| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 04 May 2011 14:46:25 -0400 From: Steven Rostedt <rostedt@...dmis.org> To: Frederic Weisbecker <fweisbec@...il.com> Cc: Will Drewry <wad@...omium.org>, Eric Paris <eparis@...hat.com>, Ingo Molnar <mingo@...e.hu>, linux-kernel@...r.kernel.org, kees.cook@...onical.com, agl@...omium.org, jmorris@...ei.org, Randy Dunlap <rdunlap@...otime.net>, Linus Torvalds <torvalds@...ux-foundation.org>, Andrew Morton <akpm@...ux-foundation.org>, Tom Zanussi <tzanussi@...il.com>, Arnaldo Carvalho de Melo <acme@...hat.com>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, Thomas Gleixner <tglx@...utronix.de> Subject: Re: [PATCH 5/7] seccomp_filter: Document what seccomp_filter is and how it works. On Wed, 2011-05-04 at 20:30 +0200, Frederic Weisbecker wrote: > On Wed, May 04, 2011 at 02:23:02PM -0400, Steven Rostedt wrote: > > On Wed, 2011-05-04 at 19:52 +0200, Frederic Weisbecker wrote: > > > > > > It's certainly doable, but it will > > > > mean that we may be logically storing something like: > > > > > > > > __NR_foo: (a == 1 || a == 2), applied > > > > __NR_foo: b == 2, not applied > > > > __NR_foo: c == 3, not applied > > > > > > > > after > > > > > > > > SECCOMP_FILTER_SET, __NR_foo, "a == 1 || a == 2" > > > > SECCOMP_FILTER_APPLY > > > > SECCOMP_FILTER_SET, __NR_foo, "b == 2" > > > > SECCOMP_FILTER_SET, __NR_foo, "c == 3" > > > > > > No, the c == 3 would override b == 2. > > > > I honestly hate the "override" mode. I like that SETs are or'd among > > each other and an APPLY is a "commit"; meaning that you can only limit > > it further, but can not extend it (an explicit &&) > > I'm confused with what you just said... > > Somehow I could understand it that way: > > SECCOMP_FILTER_SET, __NR_foo, "a == 1" > SECCOMP_FILTER_SET, __NR_foo, "a == 2" > SECCOMP_FILTER_APPLY > SECCOMP_FILTER_SET, __NR_foo, "b == 1" > > Would produce: > > "(a == 1 || a == 2) && b == 1" No, it would produce: (a == 1 || a == 2) The b == 1 will not be added until the next apply. > > That makes a pretty confusing behaviour for users I think. Not really, if it is documented well. Or we can call it: SECCOMP_FILTER_SET_OR and SECCOMP_FILTER_APPLY_AND to remove the ambiguity. The reason is actually quite simple. Before you do an apply, you can modify it to whatever you want. But once you do an apply, you just limited yourself. An apply can not be reversed. > > > > > > > > > > In that case, would a call to sys_foo even be tested against the > > > > non-applied constraints of b==2 or c==3? > > > > > > No, not as long as it's not applied. > > > > > > > Or would the call to set "c > > > > == 3" replace the "b == 2" entry. I'm not sure I see that the benefit > > > > exceeds the ambiguity that might introduce. > > > > > > The rationale behind it is that as long as you haven't applied your filter, > > > you should be able to override it. > > > > We need a "UNSET" (I like that better than DROP). > > What about a complete erase (RESET) of the temporary filter? Like I explained below > from my previous mail. What is a temporary filter? And a RESET could be there too to just remove all sets that are pending. I was thinking that we add "SETS" which the kernel can verify are correct and let the user know at the time of the command if it is valid. But these sets are not actually implemented until an APPLY is hit. -- Steve -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists