lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 05 Feb 2021 10:02:20 +0100
From:   Thomas Gleixner <tglx@...utronix.de>
To:     Gabriel Krisman Bertazi <krisman@...labora.com>
Cc:     linux-kernel@...r.kernel.org,
        Gabriel Krisman Bertazi <krisman@...labora.com>,
        kernel@...labora.com, Linux API <linux-api@...r.kernel.org>,
        Michael Kerrisk <mtk.manpages@...il.com>
Subject: Re: [PATCH RESEND] entry: Use different define for selector variable in SUD

Gabriel,

On Thu, Feb 04 2021 at 13:40, Gabriel Krisman Bertazi wrote:
> Michael Kerrisk suggested that, from an API perspective, it is a bad
> idea to share the PR_SYS_DISPATCH_ defines between the prctl operation
> and the selector variable.  Therefore, define two new constants to be
> used by SUD's selector variable, and the corresponding documentation.
>
> While this changes the API, it is backward compatible, as the values
> remained the same and the old defines are still in place.  In addition,
> SUD has never been part of a Linux release, it will show up for the
> first time in 5.11.

> --- a/include/uapi/linux/prctl.h
> +++ b/include/uapi/linux/prctl.h
> @@ -251,5 +251,7 @@ struct prctl_mm_map {
>  #define PR_SET_SYSCALL_USER_DISPATCH	59
>  # define PR_SYS_DISPATCH_OFF		0
>  # define PR_SYS_DISPATCH_ON		1
> +# define PR_SYS_DISPATCH_FILTER_ALLOW	0
> +# define PR_SYS_DISPATCH_FILTER_BLOCK	1

This is still confusing because the defines are kinda associated to the
prctl(). But ALLOW/BLOCK are the values which for the user space
selector which allows to runtime filter the dispatching without the
overhead of prctl().

So they want to be visualy seperated and not part of the PR_
namespace. Something like the below.

#define PR_SET_SYSCALL_USER_DISPATCH	59
# define PR_SYS_DISPATCH_OFF		0
# define PR_SYS_DISPATCH_ON		1

/* Control values for the syscall dispatch runtime selector (filter) */
# define SYSCALL_DISPATCH_FILTER_ALLOW	0
# define SYSCALL_DISPATCH_FILTER_BLOCK	1

Hmm?

Thanks,

        tglx

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ