From: Ben Hutchings <bhutchings@solarflare.com>
To: Indan Zupancic <indan@nul.nu>
Cc: Will Drewry <wad@chromium.org>,
linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org,
linux-doc@vger.kernel.org, kernel-hardening@lists.openwall.com,
netdev@vger.kernel.org, x86@kernel.org, arnd@arndb.de,
davem@davemloft.net, hpa@zytor.com, mingo@redhat.com,
oleg@redhat.com, peterz@infradead.org, rdunlap@xenotime.net,
mcgrathr@chromium.org, tglx@linutronix.de, luto@mit.edu,
eparis@redhat.com, serge.hallyn@canonical.com, djm@mindrot.org,
scarybeasts@gmail.com, pmoore@redhat.com,
akpm@linux-foundation.org, corbet@lwn.net,
eric.dumazet@gmail.com, markus@chromium.org,
keescook@chromium.org
Subject: [kernel-hardening] Re: [PATCH v10 05/11] seccomp: add system call filtering using BPF
Date: Wed, 22 Feb 2012 14:23:46 +0000 [thread overview]
Message-ID: <1329920626.3258.174.camel@deadeye> (raw)
In-Reply-To: <38d58caa17befe422065efe5dc451a34.squirrel@webmail.greenhost.nl>
On Wed, 2012-02-22 at 09:19 +0100, Indan Zupancic wrote:
[...]
> Alternative approach: Tell the arch at filter install time and only run the
> filters with the same arch as the current system call. If no filters are run,
> deny the systemcall.
>
> Advantages:
>
> - Filters don't have to check the arch every syscall entry.
>
> - Secure by default. Filters don't have to do anything arch specific to
> be secure, no surprises possible.
>
> - If a new arch comes into existence, there is no chance of old filters
> becoming buggy and insecure. This is especially true for archs that
> had only one mode, but added another one later on: Old filters had no
> need to check the mode at all.
[...]
What about when there are multiple layers of restrictions? So long as
any one layer covers the new architecture, there is no default-deny even
though the other layers might not cover it.
I would have thought the way to make sure the architecture is always
checked is to pack it together with the syscall number.
Ben.
--
Ben Hutchings, Staff Engineer, Solarflare
Not speaking for my employer; that's the marketing department's job.
They asked us to note that Solarflare product names are trademarked.
WARNING: multiple messages have this Message-ID (diff)
From: Ben Hutchings <bhutchings@solarflare.com>
To: Indan Zupancic <indan@nul.nu>
Cc: Will Drewry <wad@chromium.org>,
linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org,
linux-doc@vger.kernel.org, kernel-hardening@lists.openwall.com,
netdev@vger.kernel.org, x86@kernel.org, arnd@arndb.de,
davem@davemloft.net, hpa@zytor.com, mingo@redhat.com,
oleg@redhat.com, peterz@infradead.org, rdunlap@xenotime.net,
mcgrathr@chromium.org, tglx@linutronix.de, luto@mit.edu,
eparis@redhat.com, serge.hallyn@canonical.com, djm@mindrot.org,
scarybeasts@gmail.com, pmoore@redhat.com,
akpm@linux-foundation.org, corbet@lwn.net,
eric.dumazet@gmail.com, markus@chromium.org,
keescook@chromium.org
Subject: Re: [PATCH v10 05/11] seccomp: add system call filtering using BPF
Date: Wed, 22 Feb 2012 14:23:46 +0000 [thread overview]
Message-ID: <1329920626.3258.174.camel@deadeye> (raw)
In-Reply-To: <38d58caa17befe422065efe5dc451a34.squirrel@webmail.greenhost.nl>
On Wed, 2012-02-22 at 09:19 +0100, Indan Zupancic wrote:
[...]
> Alternative approach: Tell the arch at filter install time and only run the
> filters with the same arch as the current system call. If no filters are run,
> deny the systemcall.
>
> Advantages:
>
> - Filters don't have to check the arch every syscall entry.
>
> - Secure by default. Filters don't have to do anything arch specific to
> be secure, no surprises possible.
>
> - If a new arch comes into existence, there is no chance of old filters
> becoming buggy and insecure. This is especially true for archs that
> had only one mode, but added another one later on: Old filters had no
> need to check the mode at all.
[...]
What about when there are multiple layers of restrictions? So long as
any one layer covers the new architecture, there is no default-deny even
though the other layers might not cover it.
I would have thought the way to make sure the architecture is always
checked is to pack it together with the syscall number.
Ben.
--
Ben Hutchings, Staff Engineer, Solarflare
Not speaking for my employer; that's the marketing department's job.
They asked us to note that Solarflare product names are trademarked.
WARNING: multiple messages have this Message-ID (diff)
From: Ben Hutchings <bhutchings@solarflare.com>
To: Indan Zupancic <indan@nul.nu>
Cc: Will Drewry <wad@chromium.org>, <linux-kernel@vger.kernel.org>,
<linux-arch@vger.kernel.org>, <linux-doc@vger.kernel.org>,
<kernel-hardening@lists.openwall.com>, <netdev@vger.kernel.org>,
<x86@kernel.org>, <arnd@arndb.de>, <davem@davemloft.net>,
<hpa@zytor.com>, <mingo@redhat.com>, <oleg@redhat.com>,
<peterz@infradead.org>, <rdunlap@xenotime.net>,
<mcgrathr@chromium.org>, <tglx@linutronix.de>, <luto@mit.edu>,
<eparis@redhat.com>, <serge.hallyn@canonical.com>,
<djm@mindrot.org>, <scarybeasts@gmail.com>, <pmoore@redhat.com>,
<akpm@linux-foundation.org>, <corbet@lwn.net>,
<eric.dumazet@gmail.com>, <markus@chromium.org>,
<keescook@chromium.org>
Subject: Re: [PATCH v10 05/11] seccomp: add system call filtering using BPF
Date: Wed, 22 Feb 2012 14:23:46 +0000 [thread overview]
Message-ID: <1329920626.3258.174.camel@deadeye> (raw)
In-Reply-To: <38d58caa17befe422065efe5dc451a34.squirrel@webmail.greenhost.nl>
On Wed, 2012-02-22 at 09:19 +0100, Indan Zupancic wrote:
[...]
> Alternative approach: Tell the arch at filter install time and only run the
> filters with the same arch as the current system call. If no filters are run,
> deny the systemcall.
>
> Advantages:
>
> - Filters don't have to check the arch every syscall entry.
>
> - Secure by default. Filters don't have to do anything arch specific to
> be secure, no surprises possible.
>
> - If a new arch comes into existence, there is no chance of old filters
> becoming buggy and insecure. This is especially true for archs that
> had only one mode, but added another one later on: Old filters had no
> need to check the mode at all.
[...]
What about when there are multiple layers of restrictions? So long as
any one layer covers the new architecture, there is no default-deny even
though the other layers might not cover it.
I would have thought the way to make sure the architecture is always
checked is to pack it together with the syscall number.
Ben.
--
Ben Hutchings, Staff Engineer, Solarflare
Not speaking for my employer; that's the marketing department's job.
They asked us to note that Solarflare product names are trademarked.
next prev parent reply other threads:[~2012-02-22 14:23 UTC|newest]
Thread overview: 112+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-21 17:30 [kernel-hardening] [PATCH v10 01/11] sk_run_filter: add support for custom load_pointer Will Drewry
2012-02-21 17:30 ` Will Drewry
2012-02-21 17:30 ` [kernel-hardening] [PATCH v10 02/11] seccomp: kill the seccomp_t typedef Will Drewry
2012-02-21 17:30 ` Will Drewry
2012-02-21 17:30 ` [kernel-hardening] [PATCH v10 03/11] asm/syscall.h: add syscall_get_arch Will Drewry
2012-02-21 17:30 ` Will Drewry
2012-02-21 18:46 ` [kernel-hardening] " Roland McGrath
2012-02-21 18:46 ` Roland McGrath
2012-02-21 18:57 ` [kernel-hardening] " Will Drewry
2012-02-21 18:57 ` Will Drewry
2012-02-21 19:01 ` [kernel-hardening] [PATCH v11 " Will Drewry
2012-02-21 19:01 ` Will Drewry
2012-02-21 17:30 ` [kernel-hardening] [PATCH v10 04/11] arch/x86: add syscall_get_arch to syscall.h Will Drewry
2012-02-21 17:30 ` Will Drewry
2012-02-21 17:30 ` [kernel-hardening] [PATCH v10 05/11] seccomp: add system call filtering using BPF Will Drewry
2012-02-21 17:30 ` Will Drewry
2012-02-22 6:32 ` [kernel-hardening] " H. Peter Anvin
2012-02-22 6:32 ` H. Peter Anvin
2012-02-22 19:48 ` [kernel-hardening] " Will Drewry
2012-02-22 19:48 ` Will Drewry
2012-02-22 8:19 ` [kernel-hardening] " Indan Zupancic
2012-02-22 8:19 ` Indan Zupancic
2012-02-22 8:19 ` Indan Zupancic
2012-02-22 8:19 ` Indan Zupancic
2012-02-22 14:23 ` Ben Hutchings [this message]
2012-02-22 14:23 ` Ben Hutchings
2012-02-22 14:23 ` Ben Hutchings
2012-02-22 19:47 ` [kernel-hardening] " Will Drewry
2012-02-22 19:47 ` Will Drewry
2012-02-22 23:46 ` [kernel-hardening] " Indan Zupancic
2012-02-22 23:46 ` Indan Zupancic
2012-02-22 23:51 ` [kernel-hardening] " Andrew Lutomirski
2012-02-22 23:51 ` Andrew Lutomirski
2012-02-23 0:08 ` [kernel-hardening] " Indan Zupancic
2012-02-23 0:08 ` Indan Zupancic
2012-02-23 1:07 ` [kernel-hardening] " H. Peter Anvin
2012-02-23 1:07 ` H. Peter Anvin
2012-02-22 23:03 ` [kernel-hardening] " Indan Zupancic
2012-02-22 23:03 ` Indan Zupancic
2012-02-22 19:47 ` [kernel-hardening] " Will Drewry
2012-02-22 19:47 ` Will Drewry
2012-02-22 19:53 ` [kernel-hardening] " H. Peter Anvin
2012-02-22 19:53 ` H. Peter Anvin
2012-02-22 20:01 ` [kernel-hardening] " Will Drewry
2012-02-22 20:01 ` Will Drewry
2012-02-23 0:25 ` [kernel-hardening] " Indan Zupancic
2012-02-23 0:25 ` Indan Zupancic
2012-02-21 17:30 ` [kernel-hardening] [PATCH v10 06/11] seccomp: add SECCOMP_RET_ERRNO Will Drewry
2012-02-21 17:30 ` Will Drewry
2012-02-21 22:41 ` [kernel-hardening] " Kees Cook
2012-02-21 22:41 ` Kees Cook
2012-02-21 22:48 ` [kernel-hardening] " Will Drewry
2012-02-21 22:48 ` Will Drewry
2012-02-21 17:30 ` [kernel-hardening] [PATCH v10 07/11] signal, x86: add SIGSYS info and make it synchronous Will Drewry
2012-02-21 17:30 ` Will Drewry
2012-02-22 8:34 ` [kernel-hardening] " Indan Zupancic
2012-02-22 8:34 ` Indan Zupancic
2012-02-22 8:34 ` Indan Zupancic
2012-02-22 8:34 ` Indan Zupancic
2012-02-22 19:48 ` [kernel-hardening] " Will Drewry
2012-02-22 19:48 ` Will Drewry
2012-02-22 23:38 ` [kernel-hardening] " Andrew Lutomirski
2012-02-22 23:38 ` Andrew Lutomirski
2012-02-22 23:53 ` [kernel-hardening] " Kees Cook
2012-02-22 23:53 ` Kees Cook
2012-02-23 0:05 ` [kernel-hardening] " Will Drewry
2012-02-23 0:05 ` Will Drewry
2012-02-23 0:08 ` [kernel-hardening] " Kees Cook
2012-02-23 0:08 ` Kees Cook
2012-02-23 0:29 ` [kernel-hardening] " H. Peter Anvin
2012-02-23 0:29 ` H. Peter Anvin
2012-02-23 0:50 ` [kernel-hardening] " Roland McGrath
2012-02-23 0:50 ` Roland McGrath
2012-02-23 1:06 ` [kernel-hardening] " H. Peter Anvin
2012-02-23 1:06 ` H. Peter Anvin
2012-02-23 17:38 ` [kernel-hardening] " Roland McGrath
2012-02-23 17:38 ` Roland McGrath
2012-02-23 19:26 ` [kernel-hardening] " Will Drewry
2012-02-23 19:26 ` Will Drewry
2012-02-23 22:15 ` [kernel-hardening] " Indan Zupancic
2012-02-23 22:15 ` Indan Zupancic
2012-02-23 22:33 ` [kernel-hardening] " Markus Gutschke
2012-02-23 22:33 ` Markus Gutschke
2012-02-23 22:36 ` [kernel-hardening] " Will Drewry
2012-02-23 22:36 ` Will Drewry
2012-02-27 12:32 ` [kernel-hardening] " Indan Zupancic
2012-02-27 12:32 ` Indan Zupancic
2012-02-27 16:21 ` [kernel-hardening] " Will Drewry
2012-02-27 16:21 ` Will Drewry
2012-02-23 22:34 ` [kernel-hardening] " Will Drewry
2012-02-23 16:44 ` Will Drewry
2012-02-23 16:44 ` Will Drewry
2012-02-23 0:11 ` [kernel-hardening] " Roland McGrath
2012-02-23 0:11 ` Roland McGrath
2012-02-21 17:30 ` [kernel-hardening] [PATCH v10 08/11] seccomp: Add SECCOMP_RET_TRAP Will Drewry
2012-02-21 17:30 ` Will Drewry
2012-02-21 17:30 ` [kernel-hardening] [PATCH v10 09/11] ptrace,seccomp: Add PTRACE_SECCOMP support Will Drewry
2012-02-21 17:30 ` Will Drewry
2012-02-22 12:22 ` [kernel-hardening] " Indan Zupancic
2012-02-22 12:22 ` Indan Zupancic
2012-02-22 12:22 ` Indan Zupancic
2012-02-22 12:22 ` Indan Zupancic
2012-02-22 19:47 ` [kernel-hardening] " Will Drewry
2012-02-22 19:47 ` Will Drewry
2012-02-21 17:30 ` [kernel-hardening] [PATCH v10 10/11] x86: Enable HAVE_ARCH_SECCOMP_FILTER Will Drewry
2012-02-21 17:30 ` Will Drewry
2012-02-21 17:30 ` [kernel-hardening] [PATCH v10 11/11] Documentation: prctl/seccomp_filter Will Drewry
2012-02-21 17:30 ` Will Drewry
2012-02-21 23:12 ` [kernel-hardening] " Kees Cook
2012-02-21 23:12 ` Kees Cook
2012-02-22 3:41 ` [kernel-hardening] " Will Drewry
2012-02-22 3:41 ` Will Drewry
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1329920626.3258.174.camel@deadeye \
--to=bhutchings@solarflare.com \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=corbet@lwn.net \
--cc=davem@davemloft.net \
--cc=djm@mindrot.org \
--cc=eparis@redhat.com \
--cc=eric.dumazet@gmail.com \
--cc=hpa@zytor.com \
--cc=indan@nul.nu \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@mit.edu \
--cc=markus@chromium.org \
--cc=mcgrathr@chromium.org \
--cc=mingo@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=peterz@infradead.org \
--cc=pmoore@redhat.com \
--cc=rdunlap@xenotime.net \
--cc=scarybeasts@gmail.com \
--cc=serge.hallyn@canonical.com \
--cc=tglx@linutronix.de \
--cc=wad@chromium.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.