Bug 19656 - nscd: add support for Linux seccomp
Summary: nscd: add support for Linux seccomp
Status: NEW
Alias: None
Product: glibc
Classification: Unclassified
Component: nscd
Version: 2.23
Importance: P2 enhancement
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2016-02-18 06:12 UTC by Mike Frysinger
Modified: 2016-02-18 14:42 UTC
CC List: 3 users

fweimer: security-


Description Mike Frysinger 2016-02-18 06:12:21 UTC
for system hardening, nscd should automatically create and install a seccomp filter on itself, and for its children.  see the libseccomp project for more details:
https://github.com/seccomp/libseccomp

the kernel allows for this to be turned off, so we need to test for it at runtime.
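
The runtime test mentioned in the description, as an added example that is not part of the bug report and is not glibc or nscd code. It relies on the prctl(2) behaviour that requesting SECCOMP_MODE_FILTER with a NULL filter fails with EFAULT on a kernel that supports filters and with EINVAL on one that does not; the enum and function names are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>

enum seccomp_support {
    SECCOMP_FILTER_AVAILABLE,   /* kernel accepts SECCOMP_MODE_FILTER */
    SECCOMP_FILTER_UNAVAILABLE, /* seccomp filter support compiled out or kernel too old */
    SECCOMP_FILTER_UNKNOWN      /* unexpected result, e.g. prctl itself is blocked */
};

/* Map the probe's return value and errno to a decision.  Kept apart from
   the system call so the mapping can be checked with constructed values. */
enum seccomp_support classify_probe(int ret, int err)
{
    if (ret == -1 && err == EFAULT)
        return SECCOMP_FILTER_AVAILABLE;
    if (ret == -1 && err == EINVAL)
        return SECCOMP_FILTER_UNAVAILABLE;
    return SECCOMP_FILTER_UNKNOWN;
}

/* Request filter mode with a NULL program.  The call can never install a
   filter: a supporting kernel fails while copying the program (EFAULT),
   a kernel without filter support rejects the mode (EINVAL). */
enum seccomp_support probe_seccomp_filter(void)
{
    errno = 0;
    int ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
    return classify_probe(ret, errno);
}

int main(void)
{
    switch (probe_seccomp_filter()) {
    case SECCOMP_FILTER_AVAILABLE:
        puts("seccomp filter mode available: a filter can be installed");
        break;
    case SECCOMP_FILTER_UNAVAILABLE:
        puts("seccomp filter mode not available on this kernel");
        break;
    default:
        puts("seccomp probe inconclusive");
        break;
    }
    return 0;
}
```
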
Comment 1 Florian Weimer 2016-02-18 14:42:44 UTC
We need to consider that NSS service modules can do basically anything, so a high-quality implementation is difficult.  An initial implementation could be restricted to the files and dns modules.