| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 2 Oct 2015 14:29:44 -0700 From: Andy Lutomirski <luto@...capital.net> To: Kees Cook <keescook@...omium.org> Cc: Tycho Andersen <tycho.andersen@...onical.com>, Alexei Starovoitov <ast@...nel.org>, Will Drewry <wad@...omium.org>, Oleg Nesterov <oleg@...hat.com>, Pavel Emelyanov <xemul@...allels.com>, "Serge E. Hallyn" <serge.hallyn@...ntu.com>, Daniel Borkmann <daniel@...earbox.net>, LKML <linux-kernel@...r.kernel.org>, Network Development <netdev@...r.kernel.org>, Linux API <linux-api@...r.kernel.org> Subject: Re: v5 of seccomp filter c/r patches On Fri, Oct 2, 2015 at 2:10 PM, Kees Cook <keescook@...omium.org> wrote: > On Fri, Oct 2, 2015 at 9:27 AM, Tycho Andersen > <tycho.andersen@...onical.com> wrote: >> Hi all, >> >> Here's v5 of the seccomp filter c/r set. The individual patch notes have >> changes, but two highlights are: >> >> * This series is now based on http://patchwork.ozlabs.org/patch/525492/ and >> will need to be built with that patch applied. This gets rid of two incorrect >> patches in the previous series and is a nicer API. >> >> * I couldn't figure out a nice way to have SECCOMP_GET_FILTER_FD return the >> same struct file across calls, so we still need a kcmp command. I've narrowed >> the scope of the one being added to only compare seccomp fds. >> >> Thoughts welcome, > > Hi, sorry I've been slow/busy. I'm finally reading through these threads. > > Happy bit: > - avoiding eBPF and just saving the original filters makes things much easier. > > Sad bit: > - inventing a new interface for seccompfds feels like massive overkill to me. > > While Andy has big dreams, we're not presently doing seccompfd > monitoring, etc. There's no driving user for that kind of interface, > and accepting the maintenance burden of it only for CRIU seems unwise. > > So, I'll go back to what I originally proposed at LSS (which it looks > like we're half way there now): > > - save the original filter (done!) > - extract filters through a single special-purpose interface (looks > like ptrace is the way to go: root-only, stopped process, etc) > - compare filter content and issue TSYNCs to merge detected sibling > threads, since merging things that weren't merged before creates no > problems. > > This means the parenting logic is heuristic, but it's entirely in > userspace, so the complexity burden doesn't live in seccomp which we, > by design, want to keep as simple as possible. This is okay with me with a future-proofing caveat: I think that whatever reads out the filter should be clearly documented as returning some special error code that indicates that that filter it tried to read wasn't in the expected form. That would happen for native eBPF filters, and it would also happen for seccomp monitors even if those monitors use classic BPF. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists