From: Tycho Andersen <tycho.andersen-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
To: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
Cc: Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
Alexei Starovoitov <ast-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
Will Drewry <wad-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Pavel Emelyanov <xemul-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>,
"Serge E. Hallyn"
<serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>,
Daniel Borkmann <daniel-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org>,
"linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Network Development
<netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: [PATCH v3 2/5] seccomp: add the concept of a seccomp filter FD
Date: Wed, 30 Sep 2015 12:36:32 -0600 [thread overview]
Message-ID: <20150930183632.GA23065@smitten> (raw)
In-Reply-To: <CALCETrXkG6QCx9ptyN+VWrjgoTvwZAOfa-pWhS4iCZ=fpm6YnQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
On Wed, Sep 30, 2015 at 11:27:34AM -0700, Andy Lutomirski wrote:
> On Wed, Sep 30, 2015 at 11:13 AM, Tycho Andersen
> <tycho.andersen-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org> wrote:
> > This patch introduces the concept of a seccomp fd, with a similar interface
> > and usage to ebpf fds. Initially, one is allowed to create, install, and
> > dump these fds. Any manipulation of seccomp fds requires users to be root
> > in their own user namespace, matching the checks done for
> > SECCOMP_SET_MODE_FILTER.
> >
> > Installing a filterfd has some gotchas, though. Andy mentioned previously
> > that we should restrict installation to filter fds whose parent is already
> > in the filter tree. This doesn't quite work in the case of created seccomp
> > fds, since once you install a filter fd, you can't install any other filter
> > fd since it has no parent and there is no way to "pre-chain" filters before
> > installing them.
>
> ISTM, if we like the seccomp fd approach, we should have them be
> created with a parent already set. IOW the default should be that
> their parent is the creator's seccomp fd and, if needed, creators
> could specify a different parent.
Allowing people doing SECCOMP_FD_NEW to specify a parent fd would
work. Then we can disallow installing a seccomp fd if its parent is
not the current filter, and get rid of the whole mess with prev
locking and all that.
Tycho
WARNING: multiple messages have this Message-ID (diff)
From: Tycho Andersen <tycho.andersen@canonical.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Kees Cook <keescook@chromium.org>,
Alexei Starovoitov <ast@kernel.org>,
Will Drewry <wad@chromium.org>, Oleg Nesterov <oleg@redhat.com>,
Pavel Emelyanov <xemul@parallels.com>,
"Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
Daniel Borkmann <daniel@iogearbox.net>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Network Development <netdev@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>
Subject: Re: [PATCH v3 2/5] seccomp: add the concept of a seccomp filter FD
Date: Wed, 30 Sep 2015 12:36:32 -0600 [thread overview]
Message-ID: <20150930183632.GA23065@smitten> (raw)
In-Reply-To: <CALCETrXkG6QCx9ptyN+VWrjgoTvwZAOfa-pWhS4iCZ=fpm6YnQ@mail.gmail.com>
On Wed, Sep 30, 2015 at 11:27:34AM -0700, Andy Lutomirski wrote:
> On Wed, Sep 30, 2015 at 11:13 AM, Tycho Andersen
> <tycho.andersen@canonical.com> wrote:
> > This patch introduces the concept of a seccomp fd, with a similar interface
> > and usage to ebpf fds. Initially, one is allowed to create, install, and
> > dump these fds. Any manipulation of seccomp fds requires users to be root
> > in their own user namespace, matching the checks done for
> > SECCOMP_SET_MODE_FILTER.
> >
> > Installing a filterfd has some gotchas, though. Andy mentioned previously
> > that we should restrict installation to filter fds whose parent is already
> > in the filter tree. This doesn't quite work in the case of created seccomp
> > fds, since once you install a filter fd, you can't install any other filter
> > fd since it has no parent and there is no way to "pre-chain" filters before
> > installing them.
>
> ISTM, if we like the seccomp fd approach, we should have them be
> created with a parent already set. IOW the default should be that
> their parent is the creator's seccomp fd and, if needed, creators
> could specify a different parent.
Allowing people doing SECCOMP_FD_NEW to specify a parent fd would
work. Then we can disallow installing a seccomp fd if its parent is
not the current filter, and get rid of the whole mess with prev
locking and all that.
Tycho
next prev parent reply other threads:[~2015-09-30 18:36 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-30 18:13 checkpoint/restore of seccomp filters v3 Tycho Andersen
2015-09-30 18:13 ` [PATCH v3 1/5] seccomp: save the original filter Tycho Andersen
2015-09-30 18:13 ` [PATCH v3 2/5] seccomp: add the concept of a seccomp filter FD Tycho Andersen
[not found] ` <1443636820-17083-3-git-send-email-tycho.andersen-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
2015-09-30 18:27 ` Andy Lutomirski
2015-09-30 18:27 ` Andy Lutomirski
[not found] ` <CALCETrXkG6QCx9ptyN+VWrjgoTvwZAOfa-pWhS4iCZ=fpm6YnQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-09-30 18:36 ` Tycho Andersen [this message]
2015-09-30 18:36 ` Tycho Andersen
2015-09-30 18:47 ` Andy Lutomirski
2015-09-30 18:29 ` kbuild test robot
2015-09-30 18:29 ` kbuild test robot
2015-09-30 18:29 ` kbuild test robot
2015-09-30 18:13 ` [PATCH v3 3/5] seccomp: add a ptrace command to get seccomp filter fds Tycho Andersen
2015-09-30 18:13 ` [PATCH v3 4/5] kcmp: add KCMP_FILE_PRIVATE_DATA Tycho Andersen
[not found] ` <1443636820-17083-5-git-send-email-tycho.andersen-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
2015-09-30 18:25 ` Andy Lutomirski
2015-09-30 18:25 ` Andy Lutomirski
2015-09-30 18:41 ` Tycho Andersen
2015-09-30 18:47 ` Andy Lutomirski
2015-09-30 18:47 ` Andy Lutomirski
2015-09-30 18:55 ` Tycho Andersen
2015-09-30 18:56 ` Andy Lutomirski
2015-09-30 18:56 ` Andy Lutomirski
2015-09-30 21:39 ` Tycho Andersen
2015-09-30 21:48 ` Andy Lutomirski
2015-09-30 22:10 ` Tycho Andersen
[not found] ` <CALCETrW9-bpUd+quFF7fBjbBLS84VDT4dmBS=-cVe6+9S-DenA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-10-01 16:45 ` Tycho Andersen
2015-10-01 16:45 ` Tycho Andersen
2015-09-30 18:13 ` [PATCH v3 5/5] bpf: save the program the user actually supplied Tycho Andersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150930183632.GA23065@smitten \
--to=tycho.andersen-z7wlfzj8ewms+fvcfc7uqw@public.gmane.org \
--cc=ast-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=daniel-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org \
--cc=keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org \
--cc=wad-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org \
--cc=xemul-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.