From: Daniel Borkmann <daniel@iogearbox.net>
To: Kees Cook <keescook@chromium.org>,
Tycho Andersen <tycho.andersen@canonical.com>
Cc: Oleg Nesterov <oleg@redhat.com>,
Alexei Starovoitov <ast@kernel.org>,
Will Drewry <wad@chromium.org>,
Andy Lutomirski <luto@amacapital.net>,
Pavel Emelyanov <xemul@parallels.com>,
"Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
LKML <linux-kernel@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>
Subject: Re: [PATCH v8] seccomp, ptrace: add support for dumping seccomp filters
Date: Wed, 21 Oct 2015 22:18:20 +0200 [thread overview]
Message-ID: <5627F30C.5020904@iogearbox.net> (raw)
In-Reply-To: <CAGXu5jL-LMC6SLazLE0UPcffr9cD5Z0ME4ddNjJmBKTx=dXz_A@mail.gmail.com>
On 10/21/2015 10:12 PM, Kees Cook wrote:
> On Wed, Oct 21, 2015 at 12:15 PM, Tycho Andersen
> <tycho.andersen@canonical.com> wrote:
>> Hi Oleg,
>>
>> On Wed, Oct 21, 2015 at 08:51:46PM +0200, Oleg Nesterov wrote:
>>> On 10/20, Tycho Andersen wrote:
>>>>
>>>> Hi Kees, Oleg,
>>>>
>>>> On Tue, Oct 20, 2015 at 10:20:24PM +0200, Oleg Nesterov wrote:
>>>>>
>>>>> No, you can't do copy_to_user() from atomic context. You need to pin this
>>>>> filter, drop the lock/irq, then copy_to_user().
>>>>
>>>> Attached is a patch which addresses this.
>>>
>>> Looks good to me, feel free to add my reviewed-by.
>>>
>>>
>>> a couple of questions, I am just curious...
>>>
>>>> +long seccomp_get_filter(struct task_struct *task, unsigned long filter_off,
>>>> + void __user *data)
>>>> +{
>>>> + struct seccomp_filter *filter;
>>>> + struct sock_fprog_kern *fprog;
>>>> + long ret;
>>>> + unsigned long count = 0;
>>>> +
>>>> + if (!capable(CAP_SYS_ADMIN) ||
>>>> + current->seccomp.mode != SECCOMP_MODE_DISABLED) {
>>>> + return -EACCES;
>>>> + }
>>>> +
>>>> + spin_lock_irq(&task->sighand->siglock);
>>>> + if (task->seccomp.mode != SECCOMP_MODE_FILTER) {
>>>> + ret = -EINVAL;
>>>> + goto out;
>>>> + }
>>>> +
>>>> + filter = task->seccomp.filter;
>>>> + while (filter) {
>>>> + filter = filter->prev;
>>>> + count++;
>>>> + }
>>>> +
>>>> + if (filter_off >= count) {
>>>> + ret = -ENOENT;
>>>> + goto out;
>>>> + }
>>>> + count -= filter_off;
>>>> +
>>>> + filter = task->seccomp.filter;
>>>> + while (filter && count > 1) {
>>>> + filter = filter->prev;
>>>> + count--;
>>>> + }
>>>> +
>>>> + if (WARN_ON(count != 1)) {
>>>> + /* The filter tree shouldn't shrink while we're using it. */
>>>> + ret = -ENOENT;
>>>
>>> Yes. but this looks a bit confusing. If we want this WARN_ON() check
>>> because we are paranoid, then we should do
>>>
>>> WARN_ON(count != 1 || filter);
>>
>> I guess you mean !filter here? We want filter to be non-null, because
>> we use it later.
>>
>>> And "while we're using it" look misleading, we rely on ->siglock.
>>>
>>> Plus if we could be shrinked the additional check can't help anyway,
>>> we can used the free filter. So I don't really understand this check
>>> and "filter != NULL" in the previous "while (filter && count > 1)".
>>> Nevermind...
>>
>> Just paranoia. You're right that we could get rid of WARN_ON and the
>> null check. I can send an updated patch to drop these bits if
>> necessary. Kees?
>
> I like being really paranoid when dealing with the filters. Let's keep
> the WARN_ON (with the "|| !filter" added) but maybe wrap it in
> "unlikely"?
Btw, the conditions inside the WARN_ON() macro would already resolve
to unlikely().
Best,
Daniel
next prev parent reply other threads:[~2015-10-21 20:18 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-20 19:50 v8 of seccomp filter c/r Tycho Andersen
[not found] ` <1445370612-18843-1-git-send-email-tycho.andersen-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
2015-10-20 19:50 ` [PATCH v8] seccomp, ptrace: add support for dumping seccomp filters Tycho Andersen
2015-10-20 19:50 ` Tycho Andersen
[not found] ` <1445370612-18843-2-git-send-email-tycho.andersen-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
2015-10-20 20:20 ` Oleg Nesterov
2015-10-20 20:20 ` Oleg Nesterov
2015-10-20 20:26 ` Kees Cook
2015-10-20 20:37 ` Tycho Andersen
2015-10-20 22:08 ` Tycho Andersen
2015-10-21 18:51 ` Oleg Nesterov
2015-10-21 18:51 ` Oleg Nesterov
2015-10-21 19:15 ` Tycho Andersen
2015-10-21 20:12 ` Kees Cook
2015-10-21 20:12 ` Kees Cook
2015-10-21 20:18 ` Daniel Borkmann [this message]
2015-10-21 20:37 ` Tycho Andersen
2015-10-21 21:07 ` Oleg Nesterov
2015-10-21 21:07 ` Oleg Nesterov
2015-10-21 21:20 ` Kees Cook
2015-10-21 21:33 ` Tycho Andersen
2015-10-25 15:39 ` Oleg Nesterov
2015-10-25 15:39 ` Oleg Nesterov
2015-10-26 6:46 ` Kees Cook
[not found] ` <CAGXu5jLH++bDe-yf=jVxSxqO0FFLtpGnme9TFp2s-uPSZ4jbSg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-10-26 7:07 ` Kees Cook
2015-10-26 7:07 ` Kees Cook
2015-10-27 0:04 ` Tycho Andersen
2015-10-27 0:17 ` Daniel Borkmann
2015-10-27 0:17 ` Daniel Borkmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5627F30C.5020904@iogearbox.net \
--to=daniel@iogearbox.net \
--cc=ast@kernel.org \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=oleg@redhat.com \
--cc=serge.hallyn@ubuntu.com \
--cc=tycho.andersen@canonical.com \
--cc=wad@chromium.org \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.