lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <34b2e80343549454d6c026237f248c86.squirrel@webmail.greenhost.nl>
Date:	Wed, 14 Mar 2012 08:31:07 +0100
From:	"Indan Zupancic" <indan@....nu>
To:	"Will Drewry" <wad@...omium.org>
Cc:	linux-kernel@...r.kernel.org, linux-arch@...r.kernel.org,
	linux-doc@...r.kernel.org, kernel-hardening@...ts.openwall.com,
	netdev@...r.kernel.org, x86@...nel.org, arnd@...db.de,
	davem@...emloft.net, hpa@...or.com, mingo@...hat.com,
	oleg@...hat.com, peterz@...radead.org, rdunlap@...otime.net,
	mcgrathr@...omium.org, tglx@...utronix.de, luto@....edu,
	eparis@...hat.com, serge.hallyn@...onical.com, djm@...drot.org,
	scarybeasts@...il.com, pmoore@...hat.com,
	akpm@...ux-foundation.org, corbet@....net, eric.dumazet@...il.com,
	markus@...omium.org, coreyb@...ux.vnet.ibm.com,
	keescook@...omium.org, "Will Drewry" <wad@...omium.org>
Subject: Re: [PATCH v14 10/13] ptrace,seccomp: Add PTRACE_SECCOMP support

Hello,

On Mon, March 12, 2012 22:28, Will Drewry wrote:
> This change adds support for a new ptrace option, PTRACE_O_TRACESECCOMP,
> and a new return value for seccomp BPF programs, SECCOMP_RET_TRACE.
>
> When a tracer specifies the PTRACE_O_TRACESECCOMP ptrace option, the
> tracer will be notified for any syscall that results in a BPF program
> returning SECCOMP_RET_TRACE.  The 16-bit SECCOMP_RET_DATA mask of the
> BPF program return value will be passed as the ptrace_message and may be
> retrieved using PTRACE_GETEVENTMSG.

Maybe good to tell it gets notified with PTRACE_EVENT_SECCOMP.

>
> If the subordinate process is not using seccomp filter, then no
> system call notifications will occur even if the option is specified.
>
> If there is no attached tracer when SECCOMP_RET_TRACE is returned,
> the system call will not be executed and an -ENOSYS errno will be
> returned to userspace.

When no tracer with PTRACE_O_TRACESECCOMP set is attached?
(Because that's what the code is doing.)

>
> This change adds a dependency on the system call slow path.  Any future
> efforts to use the system call fast path for seccomp filter will need to
> address this restriction.
>
> v14: - rebase/nochanges
> v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
>       (Brings back a change to ptrace.c and the masks.)
> v12: - rebase to linux-next
>     - use ptrace_event and update arch/Kconfig to mention slow-path dependency
>     - drop all tracehook changes and inclusion (oleg@...hat.com)
> v11: - invert the logic to just make it a PTRACE_SYSCALL accelerator
>       (indan@....nu)
> v10: - moved to PTRACE_O_SECCOMP / PT_TRACE_SECCOMP
> v9:  - n/a
> v8:  - guarded PTRACE_SECCOMP use with an ifdef
> v7:  - introduced
>
> Signed-off-by: Will Drewry <wad@...omium.org>
> ---
> arch/Kconfig            |   11 ++++++-----
> include/linux/ptrace.h  |    7 +++++--
> include/linux/seccomp.h |    1 +
> kernel/ptrace.c         |    3 +++
> kernel/seccomp.c        |   20 +++++++++++++++-----
> 5 files changed, 30 insertions(+), 12 deletions(-)
>
> diff --git a/arch/Kconfig b/arch/Kconfig
> index d92a78e..3f8132c 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -202,15 +202,16 @@ config HAVE_CMPXCHG_DOUBLE
> config HAVE_ARCH_SECCOMP_FILTER
> 	bool
> 	help
> -	  This symbol should be selected by an architecure if it provides:
> -	  asm/syscall.h:
> +	  An arch should select this symbol if it provides all of these things:
> 	  - syscall_get_arch()
> 	  - syscall_get_arguments()
> 	  - syscall_rollback()
> 	  - syscall_set_return_value()
> -	  SIGSYS siginfo_t support must be implemented.
> -	  __secure_computing_int()/secure_computing()'s return value must be
> -	  checked, with -1 resulting in the syscall being skipped.
> +	  - SIGSYS siginfo_t support
> +	  - uses __secure_computing_int() or secure_computing()
> +	  - secure_computing is called from a ptrace_event()-safe context
> +	  - secure_computing return value is checked and a return value of -1
> +	    results in the system call being skipped immediately.
>
> config SECCOMP_FILTER
> 	def_bool y
> diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h
> index c2f1f6a..84b3418 100644
> --- a/include/linux/ptrace.h
> +++ b/include/linux/ptrace.h
> @@ -62,8 +62,9 @@
> #define PTRACE_O_TRACEEXEC	0x00000010
> #define PTRACE_O_TRACEVFORKDONE	0x00000020
> #define PTRACE_O_TRACEEXIT	0x00000040
> +#define PTRACE_O_TRACESECCOMP	0x00000080
>
> -#define PTRACE_O_MASK		0x0000007f
> +#define PTRACE_O_MASK		0x000000ff
>
> /* Wait extended result codes for the above trace options.  */
> #define PTRACE_EVENT_FORK	1
> @@ -73,6 +74,7 @@
> #define PTRACE_EVENT_VFORK_DONE	5
> #define PTRACE_EVENT_EXIT	6
> #define PTRACE_EVENT_STOP	7
> +#define PTRACE_EVENT_SECCOMP	8

I think PTRACE_EVENT_STOP is supposed to be hidden, it's never directly
seen by user space. Instead of doing the obvious thing, they went the
crazy PTRACE_INTERRUPT + PTRACE_LISTEN way.

So it's better to add PTRACE_EVENT_SECCOMP as 8 and bump STOP one up.
But if PTRACE_EVENT_STOP is really hidden then it shouldn't show up in
the user space header at all, it should be after the ifdef KERNEL.

>
> #include <asm/ptrace.h>
>
> @@ -101,8 +103,9 @@
> #define PT_TRACE_EXEC		PT_EVENT_FLAG(PTRACE_EVENT_EXEC)
> #define PT_TRACE_VFORK_DONE	PT_EVENT_FLAG(PTRACE_EVENT_VFORK_DONE)
> #define PT_TRACE_EXIT		PT_EVENT_FLAG(PTRACE_EVENT_EXIT)
> +#define PT_TRACE_SECCOMP	PT_EVENT_FLAG(PTRACE_EVENT_SECCOMP)
>
> -#define PT_TRACE_MASK	0x000003f4
> +#define PT_TRACE_MASK	0x00000ff4

This is wrong. Shouldn't it be 0xbf4? (0x7f4 if you bump STOP up.)

>
> /* single stepping state bits (used on ARM and PA-RISC) */
> #define PT_SINGLESTEP_BIT	31
> diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h
> index e6d4b56..f4c1774 100644
> --- a/include/linux/seccomp.h
> +++ b/include/linux/seccomp.h
> @@ -21,6 +21,7 @@
> #define SECCOMP_RET_KILL	0x00000000U /* kill the task immediately */
> #define SECCOMP_RET_TRAP	0x00020000U /* disallow and force a SIGSYS */
> #define SECCOMP_RET_ERRNO	0x00030000U /* returns an errno */
> +#define SECCOMP_RET_TRACE	0x7ffe0000U /* pass to a tracer or disallow */
> #define SECCOMP_RET_ALLOW	0x7fff0000U /* allow */

Maybe a good idea to leave more gaps between all the return codes, in
case new return codes are added in the future that fall between existing
ones? E.g:

#define SECCOMP_RET_KILL	0x00000000U /* kill the task immediately */
#define SECCOMP_RET_TRAP	0x00100000U /* disallow and force a SIGSYS */
#define SECCOMP_RET_ERRNO	0x00200000U /* returns an errno */
#define SECCOMP_RET_TRACE	0x00300000U /* pass to a tracer or disallow */
#define SECCOMP_RET_ALLOW	0x00400000U /* allow */

>
> /* Masks for the return value sections. */
> diff --git a/kernel/ptrace.c b/kernel/ptrace.c
> index 00ab2ca..8cf6da1 100644
> --- a/kernel/ptrace.c
> +++ b/kernel/ptrace.c
> @@ -551,6 +551,9 @@ static int ptrace_setoptions(struct task_struct *child, unsigned
long data)
> 	if (data & PTRACE_O_TRACEEXIT)
> 		child->ptrace |= PT_TRACE_EXIT;
>
> +	if (data & PTRACE_O_TRACESECCOMP)
> +		child->ptrace |= PT_TRACE_SECCOMP;
> +
> 	return (data & ~PTRACE_O_MASK) ? -EINVAL : 0;
> }
>
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index 140490a..ddacc68 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -17,13 +17,13 @@
> #include <linux/audit.h>
> #include <linux/compat.h>
> #include <linux/filter.h>
> +#include <linux/ptrace.h>
> #include <linux/sched.h>
> #include <linux/seccomp.h>
> #include <linux/security.h>
> #include <linux/slab.h>
> #include <linux/uaccess.h>
>
> -#include <linux/tracehook.h>
> #include <asm/syscall.h>
>
> /* #define SECCOMP_DEBUG 1 */
> @@ -389,14 +389,24 @@ int __secure_computing_int(int this_syscall)
> 						 -(action & SECCOMP_RET_DATA),
> 						 0);
> 			return -1;
> -		case SECCOMP_RET_TRAP: {
> -			int reason_code = action & SECCOMP_RET_DATA;
> +		case SECCOMP_RET_TRAP:
> 			/* Show the handler the original registers. */
> 			syscall_rollback(current, task_pt_regs(current));
> 			/* Let the filter pass back 16 bits of data. */
> -			seccomp_send_sigsys(this_syscall, reason_code);
> +			seccomp_send_sigsys(this_syscall,
> +					    action & SECCOMP_RET_DATA);
> 			return -1;
> -		}

These are unrelated changes and probably shouldn't be here. It just makes
it harder to review the code if you change it in a later patch for no
apparent reason.

> +		case SECCOMP_RET_TRACE:
> +			/* Skip these calls if there is no tracer. */
> +			if (!ptrace_event_enabled(current,
> +						  PTRACE_EVENT_SECCOMP))

One line please, it's 81 chars.

> +				return -1;
> +			/* Allow the BPF to provide the event message */
> +			ptrace_event(PTRACE_EVENT_SECCOMP,
> +				     action & SECCOMP_RET_DATA);

Why not move "int reason_code = action & SECCOMP_RET_DATA;" to the start
of the function out of the if checks, instead of duplicating the code?

> +			if (fatal_signal_pending(current))
> +				break;
> +			return 0;
> 		case SECCOMP_RET_ALLOW:
> 			return 0;
> 		case SECCOMP_RET_KILL:

Greetings,

Indan


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ