From: Kees Cook <keescook@chromium.org>
To: Rich Felker <dalias@libc.org>
Cc: Jann Horn <jannh@google.com>, Camille Mougey <commial@gmail.com>,
	lkml <linux-kernel@vger.kernel.org>,
	Tycho Andersen <tycho@tycho.pizza>,
	Sargun Dhillon <sargun@sargun.me>,
	Christian Brauner <christian.brauner@ubuntu.com>,
	"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>,
	Denis Efremov <efremov@linux.com>,
	Andy Lutomirski <luto@kernel.org>
Subject: Re: [seccomp] Request for a "enable on execve" mode for Seccomp filters
Date: Wed, 28 Oct 2020 15:03:14 -0700
Message-ID: <202010281500.855B950FE@keescook>
In-Reply-To: <20201028164936.GC534@brightrain.aerifal.cx>

On Wed, Oct 28, 2020 at 12:49:36PM -0400, Rich Felker wrote:
> On Wed, Oct 28, 2020 at 01:42:13PM +0100, Jann Horn wrote:
> > +luto just in case he has opinions on this
> > 
> > On Wed, Oct 28, 2020 at 12:18 PM Camille Mougey <commial@gmail.com> wrote:
> > > From my understanding, there is no way to delay the activation of
> > > seccomp filters, for instance "until an _execve_ call".
> > > [...]
> > > I only see hackish ways to restrict the use of _execve_ in a
> > > non-cooperative executable. These methods seem globally bypassable
> > > and not satisfactory from a security point of view.
> > 
> > You're just focusing on execve() - I think it's important to keep in
> > mind what happens after execve() for normal, dynamically-linked
> > binaries: The next step is that the dynamic linker runs, and it will
> > poke around in the file system with access() and openat() and fstat(),
> > it will mmap() executable libraries into memory, it will mprotect()
> > some memory regions, it will set up thread-local storage (e.g. using
> > arch_prctl(); even if the process is single-threaded), and so on.
> > 
> > The earlier you install the seccomp filter, the more of these steps
> > you have to permit in the filter. And if you want the filter to take
> > effect directly after execve(), the syscalls you'll be forced to
> > permit are sufficient to cobble something together in userspace that
> > effectively does almost the same thing as execve().
> 
> I would assume you use SECCOMP_RET_USER_NOTIF to implement policy for
> controlling these operations and allowing only the ones that are valid
> during dynamic linking. This also allows you to defer application of
> the filter until after execve. So unless I'm missing some reason why
> this doesn't work, I think the requested functionality is already
> available.

Oof. Yeah, that's possible, but I view it as kind of not the point of
USER_NOTIF -- I'd rather design a workable solution for the
delayed-apply case.

-- 
Kees Cook
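
The trade-off Jann describes (a filter that takes effect before or at execve() must already permit the loader's access()/openat()/fstat()/mmap()/mprotect()/arch_prctl() traffic) can be made concrete by building such a filter and evaluating it. The C program below is an added example written for this page, not code from this thread, from glibc or from the kernel. It assembles a classic seccomp-BPF allowlist of x86-64 syscall numbers a glibc-style dynamic loader typically issues before main(), runs it through a small offline evaluator for the three instruction forms the builder emits, and can install it for real with prctl(2). The function names (build_allowlist_filter, run_filter, loader_filter_allows, install_loader_filter), the hardcoded x86-64 syscall numbers and the allowlist itself are this example's own assumptions; the list is illustrative and would be derived by tracing the real target.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* x86-64 syscall numbers, hardcoded (assumption: this example targets x86-64;
 * other architectures use different numbers and a different loader call set). */
enum {
    NR_read = 0, NR_close = 3, NR_fstat = 5, NR_mmap = 9, NR_mprotect = 10,
    NR_munmap = 11, NR_brk = 12, NR_access = 21, NR_execve = 59,
    NR_arch_prctl = 158, NR_exit_group = 231, NR_openat = 257
};

/* Illustrative (constructed, not exhaustive) set of calls a glibc-style
 * dynamic loader makes before main(). execve is deliberately absent. */
static const uint32_t loader_allow[] = {
    NR_read, NR_close, NR_fstat, NR_mmap, NR_mprotect, NR_munmap, NR_brk,
    NR_access, NR_arch_prctl, NR_exit_group, NR_openat
};
#define LOADER_ALLOW_LEN (sizeof loader_allow / sizeof loader_allow[0])
#define MAX_INSNS 64

/* Emits: check arch (else KILL); load nr; one JEQ per allowed nr jumping to
 * the trailing ALLOW; default RET KILL_PROCESS. Returns instruction count. */
static size_t build_allowlist_filter(struct sock_filter *out, size_t cap,
                                     uint32_t arch, const uint32_t *allow, size_t n)
{
    size_t k = 0;
    if (n > 200 || cap < n + 6) return 0;        /* jt is an 8-bit offset */
    out[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, arch));
    out[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, arch, 1, 0);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < n; i++)               /* skip remaining checks + KILL */
        out[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allow[i],
                                                (unsigned char)(n - i), 0);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return k;
}

/* Offline evaluator for the three instruction forms emitted above; it mirrors
 * the kernel's semantics for them so the verdict can be inspected without
 * installing anything. Jump offsets are relative to the next instruction. */
static uint32_t run_filter(const struct sock_filter *f, size_t len,
                           const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &f[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const char *)d + in->k, sizeof acc); break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf; break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            abort();                             /* never emitted by the builder */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;             /* unreachable for a well-formed program */
}

/* 1 if the loader allowlist lets (arch, nr) through, 0 if it would kill. */
int loader_filter_allows(uint32_t arch, int nr)
{
    struct sock_filter insns[MAX_INSNS];
    size_t len = build_allowlist_filter(insns, MAX_INSNS, AUDIT_ARCH_X86_64,
                                        loader_allow, LOADER_ALLOW_LEN);
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return len != 0 && run_filter(insns, len, &d) == SECCOMP_RET_ALLOW;
}

/* Installs the filter for real: from then on execve() kills the process. */
static int install_loader_filter(void)
{
    struct sock_filter insns[MAX_INSNS];
    struct sock_fprog prog = { .filter = insns };
    prog.len = (unsigned short)build_allowlist_filter(insns, MAX_INSNS, AUDIT_ARCH_X86_64,
                                                      loader_allow, LOADER_ALLOW_LEN);
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(int argc, char **argv)
{
    const struct { const char *name; int nr; } probe[] = {
        { "openat", NR_openat }, { "mmap", NR_mmap },
        { "mprotect", NR_mprotect }, { "execve", NR_execve }
    };
    for (size_t i = 0; i < sizeof probe / sizeof probe[0]; i++)
        printf("%-9s -> %s\n", probe[i].name,
               loader_filter_allows(AUDIT_ARCH_X86_64, probe[i].nr) ? "ALLOW" : "KILL");
    if (argc > 1 && strcmp(argv[1], "--install") == 0 && install_loader_filter() == 0)
        puts("filter installed: execve() in this process now kills it");
    return 0;
}
```

Run without arguments to see the verdict table; pass --install to apply the filter to the running process. The table is the point of the thread: openat, mmap and mprotect must come back ALLOW for the loader to work at all, and those three are exactly the primitives a non-cooperative binary can use to map and run code of its choosing even though execve comes back KILL.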


Thread overview: 15+ messages
2020-10-28 11:18 [seccomp] Request for a "enable on execve" mode for Seccomp filters Camille Mougey
2020-10-28 12:42 ` Jann Horn
2020-10-28 16:49   ` Rich Felker
2020-10-28 17:34     ` Jann Horn
2020-10-28 17:52       ` Rich Felker
2020-10-28 18:25         ` Jann Horn
2020-10-28 18:35           ` Rich Felker
2020-10-28 18:39             ` Jann Horn
2020-10-28 18:50               ` Rich Felker
2020-10-28 22:03     ` Kees Cook [this message]
2020-10-28 22:00   ` Kees Cook
2020-10-28 22:47 ` Kees Cook
2020-10-28 23:59   ` Andy Lutomirski
2020-10-29  7:58   ` Sargun Dhillon
2020-10-29 13:56     ` Rich Felker
