[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4F506EE2.1050705@zytor.com>
Date: Thu, 01 Mar 2012 22:55:30 -0800
From: "H. Peter Anvin" <hpa@...or.com>
To: Indan Zupancic <indan@....nu>
CC: Will Drewry <wad@...omium.org>, linux-kernel@...r.kernel.org,
linux-arch@...r.kernel.org, linux-doc@...r.kernel.org,
kernel-hardening@...ts.openwall.com, netdev@...r.kernel.org,
x86@...nel.org, arnd@...db.de, davem@...emloft.net,
mingo@...hat.com, oleg@...hat.com, peterz@...radead.org,
rdunlap@...otime.net, mcgrathr@...omium.org, tglx@...utronix.de,
luto@....edu, eparis@...hat.com, serge.hallyn@...onical.com,
djm@...drot.org, scarybeasts@...il.com, pmoore@...hat.com,
akpm@...ux-foundation.org, corbet@....net, eric.dumazet@...il.com,
markus@...omium.org, coreyb@...ux.vnet.ibm.com,
keescook@...omium.org
Subject: Re: [PATCH v12 06/13] seccomp: add system call filtering using BPF
On 03/01/2012 10:43 PM, Indan Zupancic wrote:
> On Fri, March 2, 2012 06:52, H. Peter Anvin wrote:
>> On 03/01/2012 09:45 PM, Indan Zupancic wrote:
>>>
>>>> + * @nr: the system call number
>>>> + * @arch: indicates system call convention as an AUDIT_ARCH_* value
>>>> + * as defined in <linux/audit.h>.
>>>> + * @instruction_pointer: at the time of the system call.
>>>
>>> If the vDSO is used this will always be the same, so what good is this?
>>> I haven't gotten an answer to this yet.
>>>
>>
>> And if it isn't, or you're on an architecture which doesn't use the vdso
>> as the launching point, it's not.
>
> True, but then what?
>
Ok, fail on my part - I misread the above to refer to @arch, not
@instruction_pointer.
>> -- Pin is a great example.
> Is that http://www.pintool.org/?
>
> Can you explain how knowing the IP is useful for Pin?
>
> All I am asking for is just one use case for providing the IP. Is that
> asking for too much?
However, it still applies. For something like Pin, Pin may want to trap
on all or a subset from the instrumented program, while the
instrumentation code -- which lives in the same address space -- needs
to execute those same instructions.
Yes, it's useless for *security* (unless perhaps if you keep very strict
tabs on the flow of control by using debug registers, dynamic
translation or whatnot), but it can be highly useful for
*instrumentation*, where you want to analyze the behavior of a
non-malicious program.
-hpa
--
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel. I don't speak on their behalf.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists