| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202310031055.3F19F87@keescook>
Date: Tue, 3 Oct 2023 11:01:52 -0700
From: Kees Cook <keescook@...omium.org>
To: Hengqi Chen <hengqi.chen@...il.com>
Cc: linux-kernel@...r.kernel.org, bpf@...r.kernel.org,
luto@...capital.net, wad@...omium.org, alexyonghe@...cent.com
Subject: Re: [RFC PATCH 0/2] seccomp: Split set filter into two steps
On Tue, Oct 03, 2023 at 08:38:34AM +0000, Hengqi Chen wrote:
> This patchset introduces two new operations which essentially
> splits the SECCOMP_SET_MODE_FILTER process into two steps:
> SECCOMP_LOAD_FILTER and SECCOMP_ATTACH_FILTER.
>
> The SECCOMP_LOAD_FILTER loads the filter and returns a fd
> which can be pinned to bpffs. This extends the lifetime of the
> filter and thus can be reused by different processes.
> With this new operation, we can eliminate a hot path of JITing
> BPF program (the filter) where we apply the same seccomp filter
> to thousands of micro VMs on a bare metal instance.
>
> The SECCOMP_ATTACH_FILTER is used to attach a loaded filter.
> The filter is represented by a fd which is either returned
> from SECCOMP_LOAD_FILTER or obtained from bpffs using bpf syscall.
Interesting! I like this idea, thanks for writing it up.
Two design notes:
- Can you reuse/refactor seccomp_prepare_filter() instead of duplicating
the logic into two new functions?
- Is there a way to make sure the BPF program coming from the fd is one
that was built via SECCOMP_LOAD_FILTER? (I want to make sure we can
never confuse a non-seccomp program into getting loaded into seccomp.)
-Kees
--
Kees Cook
Powered by blists - more mailing lists