| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CABqD9hZ5vZwDNcD37pGRcU+=qvffzJshqSU2pYPF+weMkhY8vg@mail.gmail.com> Date: Mon, 16 Jan 2012 14:28:25 -0600 From: Will Drewry <wad@...omium.org> To: Andrew Lutomirski <luto@....edu> Cc: linux-kernel@...r.kernel.org, keescook@...omium.org, john.johansen@...onical.com, serge.hallyn@...onical.com, coreyb@...ux.vnet.ibm.com, pmoore@...hat.com, eparis@...hat.com, djm@...drot.org, torvalds@...ux-foundation.org, segoon@...nwall.com, rostedt@...dmis.org, jmorris@...ei.org, scarybeasts@...il.com, avi@...hat.com, penberg@...helsinki.fi, viro@...iv.linux.org.uk, mingo@...e.hu, akpm@...ux-foundation.org, khilman@...com, borislav.petkov@....com, amwang@...hat.com, oleg@...hat.com, ak@...ux.intel.com, eric.dumazet@...il.com, gregkh@...e.de, dhowells@...hat.com, daniel.lezcano@...e.fr, linux-fsdevel@...r.kernel.org, linux-security-module@...r.kernel.org, olofj@...omium.org, mhalcrow@...gle.com, dlaor@...hat.com Subject: Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF On Thu, Jan 12, 2012 at 11:02 AM, Andrew Lutomirski <luto@....edu> wrote: > On Wed, Jan 11, 2012 at 9:25 AM, Will Drewry <wad@...omium.org> wrote: >> This patch adds support for seccomp mode 2. This mode enables dynamic >> enforcement of system call filtering policy in the kernel as specified >> by a userland task. The policy is expressed in terms of a BPF program, >> as is used for userland-exposed socket filtering. Instead of network >> data, the BPF program is evaluated over struct user_regs_struct at the >> time of the system call (as retrieved using regviews). >> >https://www.google.com/calendar?tab=mc&authuser=1 > There's some seccomp-related code in the vsyscall emulation path in > arch/x86/kernel/vsyscall_64.c. How should time(), getcpu(), and > gettimeofday() be handled? Nice catch: lxr.linux.no/linux+v3.2.1/arch/x86/kernel/vsyscall_64.c#L180 I'd missed it. > If you want filtering to work, there > aren't any real syscall registers to inspect, but they could be > synthesized. Hrm, I wonder if making sure orig_eax is populated with the vsyscall_nr would be enough. Unless I'm misreading, args 0 and 1 are correct, so there may be other noise, but performing a call to __secure_computing() (either in the case or with a pre-validate syscall nr: 0-2) should send the do_exit. Does that sound reasonable? I'll try to do the right thing in my next patch set. > Preventing a malicious task from figuring out approximately what time > it is is basically impossible because of the way that vvars work. I > don't know how to change that efficiently. There are other ways to guess the time too, so I don't think it's that bad. For those that are really worried, they could disable or otherwise attempt to limit vsyscall access from their sandbox. thanks! will -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists