From: Oleg Nesterov <oleg@redhat.com>
To: Kees Cook <keescook@chromium.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>,
Alexei Starovoitov <ast@plumgrid.com>,
Andrew Morton <akpm@linux-foundation.org>,
Daniel Borkmann <dborkman@redhat.com>,
Will Drewry <wad@chromium.org>, Julien Tinnes <jln@chromium.org>,
David Drysdale <drysdale@google.com>,
Linux API <linux-api@vger.kernel.org>,
"x86@kernel.org" <x86@kernel.org>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
linux-mips@linux-mips.org,
linux-arch <linux-arch@vger.kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH v8 9/9] seccomp: implement SECCOMP_FILTER_FLAG_TSYNC
Date: Wed, 25 Jun 2014 19:24:10 +0200 [thread overview]
Message-ID: <20140625172410.GA17133@redhat.com> (raw)
In-Reply-To: <CAGXu5jLHDew1fifGY_mWgwcH7evm0T8rqSnBrw4XpoAXGK+t-Q@mail.gmail.com>
On 06/25, Kees Cook wrote:
>
> On Wed, Jun 25, 2014 at 9:52 AM, Oleg Nesterov <oleg@redhat.com> wrote:
> >
> > Yes, at least this should close the race with suid-exec. And there are no
> > other users. Except apparmor, and I hope you will check it because I simply
> > do not know what it does ;)
> >
> >> I wonder if changes to nnp need to "flushed" during syscall entry
> >> instead of getting updated externally/asynchronously? That way it
> >> won't be out of sync with the seccomp mode/filters.
> >>
> >> Perhaps secure computing needs to check some (maybe seccomp-only)
> >> atomic flags and flip on the "real" nnp if found?
> >
> > Not sure I understand you, could you clarify?
>
> Instead of having TSYNC change the nnp bit, it can set a new flag, say:
>
> task->seccomp.flags |= SECCOMP_NEEDS_NNP;
>
> This would be set along with seccomp.mode, seccomp.filter, and
> TIF_SECCOMP. Then, during the next secure_computing() call that thread
> makes, it would check the flag:
>
> if (task->seccomp.flags & SECCOMP_NEEDS_NNP)
> task->nnp = 1;
>
> This means that nnp couldn't change in the middle of a running syscall.
Aha, so you were worried about the same thing. Not sure we need this,
but at least I understand you and...
> Hmmm. Perhaps this doesn't solve anything, though? Perhaps my proposal
> above would actually make things worse, since now we'd have a thread
> with seccomp set up, and no nnp. If it was in the middle of exec,
> we're still causing a problem.
Yes ;)
> I think we'd also need a way to either delay the seccomp changes, or
> to notice this condition during exec. Bleh.
Hmm. confused again,
> What actually happens with a multi-threaded process calls exec? I
> assume all the other threads are destroyed?
Yes. But this is the point-of-no-return, de_thread() is called after the execing
thared has already passed (say) check_unsafe_exec().
However, do_execve() takes cred_guard_mutex at the start in prepare_bprm_creds()
and drops it in install_exec_creds(), so it should solve the problem?
Oleg.
WARNING: multiple messages have this Message-ID (diff)
From: oleg@redhat.com (Oleg Nesterov)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v8 9/9] seccomp: implement SECCOMP_FILTER_FLAG_TSYNC
Date: Wed, 25 Jun 2014 19:24:10 +0200 [thread overview]
Message-ID: <20140625172410.GA17133@redhat.com> (raw)
In-Reply-To: <CAGXu5jLHDew1fifGY_mWgwcH7evm0T8rqSnBrw4XpoAXGK+t-Q@mail.gmail.com>
On 06/25, Kees Cook wrote:
>
> On Wed, Jun 25, 2014 at 9:52 AM, Oleg Nesterov <oleg@redhat.com> wrote:
> >
> > Yes, at least this should close the race with suid-exec. And there are no
> > other users. Except apparmor, and I hope you will check it because I simply
> > do not know what it does ;)
> >
> >> I wonder if changes to nnp need to "flushed" during syscall entry
> >> instead of getting updated externally/asynchronously? That way it
> >> won't be out of sync with the seccomp mode/filters.
> >>
> >> Perhaps secure computing needs to check some (maybe seccomp-only)
> >> atomic flags and flip on the "real" nnp if found?
> >
> > Not sure I understand you, could you clarify?
>
> Instead of having TSYNC change the nnp bit, it can set a new flag, say:
>
> task->seccomp.flags |= SECCOMP_NEEDS_NNP;
>
> This would be set along with seccomp.mode, seccomp.filter, and
> TIF_SECCOMP. Then, during the next secure_computing() call that thread
> makes, it would check the flag:
>
> if (task->seccomp.flags & SECCOMP_NEEDS_NNP)
> task->nnp = 1;
>
> This means that nnp couldn't change in the middle of a running syscall.
Aha, so you were worried about the same thing. Not sure we need this,
but at least I understand you and...
> Hmmm. Perhaps this doesn't solve anything, though? Perhaps my proposal
> above would actually make things worse, since now we'd have a thread
> with seccomp set up, and no nnp. If it was in the middle of exec,
> we're still causing a problem.
Yes ;)
> I think we'd also need a way to either delay the seccomp changes, or
> to notice this condition during exec. Bleh.
Hmm. confused again,
> What actually happens with a multi-threaded process calls exec? I
> assume all the other threads are destroyed?
Yes. But this is the point-of-no-return, de_thread() is called after the execing
thared has already passed (say) check_unsafe_exec().
However, do_execve() takes cred_guard_mutex at the start in prepare_bprm_creds()
and drops it in install_exec_creds(), so it should solve the problem?
Oleg.
next prev parent reply other threads:[~2014-06-25 17:24 UTC|newest]
Thread overview: 118+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-24 20:48 [PATCH v8 0/9] seccomp: add thread sync ability Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 1/9] seccomp: create internal mode-setting function Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 2/9] seccomp: split filter prep from check and apply Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 3/9] seccomp: introduce writer locking Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-25 14:03 ` Oleg Nesterov
2014-06-25 14:03 ` Oleg Nesterov
2014-06-25 18:07 ` Oleg Nesterov
2014-06-25 18:07 ` Oleg Nesterov
2014-06-25 18:29 ` Oleg Nesterov
2014-06-25 18:29 ` Oleg Nesterov
2014-06-27 17:27 ` Kees Cook
2014-06-27 17:27 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 4/9] sched: move no_new_privs into new atomic flags Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-25 13:43 ` Oleg Nesterov
2014-06-25 13:43 ` Oleg Nesterov
2014-06-25 14:44 ` Kees Cook
2014-06-25 14:44 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 5/9] seccomp: split mode set routines Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-25 13:51 ` Oleg Nesterov
2014-06-25 13:51 ` Oleg Nesterov
2014-06-25 14:51 ` Kees Cook
2014-06-25 14:51 ` Kees Cook
2014-06-25 16:10 ` Andy Lutomirski
2014-06-25 16:10 ` Andy Lutomirski
2014-06-25 16:54 ` Kees Cook
2014-06-25 16:54 ` Kees Cook
[not found] ` <CAGXu5j+J11zJnuFR8bYKAXizAHhCx4R+uJE_QH6zC3q2udkpaQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-06-25 17:03 ` Andy Lutomirski
2014-06-25 17:03 ` Andy Lutomirski
2014-06-25 17:03 ` Andy Lutomirski
2014-06-25 17:32 ` Oleg Nesterov
2014-06-25 17:32 ` Oleg Nesterov
[not found] ` <20140625173245.GA17695-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-25 17:38 ` Andy Lutomirski
2014-06-25 17:38 ` Andy Lutomirski
2014-06-25 17:38 ` Andy Lutomirski
2014-06-25 17:51 ` Oleg Nesterov
2014-06-25 17:51 ` Oleg Nesterov
2014-06-25 18:00 ` Kees Cook
2014-06-25 18:00 ` Kees Cook
[not found] ` <CAGXu5jL17k6=GXju6x+eLU20FMwBHhnuRiHoQD1Bzj_EmpiKjg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-06-25 18:07 ` Andy Lutomirski
2014-06-25 18:07 ` Andy Lutomirski
2014-06-25 18:07 ` Andy Lutomirski
2014-06-27 18:33 ` Kees Cook
2014-06-27 18:33 ` Kees Cook
2014-06-27 18:39 ` Andy Lutomirski
2014-06-27 18:39 ` Andy Lutomirski
[not found] ` <CALCETrUPxTxseJ=sOhD9CyJPtOqCR5sL8yx7KezLmLZcFSFNMA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-06-27 18:52 ` Kees Cook
2014-06-27 18:52 ` Kees Cook
2014-06-27 18:52 ` Kees Cook
2014-06-27 18:56 ` Andy Lutomirski
2014-06-27 18:56 ` Andy Lutomirski
2014-06-27 19:04 ` Kees Cook
2014-06-27 19:04 ` Kees Cook
[not found] ` <CAGXu5jL5rN6=2-SwHiiEVuGVain-T7Ucg2PsN7u08vQ5Rxz6Mg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-06-27 19:11 ` Andy Lutomirski
2014-06-27 19:11 ` Andy Lutomirski
2014-06-27 19:11 ` Andy Lutomirski
2014-06-27 19:27 ` Oleg Nesterov
2014-06-27 19:27 ` Oleg Nesterov
[not found] ` <20140627192753.GA30752-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-27 19:31 ` Andy Lutomirski
2014-06-27 19:31 ` Andy Lutomirski
2014-06-27 19:31 ` Andy Lutomirski
2014-06-27 19:55 ` Oleg Nesterov
2014-06-27 19:55 ` Oleg Nesterov
[not found] ` <20140627195559.GA31661-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-27 20:08 ` Andy Lutomirski
2014-06-27 20:08 ` Andy Lutomirski
2014-06-27 20:08 ` Andy Lutomirski
2014-06-27 20:56 ` Kees Cook
2014-06-27 20:56 ` Kees Cook
2014-06-27 20:56 ` Kees Cook
2014-06-25 17:00 ` Oleg Nesterov
2014-06-25 17:00 ` Oleg Nesterov
2014-06-24 20:48 ` [PATCH v8 6/9] seccomp: add "seccomp" syscall Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 7/9] ARM: add seccomp syscall Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 8/9] MIPS: " Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 9/9] seccomp: implement SECCOMP_FILTER_FLAG_TSYNC Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-25 14:21 ` Oleg Nesterov
2014-06-25 14:21 ` Oleg Nesterov
2014-06-25 15:08 ` Kees Cook
2014-06-25 15:08 ` Kees Cook
2014-06-25 16:52 ` Oleg Nesterov
2014-06-25 16:52 ` Oleg Nesterov
[not found] ` <20140625165209.GA14720-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-25 17:09 ` Kees Cook
2014-06-25 17:09 ` Kees Cook
2014-06-25 17:09 ` Kees Cook
2014-06-25 17:24 ` Oleg Nesterov [this message]
2014-06-25 17:24 ` Oleg Nesterov
2014-06-25 17:40 ` Andy Lutomirski
2014-06-25 17:40 ` Andy Lutomirski
2014-06-25 17:57 ` Kees Cook
2014-06-25 17:57 ` Kees Cook
2014-06-25 18:09 ` Andy Lutomirski
2014-06-25 18:09 ` Andy Lutomirski
2014-06-25 18:25 ` Kees Cook
2014-06-25 18:25 ` Kees Cook
2014-06-25 18:20 ` Oleg Nesterov
2014-06-25 18:20 ` Oleg Nesterov
[not found] ` <20140625182012.GA19437-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-25 18:31 ` Kees Cook
2014-06-25 18:31 ` Kees Cook
2014-06-25 18:31 ` Kees Cook
2014-06-24 20:56 ` [PATCH v8 1/1] man-pages: seccomp.2: document syscall Kees Cook
2014-06-24 20:56 ` Kees Cook
2014-06-25 13:04 ` One Thousand Gnomes
2014-06-25 13:04 ` One Thousand Gnomes
2014-06-25 15:10 ` Kees Cook
2014-06-25 15:10 ` Kees Cook
2014-06-25 17:54 ` Michael Kerrisk (man-pages)
2014-06-25 17:54 ` Michael Kerrisk (man-pages)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140625172410.GA17133@redhat.com \
--to=oleg@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=ast@plumgrid.com \
--cc=dborkman@redhat.com \
--cc=drysdale@google.com \
--cc=jln@chromium.org \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mips@linux-mips.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mtk.manpages@gmail.com \
--cc=wad@chromium.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.