| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 28 Apr 2011 13:51:30 -0500 From: "Serge E. Hallyn" <serge@...lyn.com> To: Will Drewry <wad@...omium.org> Cc: Steven Rostedt <rostedt@...dmis.org>, linux-kernel@...r.kernel.org, kees.cook@...onical.com, eparis@...hat.com, agl@...omium.org, mingo@...e.hu, jmorris@...ei.org, Frederic Weisbecker <fweisbec@...il.com>, Ingo Molnar <mingo@...hat.com>, Andrew Morton <akpm@...ux-foundation.org>, Tejun Heo <tj@...nel.org>, Michal Marek <mmarek@...e.cz>, Oleg Nesterov <oleg@...hat.com>, Roland McGrath <roland@...hat.com>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, Jiri Slaby <jslaby@...e.cz>, David Howells <dhowells@...hat.com> Subject: Re: [PATCH 3/7] seccomp_filter: Enable ftrace-based system call filtering Quoting Will Drewry (wad@...omium.org): > On Thu, Apr 28, 2011 at 12:39 PM, Serge E. Hallyn <serge@...lyn.com> wrote: > > Quoting Steven Rostedt (rostedt@...dmis.org): > >> On Thu, 2011-04-28 at 11:55 -0500, Serge E. Hallyn wrote: > >> > I actually thought you were going to be more extreme about the seccomp > >> > state than you are: I thought you were going to tie a filter list to > >> > seccomp state. So adding or removing a filter would have required > >> > duping the seccomp state, duping all the filters, making the change in > >> > the copy, and then swapping the new state into place. Slow in the > >> > hopefully rare update case, but safe. > > Hrm, I think I'm confused now! This is exactly what I *thought* the > code was doing. > > At present, seccomp_state can be shared across predecessor/ancestor > relationships using refcounting in fork.c (get/put). However, the > only way to change a given seccomp_state or its filters is either > through the one-bit on_next_syscall change or through > prctl_set_seccomp. In prctl_set_seccomp, it does: > state = (orig_state ? seccomp_state_dup(orig_state) : > seccomp_state_new()); > operates on the new state and then rcu_assign_pointer()s it to the > task. I didn't intentionally provide any way to drop filters from an > existing state object nor change the filtered syscalls on an in-use > object. That _dup call should hit the impromperly rcu_locked > copy_all_filters returning duplicates of the original filters by > reparsing the filter_string. > > Did I accidentally provide a means to mutate a state object or filter > list without dup()ing? :/ Ah - probably not, I probably misread your intent for the helpers. So in that case you don't need to rcu-protect the filters at all when copying. You just need to inc the seccomp struct refcount under rcu lock, to make sure it all stays put. Drop rcu lock, take your time copying, then when you dec the refcount the whole seccomp struct either gets freed or not. Excellent. -serge -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists