Message-ID: <CACaBj2b1nQMeyQmKNFDB0Z=xkoZmHnFc91ssBX-9UKYwY8r3Gw@mail.gmail.com>
Date:   Fri, 19 Mar 2021 11:06:13 +0100
From:   Rodrigo Campos <rodrigo@...volk.io>
To:     Sargun Dhillon <sargun@...gun.me>
Cc:     Christian Brauner <christian.brauner@...ntu.com>,
        Giuseppe Scrivano <gscrivan@...hat.com>,
        Kees Cook <keescook@...omium.org>,
        Keerti Lakshminarayan <keerti@...flix.com>,
        Linux Containers List <containers@...ts.linux-foundation.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Hariharan Ananthakrishnan <hari@...flix.com>,
        Kyle Anderson <kylea@...flix.com>,
        Andy Lutomirski <luto@...capital.net>
Subject: Re: seccomp: Delay filter activation

On Thu, Mar 18, 2021 at 9:39 PM Sargun Dhillon <sargun@...gun.me> wrote:
> I believe that the OCI spec[2] is going to run into this class of problem unless
> we introduce an out of band signaling mechanism. I think a valid way to handle
> this is to do a send() of the fd number (literal), and wait for the other side to
> pidfd_getfd the seccomp filter, and wait for the socket to be closed to continue,
> but I think we should maybe create an example (I volunteer) showing how to do this.

Well, we created a runc implementation for that OCI spec change and we
hit exactly that[1].

runc has a pipe mechanism to communicate already, so we use that. What
we do is: do the seccomp syscall, send the plain fd number over the
pipe and the parent gets the fd with pidfd_getfd()[2]. We use the pipe
to sync, so no issues with that part.

But, of course, if the seccomp filter blocks the syscall to send over
the pipe, this fails.

Christian, can you please elaborate on how you solve this on lxd? I'm
curious to understand if we can use the same in runc or not.


[1]: https://github.com/opencontainers/runc/pull/2682
[2]: https://github.com/opencontainers/runc/pull/2682/files#diff-f0214a0f16408fc7f168c6fc9837d189590025cc1813ebf7c1d751136936dfbfR172
-- 
Rodrigo Campos
---
Kinvolk GmbH | Adalbertstr.6a, 10999 Berlin | tel: +491755589364
Geschäftsführer/Directors: Alban Crequy, Chris Kühl, Iago López Galeiras
Registergericht/Court of registration: Amtsgericht Charlottenburg
Registernummer/Registration number: HRB 171414 B
Ust-ID-Nummer/VAT ID number: DE302207000
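The handoff Rodrigo describes (seccomp(2) with SECCOMP_FILTER_FLAG_NEW_LISTENER in the child, the plain fd number written over a pipe, pidfd_getfd() in the parent), as an added C example that is not runc's code and not part of this thread. It assumes a Linux 5.6+ kernel and a Yama policy that lets a parent pidfd_getfd() its own child; the allow-all filter, the second "sync" pipe standing in for runc's own pipe, and the HANDOFF_* result codes are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef __NR_pidfd_getfd   /* headers older than 5.6; these values are arch-independent */
#define __NR_pidfd_open 434
#define __NR_pidfd_getfd 438
#define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
#endif
enum handoff { HANDOFF_OK = 0, HANDOFF_UNSUPPORTED = 1, HANDOFF_FAILED = 2 };
static int unsupported(void) {   /* kernel/sandbox/Yama refused a feature: not a protocol failure */
    return errno == ENOSYS || errno == EINVAL || errno == EPERM || errno == EACCES;
}
/* Child: install the filter, write the listener's plain fd number to the pipe, then block
 * until the parent closes the sync pipe (the fd must stay open here until pidfd_getfd() ran). */
static int child_side(int to_parent, int from_parent) {
    /* Allow-all filter (constructed). A rule denying write() would break this very handoff. */
    struct sock_filter allow_all[] = { BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW) };
    struct sock_fprog prog = { .len = 1, .filter = allow_all };
    char sync;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return HANDOFF_FAILED;
    int listener = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER,
                           SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);   /* returns the listener fd */
    if (listener < 0) return unsupported() ? HANDOFF_UNSUPPORTED : HANDOFF_FAILED;
    if (write(to_parent, &listener, sizeof listener) != sizeof listener) return HANDOFF_FAILED;
    (void)!read(from_parent, &sync, 1);   /* returns 0 once the parent closes its end */
    return HANDOFF_OK;
}
/* Parent: read the number, then pull that fd out of the child with pidfd_getfd(). */
int seccomp_fd_handoff(void) {
    int up[2], down[2], remote, status, rc = HANDOFF_FAILED;
    if (pipe(up) != 0 || pipe(down) != 0) return HANDOFF_FAILED;
    pid_t pid = fork(); if (pid < 0) return HANDOFF_FAILED;
    if (pid == 0) { close(up[0]); close(down[1]); _exit(child_side(up[1], down[0])); }
    close(up[1]); close(down[0]);
    if (read(up[0], &remote, sizeof remote) == sizeof remote) {
        int pidfd = syscall(__NR_pidfd_open, pid, 0);
        int local = pidfd < 0 ? -1 : (int)syscall(__NR_pidfd_getfd, pidfd, remote, 0);
        rc = local >= 0 ? HANDOFF_OK : unsupported() ? HANDOFF_UNSUPPORTED : HANDOFF_FAILED;
        if (local >= 0) close(local); if (pidfd >= 0) close(pidfd);
    }
    close(down[1]); close(up[0]);   /* closing down[1] releases the child */
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return HANDOFF_FAILED;
    return rc == HANDOFF_FAILED && WEXITSTATUS(status) == HANDOFF_UNSUPPORTED ? HANDOFF_UNSUPPORTED : rc;
}
```

HANDOFF_UNSUPPORTED means the kernel or sandbox refused seccomp notify or pidfd; HANDOFF_FAILED means the protocol itself broke, which is what happens once a filter denies the syscall used to send the number.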
