From: Oleg Nesterov <oleg@redhat.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Kees Cook <keescook@chromium.org>,
LKML <linux-kernel@vger.kernel.org>,
"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>,
Alexei Starovoitov <ast@plumgrid.com>,
Andrew Morton <akpm@linux-foundation.org>,
Daniel Borkmann <dborkman@redhat.com>,
Will Drewry <wad@chromium.org>, Julien Tinnes <jln@chromium.org>,
David Drysdale <drysdale@google.com>,
Linux API <linux-api@vger.kernel.org>,
"x86@kernel.org" <x86@kernel.org>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
linux-mips@linux-mips.org,
linux-arch <linux-arch@vger.kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH v8 5/9] seccomp: split mode set routines
Date: Wed, 25 Jun 2014 19:51:36 +0200 [thread overview]
Message-ID: <20140625175136.GA18185@redhat.com> (raw)
In-Reply-To: <CALCETrUc65H+fn6dtMdYnB_xR39wcmgDdTbdR3fFRjyrndJhgA@mail.gmail.com>
On 06/25, Andy Lutomirski wrote:
>
> On Wed, Jun 25, 2014 at 10:32 AM, Oleg Nesterov <oleg@redhat.com> wrote:
> > On 06/25, Andy Lutomirski wrote:
> >>
> >> Write the filter, then smp_mb (or maybe a weaker barrier is okay),
> >> then set the bit.
> >
> > Yes, exactly, this is what I meant. Plas rmb() in __secure_computing().
> >
> > But I still can't understand the rest of your discussion about the
> > ordering we need ;)
>
> Let me try again from scratch.
>
> Currently there are three relevant variables: TIF_SECCOMP,
> seccomp.mode, and seccomp.filter. __secure_computing needs
> seccomp.mode and seccomp.filter to be in sync, and it wants (but
> doesn't really need) TIF_SECCOMP to be in sync as well.
>
> My suggestion is to rearrange it a bit. Move mode into seccomp.filter
> (so that filter == NULL implies no seccomp) and don't check
> TIF_SECCOMP in secure_computing. Then turning on seccomp is entirely
> atomic except for the fact that the seccomp hooks won't be called if
> filter != NULL but !TIF_SECCOMP. This removes all ordering
> requirements.
Ah, got it, thanks. Perhaps I missed somehing, but to me this looks like
unnecessary complication at first glance.
We alredy have TIF_SECCOMP, we need it anyway, and we should only care
about the case when this bit is actually set, so that we can race with
the 1st call of __secure_computing().
Otherwise we are fine: we can miss the new filter anyway, ->mode can't
be changed it is already nonzero.
> Alternatively, __secure_computing could still BUG_ON(!seccomp.filter).
> In that case, filter needs to be set before TIF_SECCOMP is set, but
> that's straightforward.
Yep. And this is how seccomp_assign_mode() already works? It is called
after we change ->filter chain, it changes ->mode before set(TIF_SECCOMP)
just it lacks a barrier.
Oleg.
WARNING: multiple messages have this Message-ID (diff)
From: oleg@redhat.com (Oleg Nesterov)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v8 5/9] seccomp: split mode set routines
Date: Wed, 25 Jun 2014 19:51:36 +0200 [thread overview]
Message-ID: <20140625175136.GA18185@redhat.com> (raw)
In-Reply-To: <CALCETrUc65H+fn6dtMdYnB_xR39wcmgDdTbdR3fFRjyrndJhgA@mail.gmail.com>
On 06/25, Andy Lutomirski wrote:
>
> On Wed, Jun 25, 2014 at 10:32 AM, Oleg Nesterov <oleg@redhat.com> wrote:
> > On 06/25, Andy Lutomirski wrote:
> >>
> >> Write the filter, then smp_mb (or maybe a weaker barrier is okay),
> >> then set the bit.
> >
> > Yes, exactly, this is what I meant. Plas rmb() in __secure_computing().
> >
> > But I still can't understand the rest of your discussion about the
> > ordering we need ;)
>
> Let me try again from scratch.
>
> Currently there are three relevant variables: TIF_SECCOMP,
> seccomp.mode, and seccomp.filter. __secure_computing needs
> seccomp.mode and seccomp.filter to be in sync, and it wants (but
> doesn't really need) TIF_SECCOMP to be in sync as well.
>
> My suggestion is to rearrange it a bit. Move mode into seccomp.filter
> (so that filter == NULL implies no seccomp) and don't check
> TIF_SECCOMP in secure_computing. Then turning on seccomp is entirely
> atomic except for the fact that the seccomp hooks won't be called if
> filter != NULL but !TIF_SECCOMP. This removes all ordering
> requirements.
Ah, got it, thanks. Perhaps I missed somehing, but to me this looks like
unnecessary complication at first glance.
We alredy have TIF_SECCOMP, we need it anyway, and we should only care
about the case when this bit is actually set, so that we can race with
the 1st call of __secure_computing().
Otherwise we are fine: we can miss the new filter anyway, ->mode can't
be changed it is already nonzero.
> Alternatively, __secure_computing could still BUG_ON(!seccomp.filter).
> In that case, filter needs to be set before TIF_SECCOMP is set, but
> that's straightforward.
Yep. And this is how seccomp_assign_mode() already works? It is called
after we change ->filter chain, it changes ->mode before set(TIF_SECCOMP)
just it lacks a barrier.
Oleg.
next prev parent reply other threads:[~2014-06-25 17:51 UTC|newest]
Thread overview: 118+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-24 20:48 [PATCH v8 0/9] seccomp: add thread sync ability Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 1/9] seccomp: create internal mode-setting function Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 2/9] seccomp: split filter prep from check and apply Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 3/9] seccomp: introduce writer locking Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-25 14:03 ` Oleg Nesterov
2014-06-25 14:03 ` Oleg Nesterov
2014-06-25 18:07 ` Oleg Nesterov
2014-06-25 18:07 ` Oleg Nesterov
2014-06-25 18:29 ` Oleg Nesterov
2014-06-25 18:29 ` Oleg Nesterov
2014-06-27 17:27 ` Kees Cook
2014-06-27 17:27 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 4/9] sched: move no_new_privs into new atomic flags Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-25 13:43 ` Oleg Nesterov
2014-06-25 13:43 ` Oleg Nesterov
2014-06-25 14:44 ` Kees Cook
2014-06-25 14:44 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 5/9] seccomp: split mode set routines Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-25 13:51 ` Oleg Nesterov
2014-06-25 13:51 ` Oleg Nesterov
2014-06-25 14:51 ` Kees Cook
2014-06-25 14:51 ` Kees Cook
2014-06-25 16:10 ` Andy Lutomirski
2014-06-25 16:10 ` Andy Lutomirski
2014-06-25 16:54 ` Kees Cook
2014-06-25 16:54 ` Kees Cook
[not found] ` <CAGXu5j+J11zJnuFR8bYKAXizAHhCx4R+uJE_QH6zC3q2udkpaQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-06-25 17:03 ` Andy Lutomirski
2014-06-25 17:03 ` Andy Lutomirski
2014-06-25 17:03 ` Andy Lutomirski
2014-06-25 17:32 ` Oleg Nesterov
2014-06-25 17:32 ` Oleg Nesterov
[not found] ` <20140625173245.GA17695-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-25 17:38 ` Andy Lutomirski
2014-06-25 17:38 ` Andy Lutomirski
2014-06-25 17:38 ` Andy Lutomirski
2014-06-25 17:51 ` Oleg Nesterov [this message]
2014-06-25 17:51 ` Oleg Nesterov
2014-06-25 18:00 ` Kees Cook
2014-06-25 18:00 ` Kees Cook
[not found] ` <CAGXu5jL17k6=GXju6x+eLU20FMwBHhnuRiHoQD1Bzj_EmpiKjg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-06-25 18:07 ` Andy Lutomirski
2014-06-25 18:07 ` Andy Lutomirski
2014-06-25 18:07 ` Andy Lutomirski
2014-06-27 18:33 ` Kees Cook
2014-06-27 18:33 ` Kees Cook
2014-06-27 18:39 ` Andy Lutomirski
2014-06-27 18:39 ` Andy Lutomirski
[not found] ` <CALCETrUPxTxseJ=sOhD9CyJPtOqCR5sL8yx7KezLmLZcFSFNMA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-06-27 18:52 ` Kees Cook
2014-06-27 18:52 ` Kees Cook
2014-06-27 18:52 ` Kees Cook
2014-06-27 18:56 ` Andy Lutomirski
2014-06-27 18:56 ` Andy Lutomirski
2014-06-27 19:04 ` Kees Cook
2014-06-27 19:04 ` Kees Cook
[not found] ` <CAGXu5jL5rN6=2-SwHiiEVuGVain-T7Ucg2PsN7u08vQ5Rxz6Mg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-06-27 19:11 ` Andy Lutomirski
2014-06-27 19:11 ` Andy Lutomirski
2014-06-27 19:11 ` Andy Lutomirski
2014-06-27 19:27 ` Oleg Nesterov
2014-06-27 19:27 ` Oleg Nesterov
[not found] ` <20140627192753.GA30752-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-27 19:31 ` Andy Lutomirski
2014-06-27 19:31 ` Andy Lutomirski
2014-06-27 19:31 ` Andy Lutomirski
2014-06-27 19:55 ` Oleg Nesterov
2014-06-27 19:55 ` Oleg Nesterov
[not found] ` <20140627195559.GA31661-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-27 20:08 ` Andy Lutomirski
2014-06-27 20:08 ` Andy Lutomirski
2014-06-27 20:08 ` Andy Lutomirski
2014-06-27 20:56 ` Kees Cook
2014-06-27 20:56 ` Kees Cook
2014-06-27 20:56 ` Kees Cook
2014-06-25 17:00 ` Oleg Nesterov
2014-06-25 17:00 ` Oleg Nesterov
2014-06-24 20:48 ` [PATCH v8 6/9] seccomp: add "seccomp" syscall Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 7/9] ARM: add seccomp syscall Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 8/9] MIPS: " Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 9/9] seccomp: implement SECCOMP_FILTER_FLAG_TSYNC Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-25 14:21 ` Oleg Nesterov
2014-06-25 14:21 ` Oleg Nesterov
2014-06-25 15:08 ` Kees Cook
2014-06-25 15:08 ` Kees Cook
2014-06-25 16:52 ` Oleg Nesterov
2014-06-25 16:52 ` Oleg Nesterov
[not found] ` <20140625165209.GA14720-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-25 17:09 ` Kees Cook
2014-06-25 17:09 ` Kees Cook
2014-06-25 17:09 ` Kees Cook
2014-06-25 17:24 ` Oleg Nesterov
2014-06-25 17:24 ` Oleg Nesterov
2014-06-25 17:40 ` Andy Lutomirski
2014-06-25 17:40 ` Andy Lutomirski
2014-06-25 17:57 ` Kees Cook
2014-06-25 17:57 ` Kees Cook
2014-06-25 18:09 ` Andy Lutomirski
2014-06-25 18:09 ` Andy Lutomirski
2014-06-25 18:25 ` Kees Cook
2014-06-25 18:25 ` Kees Cook
2014-06-25 18:20 ` Oleg Nesterov
2014-06-25 18:20 ` Oleg Nesterov
[not found] ` <20140625182012.GA19437-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-25 18:31 ` Kees Cook
2014-06-25 18:31 ` Kees Cook
2014-06-25 18:31 ` Kees Cook
2014-06-24 20:56 ` [PATCH v8 1/1] man-pages: seccomp.2: document syscall Kees Cook
2014-06-24 20:56 ` Kees Cook
2014-06-25 13:04 ` One Thousand Gnomes
2014-06-25 13:04 ` One Thousand Gnomes
2014-06-25 15:10 ` Kees Cook
2014-06-25 15:10 ` Kees Cook
2014-06-25 17:54 ` Michael Kerrisk (man-pages)
2014-06-25 17:54 ` Michael Kerrisk (man-pages)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140625175136.GA18185@redhat.com \
--to=oleg@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=ast@plumgrid.com \
--cc=dborkman@redhat.com \
--cc=drysdale@google.com \
--cc=jln@chromium.org \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mips@linux-mips.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mtk.manpages@gmail.com \
--cc=wad@chromium.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.