From mboxrd@z Thu Jan 1 00:00:00 1970 Received: with ECARTIS (v1.0.0; list linux-mips); Wed, 06 May 2009 22:56:28 +0100 (BST) Received: from mx2.mail.elte.hu ([157.181.151.9]:43915 "EHLO mx2.mail.elte.hu" rhost-flags-OK-OK-OK-OK) by ftp.linux-mips.org with ESMTP id S20024638AbZEFV4W (ORCPT ); Wed, 6 May 2009 22:56:22 +0100 Received: from elvis.elte.hu ([157.181.1.14]) by mx2.mail.elte.hu with esmtp (Exim) id 1M1p4p-0003wl-Jl from ; Wed, 06 May 2009 23:55:06 +0200 Received: by elvis.elte.hu (Postfix, from userid 1004) id D45DC3E213A; Wed, 6 May 2009 23:54:49 +0200 (CEST) Date: Wed, 6 May 2009 23:54:50 +0200 From: Ingo Molnar To: Markus Gutschke =?utf-8?B?KOmhp+Wtn+WLpCk=?= Cc: Linus Torvalds , Roland McGrath , Andrew Morton , x86@kernel.org, linux-kernel@vger.kernel.org, stable@kernel.org, linux-mips@linux-mips.org, sparclinux@vger.kernel.org, linuxppc-dev@ozlabs.org Subject: Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole Message-ID: <20090506215450.GA9537@elte.hu> References: <20090228030226.C0D34FC3DA@magilla.sf.frob.com> <20090228030413.5B915FC3DA@magilla.sf.frob.com> <20090228072554.CFEA6FC3DA@magilla.sf.frob.com> <904b25810905061146ged374f2se0afd24e9e3c1f06@mail.gmail.com> <20090506212913.GC4861@elte.hu> <904b25810905061446m73c42040nfff47c9b8950bcfa@mail.gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <904b25810905061446m73c42040nfff47c9b8950bcfa@mail.gmail.com> User-Agent: Mutt/1.5.18 (2008-05-17) Received-SPF: neutral (mx2: 157.181.1.14 is neither permitted nor denied by domain of elte.hu) client-ip=157.181.1.14; envelope-from=mingo@elte.hu; helo=elvis.elte.hu; X-ELTE-VirusStatus: clean X-ELTE-SpamScore: -1.5 X-ELTE-SpamLevel: X-ELTE-SpamCheck: no X-ELTE-SpamVersion: ELTE 2.0 X-ELTE-SpamCheck-Details: score=-1.5 required=5.9 tests=BAYES_00 autolearn=no SpamAssassin version=3.2.3 -1.5 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.0000] Return-Path: X-Envelope-To: <"|/home/ecartis/ecartis -s linux-mips"> (uid 0) X-Orcpt: rfc822;linux-mips@linux-mips.org Original-Recipient: rfc822;linux-mips@linux-mips.org X-archive-position: 22651 X-ecartis-version: Ecartis v1.0.0 Sender: linux-mips-bounce@linux-mips.org Errors-to: linux-mips-bounce@linux-mips.org X-original-sender: mingo@elte.hu Precedence: bulk X-list: linux-mips * Markus Gutschke (顧孟勤) wrote: > On Wed, May 6, 2009 at 14:29, Ingo Molnar wrote: > > That's a pretty interesting usage. What would be fallback mode you > > are using if the kernel doesnt have seccomp built in? Completely > > non-sandboxed? Or a ptrace/PTRACE_SYSCALL based sandbox? > > Ptrace has performance and/or reliability problems when used to > sandbox threaded applications due to potential race conditions > when inspecting system call arguments. We hope that we can avoid > this problem with seccomp. It is very attractive that kernel > automatically terminates any application that violates the very > well-defined constraints of the sandbox. > > In general, we are currently exploring different options based on > general availability, functionality, and complexity of > implementation. Seccomp is a good middle ground that we expect to > be able to use in the medium term to provide an acceptable > solution for a large segment of Linux users. Although the > restriction to just four unfiltered system calls is painful. Which other system calls would you like to use? Futexes might be one, for fast synchronization primitives? Ingo From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx2.mail.elte.hu (mx2.mail.elte.hu [157.181.151.9]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by ozlabs.org (Postfix) with ESMTPS id F115CDDE19 for ; Thu, 7 May 2009 07:56:27 +1000 (EST) Date: Wed, 6 May 2009 23:54:50 +0200 From: Ingo Molnar To: Markus Gutschke =?utf-8?B?KOmhp+Wtn+WLpCk=?= Subject: Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole Message-ID: <20090506215450.GA9537@elte.hu> References: <20090228030226.C0D34FC3DA@magilla.sf.frob.com> <20090228030413.5B915FC3DA@magilla.sf.frob.com> <20090228072554.CFEA6FC3DA@magilla.sf.frob.com> <904b25810905061146ged374f2se0afd24e9e3c1f06@mail.gmail.com> <20090506212913.GC4861@elte.hu> <904b25810905061446m73c42040nfff47c9b8950bcfa@mail.gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 In-Reply-To: <904b25810905061446m73c42040nfff47c9b8950bcfa@mail.gmail.com> Cc: linux-mips@linux-mips.org, x86@kernel.org, linux-kernel@vger.kernel.org, linuxppc-dev@ozlabs.org, sparclinux@vger.kernel.org, Andrew Morton , Linus Torvalds , stable@kernel.org, Roland McGrath List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , * Markus Gutschke (顧孟勤) wrote: > On Wed, May 6, 2009 at 14:29, Ingo Molnar wrote: > > That's a pretty interesting usage. What would be fallback mode you > > are using if the kernel doesnt have seccomp built in? Completely > > non-sandboxed? Or a ptrace/PTRACE_SYSCALL based sandbox? > > Ptrace has performance and/or reliability problems when used to > sandbox threaded applications due to potential race conditions > when inspecting system call arguments. We hope that we can avoid > this problem with seccomp. It is very attractive that kernel > automatically terminates any application that violates the very > well-defined constraints of the sandbox. > > In general, we are currently exploring different options based on > general availability, functionality, and complexity of > implementation. Seccomp is a good middle ground that we expect to > be able to use in the medium term to provide an acceptable > solution for a large segment of Linux users. Although the > restriction to just four unfiltered system calls is painful. Which other system calls would you like to use? Futexes might be one, for fast synchronization primitives? Ingo From mboxrd@z Thu Jan 1 00:00:00 1970 From: Ingo Molnar Date: Wed, 06 May 2009 21:54:50 +0000 Subject: Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole Message-Id: <20090506215450.GA9537@elte.hu> List-Id: References: <20090228030226.C0D34FC3DA@magilla.sf.frob.com> <20090228030413.5B915FC3DA@magilla.sf.frob.com> <20090228072554.CFEA6FC3DA@magilla.sf.frob.com> <904b25810905061146ged374f2se0afd24e9e3c1f06@mail.gmail.com> <20090506212913.GC4861@elte.hu> <904b25810905061446m73c42040nfff47c9b8950bcfa@mail.gmail.com> In-Reply-To: <904b25810905061446m73c42040nfff47c9b8950bcfa@mail.gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit To: Markus Gutschke =?utf-8?B?KOmhp+Wtn+WLpCk=?= Cc: Linus Torvalds , Roland McGrath , Andrew Morton , x86@kernel.org, linux-kernel@vger.kernel.org, stable@kernel.org, linux-mips@linux-mips.org, sparclinux@vger.kernel.org, linuxppc-dev@ozlabs.org * Markus Gutschke (顧孟勤) wrote: > On Wed, May 6, 2009 at 14:29, Ingo Molnar wrote: > > That's a pretty interesting usage. What would be fallback mode you > > are using if the kernel doesnt have seccomp built in? Completely > > non-sandboxed? Or a ptrace/PTRACE_SYSCALL based sandbox? > > Ptrace has performance and/or reliability problems when used to > sandbox threaded applications due to potential race conditions > when inspecting system call arguments. We hope that we can avoid > this problem with seccomp. It is very attractive that kernel > automatically terminates any application that violates the very > well-defined constraints of the sandbox. > > In general, we are currently exploring different options based on > general availability, functionality, and complexity of > implementation. Seccomp is a good middle ground that we expect to > be able to use in the medium term to provide an acceptable > solution for a large segment of Linux users. Although the > restriction to just four unfiltered system calls is painful. Which other system calls would you like to use? Futexes might be one, for fast synchronization primitives? Ingo