From: Neill Kapron <nkapron@google.com>
To: Maxwell Bland <mbland@motorola.com>
Cc: "linux-arm-msm@vger.kernel.org" <linux-arm-msm@vger.kernel.org>,
"Andrew Wheeler" <awheeler@motorola.com>,
"Sammy BS2 Que | 阙斌生" <quebs2@motorola.com>,
"Todd Kjos" <tkjos@google.com>,
"Viktor Martensson" <vmartensson@google.com>,
"Andy Lutomirski" <luto@amacapital.net>,
"keescook@chromium.org" <keescook@chromium.org>,
"Will Drewry" <wad@chromium.org>,
"Andy Gross" <agross@kernel.org>,
"Bjorn Andersson" <andersson@kernel.org>,
"Konrad Dybcio" <konrad.dybcio@somainline.org>,
kernel-team <kernel-team@android.com>,
maze@google.com, adelva@google.com, jeffv@google.com
Subject: Re: [RFC] Proposal: Static SECCOMP Policies
Date: Thu, 12 Sep 2024 20:57:14 +0000 [thread overview]
Message-ID: <ZuNVqvVgXLjNXS5Y@google.com> (raw)
In-Reply-To: <SEZPR03MB6786D45BE387F2B378E71A84B4642@SEZPR03MB6786.apcprd03.prod.outlook.com>
On Thu, Sep 12, 2024 at 04:02:53PM +0000, Maxwell Bland wrote:
> (Resending as plaintext for msm-kernel mailing list.
> Original message was intended for android kernel team
> though msm-kernel should be aware.)
>
> Hi Kernel Team,
>
> + Kees, Andy, and Will since their input may be valuable.
>
> It has been a while! (~9 months to be exact). This January, I sent out a small
> message on BPF code loading ("unprivileged BPF considered harmful" or something
> like that). In it, I noted new BPF programs are compiled all the time and
> thrown into the kernel. At the time, I did not know these programs were just
> compiled seccomp filter policies, loaded in as new BPF programs continuously
> through the libminijail interface as well as direct syscall. As of two days
> ago, I now know this (and now you do too, if not already).
>
> OK, yes, syscall filtering is very important, but this is creating a catch-22
> issue. For one, see step (4) under "Exploitation overview" for
> https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt.
> Second, this minor lack of caching is adding load time to more than 90
> binaries/services on the standard QCOM baseline—I'll admit, it is probably
> negligible in the grand scheme of things (a quick approximation puts the data
> operated on around 0.1188 MB). But most importantly, third, without some degree
> of provenance, I have no way of telling if someone has injected malicious code
> into the kernel, and unfortunately even knowing the correct bytes is still
> "iffy", as in order to prevent JIT spray attacks, each of these filters is
> offset by some random number of uint32_t's, making every 4-byte shift of the
> filter a "valid" codepage to be loaded at runtime.
>
> You might be thinking, "but wait, bionic's libc only defines a couple of
> restricted policies, primary and secondary for system and user apps
> respectively." I know! For the most part, apps fall into either what I presume
> is the default app/system policies, but there are lots of QCOM binaries and
> other magic programs (dolby dax) that are sending up these programs as well.
> I'm seeing more than 20 different programs for around a minute's worth of
> runtime. One example is attached at the end.
>
> So, the proposal: a "CONFIG_SECCOMMP_STATIC_POLICY" for seccomp. This
> would change the Android kernel's generic SYS_seccomp call, which takes in a
> filter with an array of BPF instructions, to instead reference an ID which
> corresponds to a fixed file on /sys/bpf/seccomp or something like that. The
> sandboxing behavior of these apps should be known at compile-time, even if
> there are multiple "permission set types" that may need to be dispatched. User
> apps should always have a single, fixed policy. This way it is possible to say
> for every code page loaded into the kernel where it came from and what it
> should look like.
>
> Unfortunately, I do not know Motorola has enough "weight" to convince QCOM to
> do the right foundational thing here, or to "define" the seccomp APIs for
> Android, so it would be good to have Google's buy in, know if there are plans
> to fix this issue, or some discussion of how to best fix the problem? If
> anything, a contact at QCOM that might be able to actually hunt down and
> document valid bytes for these policies?
>
> The end goal is simple: when we see a code page is allocated in the kernel, we
> can be sure that (1) it isn't malicious and (2) has not been modified in
> transit. I'm fine putting code where my mouth is, but right now that code
> would involve having to fingerprint the signatures loaded by Qualcomm
> components every time a new one is released, or pinging Google with a huge
> patch changing how seccomp works with no idea of what requirements QCOM may
> have on seccomp policy generation.
>
> Thoughts? Is this doable, and if not, why? I'd also love help with the code and
> adapting existing minijail code to use a new, more integrity-preserving
> interface. If I am mistaken and it is possible to grab out valid BPF policy
> code at compile time, please let me know how!
>
> Regards,
> Maxwell Bland
>
> Standard filter, (from, for example, com.google.android.gms)
> "ac00000000000000ac77000000000000bf160000000000006160040000000000b4020000b70000c01d20020000000000b4000000000000009500000000000000616000000000000055000200cb000000b40000000000ff7f95000000000000005500020019000000b40000000000ff7f950000000000000055000200ce000000b40000000000ff7f950000000000000055000200c6000000b40000000000ff7f95000000000000005500020042000000b40000000000ff7f950000000000000055000100de00000005007b000000000055000200d7000000b40000000000ff7f950000000000000055000200d8000000b40000000000ff7f950000000000000055000100e200000005008f000000000055000200a7000000b40000000000ff7f95000000000000005500020038000000b40000000000ff7f95000000000000005500020062000000b40000000000ff7f95000000000000005500020039000000b40000000000ff7f9500000000000000550002003f000000b40000000000ff7f95000000000000005500020040000000b40000000000ff7f95000000000000005500020050000000b40000000000ff7f9500000000000000550002004e000000b40000000000ff7f9500000000000000550002002c000000b40000000000ff7f95000000000000005500020043000000b40000000000ff7f9500000000000000550002001d000000b40000000000ff7f95000000000000005500020030000000b40000000000ff7f95000000000000005500020071000000b40000000000ff7f950000000000000055000200ae000000b40000000000ff7f950000000000000055000200a3000000b40000000000ff7f95000000000000005500020086000000b40000000000ff7f95000000000000005500020042000000b40000000000ff7f950000000000000055000200e9000000b40000000000ff7f9500000000000000550002003e000000b40000000000ff7f95000000000000005500020087000000b40000000000ff7f95000000000000005500020019000000b40000000000ff7f9500000000000000550002005c000000b40000000000ff7f95000000000000005500020016010000b40000000000ff7f950000000000000055000200dc000000b40000000000ff7f95000000000000005500020060000000b40000000000ff7f950000000000000055000200dd000000b40000000000ff7f95000000000000005500020078000000b40000000000ff7f9500000000000000550002005e000000b40000000000ff7f9500000000000000550002008b000000b40000000000ff7f95000000000000005500020080000000b40000000000ff7f950000000000000055000200cb000000b40000000000ff7f950000000000000055000100c600000005004c0000000000550002005d000000b40000000000ff7f950000000000000055000200ac000000b40000000000ff7f95000000000000005500020084000000b40000000000ff7f9500000000000000550002008c000000b40000000000ff7f9500000000000000550002003d000000b40000000000ff7f95000000000000005500020017000000b40000000000ff7f9500000000000000b400000000000300950000000000000005000000000000006160200000000000630afcff000000006160240000000000630af8ff00000000450003000000000061a0fcff0000000045000100040000000500010000000000050001000000000005000e000000000005000000000000006160200000000000630afcff000000006160240000000000630af8ff00000000450003000000000061a0fcff0000000045000100020000000500010000000000050001000000000005000300000000000500000000000000b40000000000030095000000000000000500000000000000b40000000000ff7f950000000000000005000000000000006160200000000000630afcff000000006160240000000000630af8ff00000000450003000000000061a0fcff0000000045000100040000000500010000000000050001000000000005000e000000000005000000000000006160200000000000630afcff000000006160240000000000630af8ff00000000450003000000000061a0fcff0000000045000100020000000500010000000000050001000000000005000300000000000500000000000000b40000000000030095000000000000000500000000000000b40000000000ff7f950000000000000005000000000000006160100000000000630afcff000000006160140000000000630af8ff00000000550002000000000061a0fcff000000001500010001000000050001000000000005000300000000000500000000000000b40000000000030095000000000000000500000000000000b40000000000ff7f9500000000000000",
> Unknown filter (from QCOM's /vendor/bin/qesdk-secmanager)
> "ac00000000000000ac77000000000000bf160000000000006160040000000000b4020000b70000c01d20020000000000b4000000000000009500000000000000616000000000000055000200cb000000b40000000000ff7f95000000000000005500020019000000b40000000000ff7f950000000000000055000200ce000000b40000000000ff7f950000000000000055000200c6000000b40000000000ff7f95000000000000005500020042000000b40000000000ff7f950000000000000055000100de00000005007e000000000055000100e2000000050098000000000055000200d7000000b40000000000ff7f950000000000000055000200a7000000b40000000000ff7f95000000000000005500020062000000b40000000000ff7f9500000000000000550002001d000000b40000000000ff7f95000000000000005500020038000000b40000000000ff7f9500000000000000550002003f000000b40000000000ff7f95000000000000005500020039000000b40000000000ff7f95000000000000005500020050000000b40000000000ff7f9500000000000000550002004e000000b40000000000ff7f9500000000000000550002004f000000b40000000000ff7f950000000000000055000200d8000000b40000000000ff7f95000000000000005500020043000000b40000000000ff7f9500000000000000550002002c000000b40000000000ff7f95000000000000005500020087000000b40000000000ff7f95000000000000005500020086000000b40000000000ff7f95000000000000005500020030000000b40000000000ff7f950000000000000055000200ae000000b40000000000ff7f95000000000000005500020016010000b40000000000ff7f95000000000000005500020019000000b40000000000ff7f95000000000000005500020042000000b40000000000ff7f950000000000000055000200dc000000b40000000000ff7f9500000000000000550002005e000000b40000000000ff7f9500000000000000550002007b000000b40000000000ff7f9500000000000000550002005d000000b40000000000ff7f950000000000000055000200ac000000b40000000000ff7f95000000000000005500020084000000b40000000000ff7f950000000000000055000200a3000000b40000000000ff7f95000000000000005500020080000000b40000000000ff7f95000000000000005500020078000000b40000000000ff7f950000000000000055000200dd000000b40000000000ff7f950000000000000055000100c600000005005800000000005500020060000000b40000000000ff7f9500000000000000550002008b000000b40000000000ff7f950000000000000055000200cb000000b40000000000ff7f95000000000000005500020071000000b40000000000ff7f95000000000000005500020040000000b40000000000ff7f9500000000000000550002003b000000b40000000000ff7f950000000000000055000200e9000000b40000000000ff7f950000000000000055000200b2000000b40000000000ff7f9500000000000000550002008c000000b40000000000ff7f950000000000000055000200d8000000b40000000000ff7f9500000000000000b400000000000300950000000000000005000000000000006160200000000000630afcff000000006160240000000000630af8ff00000000450003000000000061a0fcff0000000045000100040000000500010000000000050001000000000005000e000000000005000000000000006160200000000000630afcff000000006160240000000000630af8ff00000000450003000000000061a0fcff0000000045000100020000000500010000000000050001000000000005000300000000000500000000000000b40000000000030095000000000000000500000000000000b40000000000ff7f950000000000000005000000000000006160200000000000630afcff000000006160240000000000630af8ff00000000450003000000000061a0fcff0000000045000100040000000500010000000000050001000000000005000e000000000005000000000000006160200000000000630afcff000000006160240000000000630af8ff00000000450003000000000061a0fcff0000000045000100020000000500010000000000050001000000000005000300000000000500000000000000b40000000000030095000000000000000500000000000000b40000000000ff7f950000000000000005000000000000006160100000000000630afcff000000006160140000000000630af8ff00000000550002000000000061a0fcff000000001500010001000000050001000000000005000300000000000500000000000000b40000000000030095000000000000000500000000000000b40000000000ff7f9500000000000000",
>
> List of services loading seccomp filters pulled from one run of the phone:
> com.google.android.deskclock
> /vendor/bin/qesdk-secmanager
> media.hwcodec/vendor.qti.media.c2@1.0-service
> media.audio.qc.codec.qti.media.c2audio@1.0-service
> /vendor/bin/vendor.qti.qspmhal-service
> /vendor/bin/qsap_sensors
> media.extractoraextractor
> /system_ext/bin/perfservice
> /vendor/bin/wfdhdcphalservice
> /vendor/bin/wifidisplayhalservice
> /vendor/bin/qsap_dcfd
> /vendor/bin/qms
> /vendor/bin/qsap_location
> /vendor/bin/qsap_qapeservice
> /vendor/bin/wfdvndservice
> media.swcodecoid.media.swcodec/bin/mediaswcodec
> /vendor/bin/hw/qcrilNrd
> qsap_qms_13qms16
> qsap_qms_24qms17
> /vendor/bin/ATFWD-daemon
> /vendor/bin/hw/sxrservice
> /vendor/bin/hw/qcrilNrd-c2
> system_server
> /vendor/bin/qmi_motext_hook1013170
> /vendor/bin/qmi_motext_hook1013171
> /vendor/bin/ims_rtp_daemon
> com.android.systemui
> webview_zygote
> com.dolby.daxservice
> vendor.qti.qesdk.sysservice
> org.codeaurora.ims
> com.android.se
> com.android.phone
> com.qti.qcc
> com.google.android.ext.services
> com.google.android.gms
> com.google.android.euicc
> com.google.android.googlequicksearchbox:interactor
> com.google.android.apps.messaging:rcs
> com.android.nfc
> com.qualcomm.qti.workloadclassifier
> com.qualcomm.location
> com.google.android.gms.unstable
> com.thundercomm.ar.core
> com.android.vending:background
> com.android.vending:quick_launch
> com.android.dynsystem
> com.android.managedprovisioning
> com.android.shell
+ Jeff, Alistair, and Maciej
Maxwell,
Thanks for the details on this, I have added several people who may be
better suited to comment on this.
Neill
next prev parent reply other threads:[~2024-09-12 20:57 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-12 16:02 [RFC] Proposal: Static SECCOMP Policies Maxwell Bland
2024-09-12 20:57 ` Neill Kapron [this message]
2024-09-12 21:39 ` Maciej Żenczykowski
2024-09-13 17:07 ` [External] " Maxwell Bland
2024-09-13 17:12 ` Maxwell Bland
2024-09-13 17:30 ` Maxwell Bland
2024-09-14 4:18 ` Andy Lutomirski
2024-09-17 15:08 ` Maxwell Bland
2024-09-25 18:16 ` Andy Lutomirski
2024-09-25 19:52 ` Maciej Żenczykowski
2024-09-25 19:53 ` Maciej Żenczykowski
2024-09-30 11:22 ` Sebastian Ene
2024-09-30 18:43 ` Maxwell Bland
2024-09-30 23:35 ` Maciej Żenczykowski
2024-09-30 23:41 ` Maciej Żenczykowski
2024-10-01 16:34 ` Maxwell Bland
2024-09-13 18:17 ` Maxwell Bland
2024-09-13 21:16 ` [External] " Maciej Żenczykowski
2024-09-16 22:17 ` Maxwell Bland
2024-09-16 22:50 ` Maciej Żenczykowski
2024-09-17 15:15 ` Maxwell Bland
2024-09-18 19:22 ` Maxwell Bland
2024-09-17 7:34 ` Kees Cook
2024-09-17 16:54 ` Maxwell Bland
2024-09-17 17:01 ` Maxwell Bland
-- strict thread matches above, loose matches on Subject: below --
2024-09-12 16:18 Maxwell Bland
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZuNVqvVgXLjNXS5Y@google.com \
--to=nkapron@google.com \
--cc=adelva@google.com \
--cc=agross@kernel.org \
--cc=andersson@kernel.org \
--cc=awheeler@motorola.com \
--cc=jeffv@google.com \
--cc=keescook@chromium.org \
--cc=kernel-team@android.com \
--cc=konrad.dybcio@somainline.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=maze@google.com \
--cc=mbland@motorola.com \
--cc=quebs2@motorola.com \
--cc=tkjos@google.com \
--cc=vmartensson@google.com \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.