From: Ingo Molnar <mingo@elte.hu>
To: Andrea Arcangeli <andrea@cpushare.com>
Cc: Andrew Morton <akpm@osdl.org>, linux-kernel@vger.kernel.org
Subject: Re: seccomp for 2.6.11-rc1-bk8
Date: Fri, 21 Jan 2005 13:47:01 +0100
Message-ID: <20050121124701.GA5179@elte.hu>
In-Reply-To: <20050121120325.GA2934@elte.hu>
* Ingo Molnar <mingo@elte.hu> wrote:
> > This is the seccomp patch ported to 2.6.11-rc1-bk8, that I need for
> > Cpushare (until trusted computing hits the hardware market).
> > [...]
>
> Why do you need any kernel code for this? This seems to be a limited
> ptrace implementation: restricting untrusted userspace code to only be
> able to exec read/write/sigreturn.
>
> So this patch, unless I'm missing something, duplicates in essence what
> ptrace can do [...]
there's one thing ptrace won't do: if the ptrace parent dies unexpectedly
and the child was 'running' (there is a small window where the child
might not be stopped and where this may happen) then the child can run
away. While I think this is theoretical (UML doesn't suffer from this
problem), it is simple to fix - find below a proof-of-concept patch that
introduces PTRACE_ATTACH_JAIL - ptraced children can never escape out of
such a jail. (barely tested - but you get the idea.)
Ingo
Signed-off-by: Ingo Molnar <mingo@elte.hu>
--- kernel/ptrace.c.orig
+++ kernel/ptrace.c
@@ -49,10 +49,20 @@ void ptrace_untrace(task_t *child)
{
spin_lock(&child->sighand->siglock);
if (child->state == TASK_TRACED) {
- if (child->signal->flags & SIGNAL_STOP_STOPPED) {
+ /*
+ * Child must be killed if parent dies unexpectedly:
+ */
+ if (child->signal->flags & SIGNAL_PTRACE_ONLY) {
child->state = TASK_STOPPED;
- } else {
+ spin_unlock(&child->sighand->siglock);
+ force_sig_specific(SIGKILL, child);
signal_wake_up(child, 1);
+ } else {
+ if (child->signal->flags & SIGNAL_STOP_STOPPED) {
+ child->state = TASK_STOPPED;
+ } else {
+ signal_wake_up(child, 1);
+ }
}
}
spin_unlock(&child->sighand->siglock);
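Review bot: the new SIGNAL_PTRACE_ONLY branch drops child->sighand->siglock before force_sig_specific(SIGKILL, child) (needed, since force_sig_specific() takes that lock itself), but control then falls through to the unconditional spin_unlock(&child->sighand->siglock) at the end of the function, so the lock is unlocked twice on that path; either return right after signal_wake_up(child, 1) or move the final unlock into the non-jail branch. Also worth checking: the kill sits inside `if (child->state == TASK_TRACED)`, so a jailed child that is not in a ptrace stop at the moment its tracer goes away, the exact window the mail is about, is not killed by this path; and if ptrace_untrace() is reached from ptrace_detach() as well as from the parent-exit path, a deliberate PTRACE_DETACH also kills a jailed child, which the comment ("if parent dies unexpectedly") does not say.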
@@ -117,7 +127,7 @@ int ptrace_check_attach(struct task_stru
return ret;
}
-int ptrace_attach(struct task_struct *task)
+static int __ptrace_attach(struct task_struct *task, int jail)
{
int retval;
task_lock(task);
@@ -154,8 +164,12 @@ int ptrace_attach(struct task_struct *ta
write_lock_irq(&tasklist_lock);
__ptrace_link(task, current);
+ if (jail) {
+ spin_lock(&task->sighand->siglock);
+ task->signal->flags |= SIGNAL_PTRACE_ONLY;
+ spin_unlock(&task->sighand->siglock);
+ }
write_unlock_irq(&tasklist_lock);
-
force_sig_specific(SIGSTOP, task);
return 0;
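Review bot: the flag is set on task->signal, which is shared by every thread of the tracee's thread group, so PTRACE_ATTACH_JAIL on one thread marks the whole group, including threads this tracer never attached to; if that is the intent, state it in the changelog, otherwise a per-task bit (in task->ptrace) fits better. Nothing in the patch ever clears SIGNAL_PTRACE_ONLY, so a jailed task can never be released alive; acceptable for the jail use case, but it should be documented next to the flag. The lone "-" line only removes a blank line; drop that unrelated whitespace change from the patch.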
@@ -164,6 +178,16 @@ bad:
return retval;
}
+int ptrace_attach(struct task_struct *task)
+{
+ return __ptrace_attach(task, 0);
+}
+
+int ptrace_attach_jail(struct task_struct *task)
+{
+ return __ptrace_attach(task, 1);
+}
+
int ptrace_detach(struct task_struct *child, unsigned int data)
{
if ((unsigned long) data > _NSIG)
--- arch/i386/kernel/ptrace.c.orig
+++ arch/i386/kernel/ptrace.c
@@ -388,6 +388,10 @@ asmlinkage int sys_ptrace(long request,
ret = ptrace_attach(child);
goto out_tsk;
}
+ if (request == PTRACE_ATTACH_JAIL) {
+ ret = ptrace_attach_jail(child);
+ goto out_tsk;
+ }
ret = ptrace_check_attach(child, request == PTRACE_KILL);
if (ret < 0)
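Review bot: only the i386 sys_ptrace() learns PTRACE_ATTACH_JAIL; on every other architecture the request reaches ptrace_check_attach() and then the arch switch's default case, so the jail is silently unavailable there rather than wired through generic code. Worse, the check is placed ahead of the switch and 0x12 (18) is PTRACE_GETFPXREGS on i386, so a debugger reading FPX registers of a child it already traces is now routed into ptrace_attach_jail(), which fails because the child is already traced, instead of getting its registers; pick a request number that does not collide.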
--- include/linux/ptrace.h.orig
+++ include/linux/ptrace.h
@@ -18,6 +18,7 @@
#define PTRACE_ATTACH 0x10
#define PTRACE_DETACH 0x11
+#define PTRACE_ATTACH_JAIL 0x12
#define PTRACE_SYSCALL 24
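Review bot: 0x12 sits in the range that the asm-*/ptrace.h files use for arch-private requests (i386 already defines 18 as PTRACE_GETFPXREGS), so this value collides; the generic requests this header defines further down (PTRACE_SETOPTIONS and friends, at 0x4200 and up) were put there to stay clear of exactly that, and PTRACE_ATTACH_JAIL should take the next free number in that block.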
@@ -79,6 +80,7 @@
extern int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst, int len);
extern int ptrace_writedata(struct task_struct *tsk, char __user *src, unsigned long dst, int len);
extern int ptrace_attach(struct task_struct *tsk);
+extern int ptrace_attach_jail(struct task_struct *tsk);
extern int ptrace_detach(struct task_struct *, unsigned int);
extern void ptrace_disable(struct task_struct *);
extern int ptrace_check_attach(struct task_struct *task, int kill);
--- include/linux/sched.h.orig
+++ include/linux/sched.h
@@ -338,6 +338,7 @@ struct signal_struct {
#define SIGNAL_STOP_DEQUEUED 0x00000002 /* stop signal dequeued */
#define SIGNAL_STOP_CONTINUED 0x00000004 /* SIGCONT since WCONTINUED reap */
#define SIGNAL_GROUP_EXIT 0x00000008 /* group exit in progress */
+#define SIGNAL_PTRACE_ONLY 0x00000010 /* kill on ptrace parent death */
/*
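Review bot: the comment "kill on ptrace parent death" understates the semantics: with the ptrace_untrace() change the task is also killed on an explicit detach if ptrace_detach() goes through ptrace_untrace(), and the flag applies to the whole thread group because it lives in signal_struct. The name SIGNAL_PTRACE_ONLY says neither; something like SIGNAL_PTRACE_JAIL with a comment such as "group may not outlive its tracer" would read better.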
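The userspace ptrace jail that the mail describes (a tracee limited to read/write/sigreturn, with the tracee killed rather than set loose when the tracer dies), as an added example; this is not Ingo's code and nothing from the thread. It assumes a Linux of 3.8 or later, where PTRACE_O_EXITKILL is what mainline eventually provided for the tracer-death case that PTRACE_ATTACH_JAIL targets here, and it assumes x86-64 or aarch64 for the register that holds the syscall number. exit_group is added to the allowed set (my assumption, so the child can terminate without being killed), and untrusted_child() is a constructed stand-in for untrusted code: it performs one allowed write() and then a getpid(), which the jail must stop.

```c
/* Added example, not code from the thread: a minimal ptrace "jail".
 * The tracee may only issue read/write/rt_sigreturn (plus exit_group, an
 * addition so it can exit cleanly); anything else gets it SIGKILLed at
 * syscall entry. PTRACE_O_EXITKILL (Linux >= 3.8) makes the kernel kill
 * the tracee if this tracer dies. Assumes x86-64 or aarch64. */
#define _GNU_SOURCE
#include <elf.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

static int syscall_allowed(long nr)
{
    return nr == SYS_read || nr == SYS_write ||
           nr == SYS_rt_sigreturn || nr == SYS_exit_group;
}

/* Syscall number of a tracee sitting in a syscall-entry/exit stop. */
static long tracee_syscall_nr(pid_t pid)
{
    struct user_regs_struct regs;
    struct iovec iov = { .iov_base = &regs, .iov_len = sizeof regs };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)NT_PRSTATUS, &iov) == -1)
        return -1;
#if defined(__x86_64__)
    return (long)regs.orig_rax;
#elif defined(__aarch64__)
    return (long)regs.regs[8];
#else
#error "syscall-number register not known for this architecture"
#endif
}

/* Constructed untrusted side: raw syscalls only, so the tracer sees exactly
 * these. write() is allowed; getpid() is the deliberate violation. */
static void untrusted_child(void)
{
    static const char msg[] = "inside the jail\n";
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        _exit(125);                                  /* ptrace not permitted */
    syscall(SYS_kill, syscall(SYS_getpid), SIGSTOP); /* hand over to tracer */
    syscall(SYS_write, 1, msg, sizeof msg - 1);
    syscall(SYS_getpid);                             /* jail kills us here */
    syscall(SYS_exit_group, 0);
}

/* Runs untrusted_child() under the jail. Returns the number of the first
 * forbidden syscall (the child is killed before it executes), -1 if the
 * child exited on its own, -2 on a tracer-side failure. */
long run_jailed_child(void)
{
    int status;
    long blocked = -1;
    pid_t pid = fork();
    if (pid == -1)
        return -2;
    if (pid == 0) {
        untrusted_child();
        _exit(0);
    }
    /* First event is the child's self-sent SIGSTOP (or an exit if TRACEME failed). */
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        return -2;
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL,
               (void *)(long)(PTRACE_O_TRACESYSGOOD | PTRACE_O_EXITKILL)) == -1) {
        kill(pid, SIGKILL);
        waitpid(pid, &status, 0);
        return -2;
    }
    for (;;) {
        /* Resume with signal 0: the pending SIGSTOP (and any later signal
         * stop) is swallowed; the next stop we care about is a syscall stop,
         * which TRACESYSGOOD marks as SIGTRAP|0x80. */
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == -1 ||
            waitpid(pid, &status, 0) == -1)
            return -2;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            break;
        if (WIFSTOPPED(status) && WSTOPSIG(status) == (SIGTRAP | 0x80)) {
            long nr = tracee_syscall_nr(pid);
            if (syscall_allowed(nr))
                continue;
            blocked = nr;                /* first sighting is the entry stop */
            kill(pid, SIGKILL);          /* so the syscall never runs */
            waitpid(pid, &status, 0);
            break;
        }
    }
    return blocked;
}

int main(void)
{
    long nr = run_jailed_child();
    if (nr >= 0)
        printf("child killed at forbidden syscall %ld\n", nr);
    else
        printf("child was not jailed, rc %ld\n", nr);
    return nr == SYS_getpid ? 0 : 1;
}
```

No privileges are needed: the child opts in with PTRACE_TRACEME, so this runs as a normal user. Two caveats a practitioner should keep in mind: the filter looks only at the syscall number, so an allowed write() still reaches any descriptor the child holds, and every syscall costs two context switches into the tracer, which is the overhead argument for an in-kernel mechanism like the seccomp patch this thread is about.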