| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAEivzxcEXqJUPKrHS2buKmMTqkvtdbO1ng+RHTNZKwRrTz0h3g@mail.gmail.com>
Date: Wed, 3 Dec 2025 16:25:03 +0100
From: Aleksandr Mikhalitsyn <aleksandr.mikhalitsyn@...onical.com>
To: Kees Cook <kees@...nel.org>
Cc: linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
Andy Lutomirski <luto@...capital.net>, Will Drewry <wad@...omium.org>, Jonathan Corbet <corbet@....net>,
Shuah Khan <shuah@...nel.org>, Tycho Andersen <tycho@...ho.pizza>, Andrei Vagin <avagin@...il.com>,
Christian Brauner <brauner@...nel.org>, Stéphane Graber <stgraber@...raber.org>
Subject: Re: [PATCH v1 2/6] seccomp: prepare seccomp_run_filters() to support
more than one listener
On Tue, Dec 2, 2025 at 9:26 PM Kees Cook <kees@...nel.org> wrote:
>
> On Mon, Dec 01, 2025 at 01:23:59PM +0100, Alexander Mikhalitsyn wrote:
> > Prepare seccomp_run_filters() function to support more than one listener
> > in the seccomp tree. In this patch, we only introduce a new
> > struct seccomp_filter_matches with kdoc and modify seccomp_run_filters()
> > signature correspondingly.
> >
> > No functional change intended.
> >
> > Cc: linux-doc@...r.kernel.org
> > Cc: linux-kernel@...r.kernel.org
> > Cc: Kees Cook <kees@...nel.org>
> > Cc: Andy Lutomirski <luto@...capital.net>
> > Cc: Will Drewry <wad@...omium.org>
> > Cc: Jonathan Corbet <corbet@....net>
> > Cc: Shuah Khan <shuah@...nel.org>
> > Cc: Tycho Andersen <tycho@...ho.pizza>
> > Cc: Andrei Vagin <avagin@...il.com>
> > Cc: Christian Brauner <brauner@...nel.org>
> > Cc: Stéphane Graber <stgraber@...raber.org>
> > Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@...onical.com>
> > ---
> > kernel/seccomp.c | 35 +++++++++++++++++++++++++++++++----
> > 1 file changed, 31 insertions(+), 4 deletions(-)
> >
> > diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> > index f944ea5a2716..c9a1062a53bd 100644
> > --- a/kernel/seccomp.c
> > +++ b/kernel/seccomp.c
> > @@ -237,6 +237,9 @@ struct seccomp_filter {
> > /* Limit any path through the tree to 256KB worth of instructions. */
> > #define MAX_INSNS_PER_PATH ((1 << 18) / sizeof(struct sock_filter))
> >
> > +/* Limit number of listeners through the tree. */
> > +#define MAX_LISTENERS_PER_PATH 8
> > +
> > /*
> > * Endianness is explicitly ignored and left for BPF program authors to manage
> > * as per the specific architecture.
> > @@ -391,18 +394,38 @@ static inline bool seccomp_cache_check_allow(const struct seccomp_filter *sfilte
> > }
> > #endif /* SECCOMP_ARCH_NATIVE */
> >
> > +/**
> > + * struct seccomp_filter_matches - container for seccomp filter match results
> > + *
> > + * @n: A number of filters matched.
> > + * @filters: An array of (struct seccomp_filter) pointers.
> > + * Holds pointers to filters that matched during evaluation.
> > + * A first one in the array is the one with the least permissive
> > + * action result.
> > + *
> > + * If final action result is less (or more) permissive than SECCOMP_RET_USER_NOTIF,
> > + * only the most restrictive filter is stored in the array's first element.
> > + * If final action result is SECCOMP_RET_USER_NOTIF, we need to track
> > + * all filters that resulted in the same action to support multiple listeners
> > + * in seccomp tree.
> > + */
> > +struct seccomp_filter_matches {
> > + unsigned char n;
> > + struct seccomp_filter *filters[MAX_LISTENERS_PER_PATH];
> > +};
> > +
> > #define ACTION_ONLY(ret) ((s32)((ret) & (SECCOMP_RET_ACTION_FULL)))
> > /**
> > * seccomp_run_filters - evaluates all seccomp filters against @sd
> > * @sd: optional seccomp data to be passed to filters
> > - * @match: stores struct seccomp_filter that resulted in the return value,
> > + * @matches: array of struct seccomp_filter pointers that resulted in the return value,
> > * unless filter returned SECCOMP_RET_ALLOW, in which case it will
> > * be unchanged.
> > *
> > * Returns valid seccomp BPF response codes.
> > */
> > static u32 seccomp_run_filters(const struct seccomp_data *sd,
> > - struct seccomp_filter **match)
> > + struct seccomp_filter_matches *matches)
> > {
> > u32 ret = SECCOMP_RET_ALLOW;
> > /* Make sure cross-thread synced filter points somewhere sane. */
> > @@ -425,7 +448,8 @@ static u32 seccomp_run_filters(const struct seccomp_data *sd,
> >
> > if (ACTION_ONLY(cur_ret) < ACTION_ONLY(ret)) {
> > ret = cur_ret;
> > - *match = f;
> > + matches->n = 1;
> > + matches->filters[0] = f;
> > }
> > }
> > return ret;
> > @@ -1252,6 +1276,7 @@ static int __seccomp_filter(int this_syscall, const bool recheck_after_trace)
> > {
> > u32 filter_ret, action;
> > struct seccomp_data sd;
> > + struct seccomp_filter_matches matches = {};
>
Hi Kees,
Thanks for looking into this stuff! ;)
> I was surprised to see this didn't induce a stack protector check (due
> to the array use). It does, however, expand the work done to clear local
> variables (i.e. this adds 9 unsigned long zeroings to the default case).
Actually, by saying this you've inspired me to look at this stuff with
a fresh mind again
and I have a feeling that I can probably make it work with just one additional
struct seccomp_filter pointer on the stack, instead of adding extra 8
pointers... :)
Let me make another iteration on this and send a -v3 then.
>I was surprised to see this didn't induce a stack protector check (due
> to the array use).
Also, sorry if my question is stupid, but what do you mean by stack
protector check in
this case? Just a check for an array index before writing to it? Or
something more generic?
>
> Regardless, I'll read this thread more closely in time for the LPC
> session; I'm not exactly opposed to allowing multiple listeners, but I
> do want to meditate on the safety logic (which I see you've spent time
> thinking about too).
Thanks, Kees!
>
> Thanks!
Kind regards,
Alex
>
> -Kees
>
> --
> Kees Cook
Powered by blists - more mailing lists