| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 15 Sep 2015 13:01:23 -0700
From: Andy Lutomirski <luto@...capital.net>
To: Tycho Andersen <tycho.andersen@...onical.com>
Cc: Kees Cook <keescook@...omium.org>,
Pavel Emelyanov <xemul@...allels.com>,
Network Development <netdev@...r.kernel.org>,
Alexei Starovoitov <ast@...nel.org>,
"David S. Miller" <davem@...emloft.net>,
Oleg Nesterov <oleg@...hat.com>,
"Serge E. Hallyn" <serge.hallyn@...ntu.com>,
Linux API <linux-api@...r.kernel.org>,
Will Drewry <wad@...omium.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Daniel Borkmann <daniel@...earbox.net>
Subject: Re: v2 of seccomp filter c/r patches
On Tue, Sep 15, 2015 at 11:26 AM, Tycho Andersen
<tycho.andersen@...onical.com> wrote:
> Hi Andy,
>
> On Tue, Sep 15, 2015 at 11:13:51AM -0700, Andy Lutomirski wrote:
>> On Tue, Sep 15, 2015 at 9:07 AM, Tycho Andersen
>> <tycho.andersen@...onical.com> wrote:
>> > Hi Andy,
>> >
>> > On Mon, Sep 14, 2015 at 10:52:46AM -0700, Andy Lutomirski wrote:
>> >>
>> >> I'm not sure I entirely like this solution...
>> >
>> > Ok. Since we also aren't going to do all the eBPF stuff now, how about
>> > something that looks like this:
>> >
>> > struct seccomp_layer {
>> > unsigned int size;
>> > unsigned int type; /* SECCOMP_BPF_CLASSIC or SECCOMP_EBPF or ... */
>> > bool inherited;
>> > union {
>> > unsigned int insn_cnt;
>> > struct bpf_insn *insns;
>> > };
>> > };
>> >
>> > with a ptrace command:
>> >
>> > ptrace(PTRACE_SECCOMP_DUMP_LAYER, pid, i, &layer);
>> >
>> > If we save a pointer to the current seccomp filter on fork (if there
>> > is one), then I think the inherited flag is just,
>> >
>> > inherited = is_ancestor(child->seccomp.filter, child->seccomp.inherited_filter)
>> >
>>
>> I'm lost. What is the inherited flag for?
>
> We need some way to expose the seccomp hierarchy, specifically which
> filters are inherited, so that we can correctly restore the filter
> tree for tasks that may use TSYNC in the future. You've mentioned that
> you don't like kcmp, so this is an alternative to that.
>
My only objection to kcmp is that IMO it's a suboptimal interface and
could be better. I have no problem with the general principle of
asking to compare two objects.
The thing I really don't have a good handle on is whether the seccomp
filter hierarchy should look more like A:
struct seccomp_filter {
...;
struct seccomp_filter *prev;
};
with the seccomp_filter being the user-visible object
Or B:
struct seccomp_layer {
...; /* BPF program, etc. */
}
struct seccomp_filter {
struct seccomp_layer *layer;
struct seccomp_filter *prev;
}; /* or equivalent */
with seccomp_layer being the user-visible object.
A is simpler to implement in a memory-efficient way, but it's less
flexible. I haven't come up with a compelling use case for B where A
doesn't work, with the caveat that, if an fd points to a
seccomp_filter in model A, you can't attach it unless your current
state matches its "prev" state (or an ancestor thereof), which might
be a little bit awkward.
Am I making more sense now?
--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists