.
One possible fix to the privelege elevation issue is to allow an
LWP to reference an LWP-private creds structure while using PE.
Another fix might be to suspend execution of all other LWPs while
one is using PE. This could have significant performance penalties,