| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 5 Nov 2013 19:22:42 -0800 From: Andy Lutomirski <luto@...capital.net> To: Russell King - ARM Linux <linux@....linux.org.uk> Cc: Kees Cook <keescook@...omium.org>, Paul Moore <paul@...l-moore.com>, Richard Weinberger <richard@....at>, libseccomp-discuss@...ts.sourceforge.net, Will Drewry <wad@...omium.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org> Subject: Re: ARM audit, seccomp, etc are broken wrt OABI syscalls On Tue, Nov 5, 2013 at 4:40 PM, Russell King - ARM Linux <linux@....linux.org.uk> wrote: > On Tue, Nov 05, 2013 at 04:14:49PM -0800, Kees Cook wrote: >> I would agree: option 1 seems cleanest of the 3. 3 is sort of like a >> built-in automatic check for a mismatched arch, so maybe that works >> better? >> >> Alternatively, CONFIG_SECCOMP_FILTER could depend on >> !CONFIG_OABI_COMPAT. That seems like the least work, given the desire >> to kill OABI in the real world. (Though I would note that at least >> Ubuntu's ARM kernels build with CONFIG_OABI_COMPAT; Chrome OS does >> not.) > > OABI compat is really only something you want to deal with if you have > a reason to run OABI programs on the kernel; it is in no way guaranteed > that the OABI programs will run properly (many ALSA programs will not > because of different layouts with ioctls). > > OABI compat was meant to allow a transition from OABI to EABI. While > a lot of effort went in to the kernel side of that, which does allow > OABI based userspace to boot with an EABI kernel, and allows OABI built > test programs to run under an EABI kernel, actually being able to > migrate userland is far from trivial - and something that I've never > been able to do. Hence, virtually all my long-running ARM machines > here are stuck with OABI, and I don't see that situation ever changing. > > As a rule, distros should not be enabling OABI compat. OABI compat > is more something that a developer (like me) who has a reason to enable > it turns it on. So I guess that audit, ptrace, etc. work on OABI because the userspace tools expect the OABI syscall conventions and they work on EABI for the same reason, everything is subtly broken on OABI compat. Adding a new AUDIT_ARCH_ARMOABI is probably bad, then, unless it only applies to OABI compat kernels. Similarly, bumping the syscall numbers is probably also bad. (Arguably the audit arch should have been AUDIT_ARCH_ARMEABI from the beginning -- too late now.) Maybe the thing to do is to put a warning in the config text for CONFIG_OABI_COMPAT that describes the problems (malicious userspace can confuse syscall auditors, strace, etc.), change the "if in doubt" part to N, and disable seccomp filters if CONFIG_OABI_COMPAT. That might even get Debian to change their default. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists