lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Z7TKvdjvmtzfjza6@gourry-fedora-PF4VCD3F>
Date: Tue, 18 Feb 2025 13:00:29 -0500
From: Gregory Price <gourry@...rry.net>
To: Dmitry Vyukov <dvyukov@...gle.com>
Cc: krisman@...labora.com, tglx@...utronix.de, luto@...nel.org,
	peterz@...radead.org, keescook@...omium.org,
	gregory.price@...verge.com, Marco Elver <elver@...gle.com>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/3] syscall_user_dispatch: Allow allowed range
 wrap-around

On Tue, Feb 18, 2025 at 06:34:34PM +0100, Dmitry Vyukov wrote:
> On Tue, 18 Feb 2025 at 17:58, Gregory Price <gourry@...rry.net> wrote:
> > If the intent is to load and re-use a single foreign-OS library, this
> > change seems to be the question of "why not allow multiple ranges?",
> > and you'd be on your way to reimplementing seccomp or BPF.
> 
> The problem with seccomp BPF is that the filter is inherited across
> fork/exec which can't be used with SIGSYS and fine-grained custom
> user-space policy. USER_DISPATCH is much more flexible in this regard.
> 

It's also fundamentally not a security-sufficient interposition system.

> Re allocating resources outside of monitored bounds: this is exactly
> what syscall filtering is for, right :)

No.  SUD's purpose is to catch foreign-OS syscall execution.

You *can* do hacky stuff like interposing on libc, but it you can do
hacky things with bpf too.

> If we install a filter on a library/sandbox, we can control and
> prevent it from allocating any more executable pages outside of the
> range.
>
> The motivation is sandboxing of libraries loaded within a known fixed
> address range, while non-sandboxed code can live on both sides of the
> sandboxed range (say, non-pie binary at lower addresses, and libc at
> higher addresses).

My question is why you aren't doing the opposite.  Exempt the known good
ranges and hook everything else.  This actually makes it easier to
ensure the software you're hooking doesn't escape interposition.

You can use the SIGSYS register data (instruction pointer) to determine
whether to act on the syscall or pass it through.

Like I said, I don't necessarily disagree with the change, just a bit
concerned about the direction this takes SUD.  It's not a sufficient
interface to isolate the behavior of a single library, and this change
naturally begs the question "If we do this, why not implement an entire
multi-range filtering system? Why stop at one range?"

~Gregory

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ