| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 9 Jun 2016 19:01:45 -0700 From: Kees Cook <keescook@...omium.org> To: Andy Lutomirski <luto@...capital.net> Cc: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, X86 ML <x86@...nel.org>, Andy Lutomirski <luto@...nel.org>, Benjamin Herrenschmidt <benh@...nel.crashing.org>, Catalin Marinas <catalin.marinas@....com>, Chris Metcalf <cmetcalf@...lanox.com>, Heiko Carstens <heiko.carstens@...ibm.com>, Helge Deller <deller@....de>, "James E.J. Bottomley" <jejb@...isc-linux.org>, James Hogan <james.hogan@...tec.com>, Jeff Dike <jdike@...toit.com>, linux-arch <linux-arch@...r.kernel.org>, "linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org>, Linux MIPS Mailing List <linux-mips@...ux-mips.org>, linux-parisc <linux-parisc@...r.kernel.org>, "linuxppc-dev@...ts.ozlabs.org" <linuxppc-dev@...ts.ozlabs.org>, "linux-s390@...r.kernel.org" <linux-s390@...r.kernel.org>, "Maciej W. Rozycki" <macro@...tec.com>, Mark Rutland <mark.rutland@....com>, Martin Schwidefsky <schwidefsky@...ibm.com>, Michael Ellerman <mpe@...erman.id.au>, Paul Mackerras <paulus@...ba.org>, Ralf Baechle <ralf@...ux-mips.org>, Richard Weinberger <richard@....at>, Russell King <linux@...linux.org.uk>, "user-mode-linux-devel@...ts.sourceforge.net" <user-mode-linux-devel@...ts.sourceforge.net>, Will Deacon <will.deacon@....com> Subject: Re: [PATCH 06/14] x86/ptrace: run seccomp after ptrace On Thu, Jun 9, 2016 at 3:52 PM, Andy Lutomirski <luto@...capital.net> wrote: > On Thu, Jun 9, 2016 at 2:01 PM, Kees Cook <keescook@...omium.org> wrote: >> This moves seccomp after ptrace on x86 to that seccomp can catch changes >> made by ptrace. Emulation should skip the rest of processing too. >> >> We can get rid of test_thread_flag because there's no longer any >> opportunity for seccomp to mess with ptrace state before invoking >> ptrace. >> >> Suggested-by: Andy Lutomirski <luto@...nel.org> >> Signed-off-by: Kees Cook <keescook@...omium.org> >> Cc: x86@...nel.org >> Cc: Andy Lutomirski <luto@...nel.org> >> --- >> arch/x86/entry/common.c | 22 ++++++++++++---------- >> 1 file changed, 12 insertions(+), 10 deletions(-) >> >> diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c >> index df56ca394877..81c0e12d831c 100644 >> --- a/arch/x86/entry/common.c >> +++ b/arch/x86/entry/common.c >> @@ -73,6 +73,7 @@ static long syscall_trace_enter(struct pt_regs *regs) >> >> struct thread_info *ti = pt_regs_to_thread_info(regs); >> unsigned long ret = 0; >> + bool emulated = false; >> u32 work; >> >> if (IS_ENABLED(CONFIG_DEBUG_ENTRY)) >> @@ -80,11 +81,19 @@ static long syscall_trace_enter(struct pt_regs *regs) >> >> work = ACCESS_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY; >> >> + if (unlikely(work & _TIF_SYSCALL_EMU)) >> + emulated = true; >> + >> + if ((emulated || (work & _TIF_SYSCALL_TRACE)) && >> + tracehook_report_syscall_entry(regs)) >> + return -1L; >> + >> + if (emulated) >> + return -1L; >> + > > I think that this code will result in ptrace-induced skips calling the > audit exit hook but not the audit entry hook. I don't know whether > this is a problem. It's also worth making sure that ptracing a > seccomp-skipped syscall calls the exit hook with the right regs. > > I suspect it's fine, but I want to think about it a little bit more. I don't think this is true, since all architectures already needed to handle an immediate return from seccomp, so audit shouldn't be touched on the exit path either. -Kees -- Kees Cook Chrome OS & Brillo Security
Powered by blists - more mailing lists