lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <8B2624AC-E739-4BBE-8725-010C2344F61C@kernel.org>
Date: Sat, 18 Jan 2025 18:24:58 -0800
From: Kees Cook <kees@...nel.org>
To: Eyal Birger <eyal.birger@...il.com>
CC: luto@...capital.net, wad@...omium.org, oleg@...hat.com, ldv@...ace.io,
 mhiramat@...nel.org, andrii@...nel.org, jolsa@...nel.org,
 alexei.starovoitov@...il.com, olsajiri@...il.com, cyphar@...har.com,
 songliubraving@...com, yhs@...com, john.fastabend@...il.com,
 peterz@...radead.org, tglx@...utronix.de, bp@...en8.de, daniel@...earbox.net,
 ast@...nel.org, andrii.nakryiko@...il.com, rostedt@...dmis.org, rafi@....io,
 shmulik.ladkani@...il.com, bpf@...r.kernel.org, linux-api@...r.kernel.org,
 linux-trace-kernel@...r.kernel.org, x86@...nel.org,
 linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH] seccomp: passthrough uretprobe systemcall without filtering



On January 18, 2025 12:45:47 PM PST, Eyal Birger <eyal.birger@...il.com> wrote:
>I think the difference is that this syscall is not part of the process's
>code - it is inserted there by another process tracing it.

Well that's nothing like syscall_restart, and now I'm convinced seccomp must never ignore uretprobe -- a process might want to block uretprobe!

So, no, sorry, this needs to be handled by the seccomp policy that is applied to the process.

>So this is different than desiring to deploy a new version of a binary
>that uses a new libc or a new syscall.

Uh, no, the case I used as an example was no changes to anything except the kernel. Libc noticed the available syscall, uses it, and is instantly killed by the Docker seccomp policy which didn't know about that syscall.

> Here the case is that there are
>three players - the tracer running out of docker, the tracee running in docker,
>and docker itself. All three were running fine in a specific kernel version,
>but upgrading the kernel now crashes the traced process.

If uretprobe used to work without a syscall, then that seems to be the problem. But I think easiest is just fixing the Docker policy. (Which is a text file configuration change; no new binaries, no rebuilds!).

>I think this syscall is different in that respect for the reasons described.

I don't agree, sorry. Seccomp has a really singular and specific purpose, which is explicitly *externalizing* policy. I do not want to have policy within seccomp itself.

>I don't know if seccomp is behaving correctly when it blocks a kernel
>implementation detail that isn't user created.

But it is user created? Something added a uretprobe to a process who's seccomp policy is not expecting it. This seems precisely by design.

-Kees

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ