From: "H. Peter Anvin" <hpa@zytor.com>
To: Will Drewry <wad@chromium.org>
Cc: linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org,
linux-doc@vger.kernel.org, kernel-hardening@lists.openwall.com,
netdev@vger.kernel.org, x86@kernel.org, arnd@arndb.de,
davem@davemloft.net, mingo@redhat.com, oleg@redhat.com,
peterz@infradead.org, rdunlap@xenotime.net,
mcgrathr@chromium.org, tglx@linutronix.de, luto@mit.edu,
eparis@redhat.com, serge.hallyn@canonical.com, djm@mindrot.org,
scarybeasts@gmail.com, indan@nul.nu, pmoore@redhat.com,
akpm@linux-foundation.org, corbet@lwn.net,
eric.dumazet@gmail.com, markus@chromium.org,
keescook@chromium.org
Subject: [kernel-hardening] Re: [PATCH v8 3/8] seccomp: add system call filtering using BPF
Date: Thu, 16 Feb 2012 13:17:04 -0800 [thread overview]
Message-ID: <4F3D7250.6040504@zytor.com> (raw)
In-Reply-To: <CABqD9hb3WxKxLZ2GuUrbDM--koW+a3ser5TU8y6+e0sAhOT9dw@mail.gmail.com>
On 02/16/2012 12:25 PM, Will Drewry wrote:
>
> I agree :) BPF being a 32-bit creature introduced some edge cases. I
> has started with a
> union { u32 args32[6]; u64 args64[6]; }
>
> This was somewhat derailed by CONFIG_COMPAT behavior where
> syscall_get_arguments always writes to argument of register width --
> not bad, just irritating (since a copy isn't strictly necessary nor
> actually done in the patch). Also, Indan pointed out that while BPF
> programs expect constants in the machine-local endian layout, any
> consumers would need to change how they accessed the arguments across
> big/little endian machines since a load of the low-order bits would
> vary.
>
> In a second pass, I attempted to resolve this like aio_abi.h:
> union {
> struct {
> u32 ENDIAN_SWAP(lo32, hi32);
> };
> u64 arg64;
> } args[6];
> It wasn't clear that this actually made matters better (though it did
> mean syscall_get_arguments() could write directly to arg64). Usings
> offsetof() in the user program would be fine, but any offsets set
> another way would be invalid. At that point, I moved to Indan's
> proposal to stabilize low order and high order offsets -- what is in
> the patch series. Now a BPF program can reliably index into the low
> bits of an argument and into the high bits without endianness changing
> the filter program structure.
>
> I don't feel strongly about any given data layout, and this one seems
> to balance the 32-bit-ness of BPF and the impact that has on
> endianness. I'm happy to hear alternatives that might be more
> aesthetically pleasing :)
>
I would have to say I think native endian is probably the sane thing
still, out of several bad alternatives. Certainly splitting the high
and low halves of arguments is insane.
The other thing that you really need in addition to system call number
is ABI identifier, since a syscall number may mean different things for
different entry points. For example, on x86-64 system call number 4 is
write() if called via int $0x80 but stat() if called via syscall64.
This is a local property of the system call, not a global per process.
-hpa
WARNING: multiple messages have this Message-ID (diff)
From: "H. Peter Anvin" <hpa@zytor.com>
To: Will Drewry <wad@chromium.org>
Cc: linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org,
linux-doc@vger.kernel.org, kernel-hardening@lists.openwall.com,
netdev@vger.kernel.org, x86@kernel.org, arnd@arndb.de,
davem@davemloft.net, mingo@redhat.com, oleg@redhat.com,
peterz@infradead.org, rdunlap@xenotime.net,
mcgrathr@chromium.org, tglx@linutronix.de, luto@mit.edu,
eparis@redhat.com, serge.hallyn@canonical.com, djm@mindrot.org,
scarybeasts@gmail.com, indan@nul.nu, pmoore@redhat.com,
akpm@linux-foundation.org, corbet@lwn.net,
eric.dumazet@gmail.com, markus@chromium.org,
keescook@chromium.org
Subject: Re: [PATCH v8 3/8] seccomp: add system call filtering using BPF
Date: Thu, 16 Feb 2012 13:17:04 -0800 [thread overview]
Message-ID: <4F3D7250.6040504@zytor.com> (raw)
In-Reply-To: <CABqD9hb3WxKxLZ2GuUrbDM--koW+a3ser5TU8y6+e0sAhOT9dw@mail.gmail.com>
On 02/16/2012 12:25 PM, Will Drewry wrote:
>
> I agree :) BPF being a 32-bit creature introduced some edge cases. I
> has started with a
> union { u32 args32[6]; u64 args64[6]; }
>
> This was somewhat derailed by CONFIG_COMPAT behavior where
> syscall_get_arguments always writes to argument of register width --
> not bad, just irritating (since a copy isn't strictly necessary nor
> actually done in the patch). Also, Indan pointed out that while BPF
> programs expect constants in the machine-local endian layout, any
> consumers would need to change how they accessed the arguments across
> big/little endian machines since a load of the low-order bits would
> vary.
>
> In a second pass, I attempted to resolve this like aio_abi.h:
> union {
> struct {
> u32 ENDIAN_SWAP(lo32, hi32);
> };
> u64 arg64;
> } args[6];
> It wasn't clear that this actually made matters better (though it did
> mean syscall_get_arguments() could write directly to arg64). Usings
> offsetof() in the user program would be fine, but any offsets set
> another way would be invalid. At that point, I moved to Indan's
> proposal to stabilize low order and high order offsets -- what is in
> the patch series. Now a BPF program can reliably index into the low
> bits of an argument and into the high bits without endianness changing
> the filter program structure.
>
> I don't feel strongly about any given data layout, and this one seems
> to balance the 32-bit-ness of BPF and the impact that has on
> endianness. I'm happy to hear alternatives that might be more
> aesthetically pleasing :)
>
I would have to say I think native endian is probably the sane thing
still, out of several bad alternatives. Certainly splitting the high
and low halves of arguments is insane.
The other thing that you really need in addition to system call number
is ABI identifier, since a syscall number may mean different things for
different entry points. For example, on x86-64 system call number 4 is
write() if called via int $0x80 but stat() if called via syscall64.
This is a local property of the system call, not a global per process.
-hpa
next prev parent reply other threads:[~2012-02-16 21:17 UTC|newest]
Thread overview: 98+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-16 20:02 [PATCH v8 1/8] sk_run_filter: add support for custom load_pointer Will Drewry
2012-02-16 20:02 ` [PATCH v8 2/8] seccomp: kill the seccomp_t typedef Will Drewry
2012-02-20 2:55 ` James Morris
2012-02-16 20:02 ` [PATCH v8 3/8] seccomp: add system call filtering using BPF Will Drewry
2012-02-16 20:06 ` H. Peter Anvin
2012-02-16 20:25 ` [kernel-hardening] " Will Drewry
2012-02-16 20:25 ` Will Drewry
2012-02-16 21:17 ` H. Peter Anvin [this message]
2012-02-16 21:17 ` H. Peter Anvin
2012-02-16 21:28 ` [kernel-hardening] " Markus Gutschke
2012-02-16 21:28 ` Markus Gutschke
2012-02-16 21:34 ` [kernel-hardening] " H. Peter Anvin
2012-02-16 21:34 ` H. Peter Anvin
2012-02-16 21:51 ` [kernel-hardening] " Will Drewry
2012-02-16 21:51 ` Will Drewry
2012-02-16 22:06 ` [kernel-hardening] " H. Peter Anvin
2012-02-16 22:06 ` H. Peter Anvin
2012-02-16 23:00 ` [kernel-hardening] " Will Drewry
2012-02-16 23:00 ` Will Drewry
2012-02-17 0:23 ` [kernel-hardening] " Andrew Lutomirski
2012-02-17 0:23 ` Andrew Lutomirski
2012-02-17 0:43 ` [kernel-hardening] " H. Peter Anvin
2012-02-17 0:43 ` H. Peter Anvin
2012-02-17 0:50 ` [kernel-hardening] " Eric Paris
2012-02-17 0:50 ` Eric Paris
2012-02-17 2:24 ` [kernel-hardening] " H. Peter Anvin
2012-02-17 2:24 ` H. Peter Anvin
2012-02-17 3:53 ` [kernel-hardening] " Will Drewry
2012-02-17 3:53 ` Will Drewry
2012-02-17 4:12 ` [kernel-hardening] " H. Peter Anvin
2012-02-17 4:12 ` H. Peter Anvin
2012-02-17 4:26 ` [kernel-hardening] " Will Drewry
2012-02-17 4:26 ` Will Drewry
2012-02-17 4:32 ` [kernel-hardening] " H. Peter Anvin
2012-02-17 4:32 ` H. Peter Anvin
2012-02-17 4:40 ` [kernel-hardening] " Will Drewry
2012-02-17 4:40 ` Will Drewry
2012-02-16 21:31 ` [kernel-hardening] " Will Drewry
2012-02-16 21:31 ` Will Drewry
2012-02-17 0:48 ` [kernel-hardening] " Indan Zupancic
2012-02-17 0:48 ` Indan Zupancic
2012-02-17 0:51 ` [kernel-hardening] " Andrew Lutomirski
2012-02-17 0:51 ` Andrew Lutomirski
2012-02-17 1:10 ` [kernel-hardening] " H. Peter Anvin
2012-02-17 1:10 ` H. Peter Anvin
2012-02-17 1:25 ` [kernel-hardening] " Indan Zupancic
2012-02-17 1:25 ` Indan Zupancic
2012-02-17 1:33 ` [kernel-hardening] " H. Peter Anvin
2012-02-17 1:33 ` H. Peter Anvin
2012-02-17 2:00 ` [kernel-hardening] " Indan Zupancic
2012-02-17 2:00 ` Indan Zupancic
2012-02-17 2:16 ` [kernel-hardening] " Andrew Lutomirski
2012-02-17 2:16 ` Andrew Lutomirski
2012-02-17 2:22 ` [kernel-hardening] " H. Peter Anvin
2012-02-17 2:22 ` H. Peter Anvin
2012-02-17 3:27 ` [kernel-hardening] " Indan Zupancic
2012-02-17 3:27 ` Indan Zupancic
2012-02-17 4:09 ` [kernel-hardening] " H. Peter Anvin
2012-02-17 4:09 ` H. Peter Anvin
2012-02-17 4:51 ` [kernel-hardening] " Indan Zupancic
2012-02-17 4:51 ` Indan Zupancic
2012-02-17 2:44 ` [kernel-hardening] " Indan Zupancic
2012-02-17 2:44 ` Indan Zupancic
2012-02-17 2:44 ` Indan Zupancic
2012-02-17 2:44 ` Indan Zupancic
2012-02-17 3:38 ` [kernel-hardening] " Will Drewry
2012-02-16 20:02 ` [PATCH v8 4/8] seccomp: add SECCOMP_RET_ERRNO Will Drewry
2012-02-16 20:02 ` [PATCH v8 5/8] seccomp: Add SECCOMP_RET_TRAP Will Drewry
[not found] ` <CAE6n16mCrJC=Sre+PT1H_VfSjW0MGyi0xtEcdcRvGMvvwXWzmA@mail.gmail.com>
2012-02-16 20:28 ` Markus Gutschke
2012-02-16 21:23 ` H. Peter Anvin
2012-02-16 20:42 ` [kernel-hardening] " Will Drewry
2012-02-16 20:42 ` Will Drewry
2012-02-16 21:11 ` [kernel-hardening] [PATCH v9 " Will Drewry
2012-02-16 21:11 ` Will Drewry
2012-02-16 21:11 ` [kernel-hardening] [PATCH v9 8/8] Documentation: prctl/seccomp_filter Will Drewry
2012-02-16 21:11 ` Will Drewry
2012-02-16 21:28 ` [kernel-hardening] Re: [PATCH v8 5/8] seccomp: Add SECCOMP_RET_TRAP H. Peter Anvin
2012-02-16 21:28 ` H. Peter Anvin
2012-02-16 21:33 ` [kernel-hardening] " Will Drewry
2012-02-16 21:33 ` Will Drewry
2012-02-16 20:02 ` [PATCH v8 6/8] ptrace,seccomp: Add PTRACE_SECCOMP support Will Drewry
2012-02-17 5:08 ` Indan Zupancic
2012-02-17 5:08 ` Indan Zupancic
2012-02-17 5:08 ` Indan Zupancic
2012-02-17 16:23 ` Will Drewry
2012-02-17 22:55 ` Indan Zupancic
2012-02-21 17:31 ` Will Drewry
2012-02-16 20:02 ` [PATCH v8 7/8] x86: Enable HAVE_ARCH_SECCOMP_FILTER Will Drewry
2012-02-16 20:02 ` [PATCH v8 8/8] Documentation: prctl/seccomp_filter Will Drewry
2012-02-16 20:08 ` [kernel-hardening] Re: [PATCH v8 1/8] sk_run_filter: add support for custom load_pointer Will Drewry
2012-02-16 20:08 ` Will Drewry
2012-02-17 1:54 ` Joe Perches
2012-02-17 2:22 ` Will Drewry
2012-02-17 3:04 ` Indan Zupancic
2012-02-17 3:04 ` Indan Zupancic
2012-02-17 3:04 ` Indan Zupancic
2012-02-17 4:13 ` Will Drewry
2012-02-17 5:05 ` Indan Zupancic
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F3D7250.6040504@zytor.com \
--to=hpa@zytor.com \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=corbet@lwn.net \
--cc=davem@davemloft.net \
--cc=djm@mindrot.org \
--cc=eparis@redhat.com \
--cc=eric.dumazet@gmail.com \
--cc=indan@nul.nu \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@mit.edu \
--cc=markus@chromium.org \
--cc=mcgrathr@chromium.org \
--cc=mingo@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=peterz@infradead.org \
--cc=pmoore@redhat.com \
--cc=rdunlap@xenotime.net \
--cc=scarybeasts@gmail.com \
--cc=serge.hallyn@canonical.com \
--cc=tglx@linutronix.de \
--cc=wad@chromium.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.