Date: Mon, 7 Sep 2020 12:15:22 +0200
From: Christian Brauner
To: Gabriel Krisman Bertazi
Cc: luto@kernel.org, tglx@linutronix.de, keescook@chromium.org, x86@kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, willy@infradead.org, linux-kselftest@vger.kernel.org, shuah@kernel.org, kernel@collabora.com
Subject: Re: [PATCH v6 6/9] kernel: entry: Support Syscall User Dispatch for common syscall entry
Message-ID: <20200907101522.zo6qzgp4qfzkz7cs@wittgenstein>
References: <20200904203147.2908430-1-krisman@collabora.com> <20200904203147.2908430-7-krisman@collabora.com>
In-Reply-To: <20200904203147.2908430-7-krisman@collabora.com>

On Fri, Sep 04, 2020 at 04:31:44PM -0400, Gabriel Krisman Bertazi wrote:
> Syscall User Dispatch (SUD) must take precedence over seccomp, since the
> use case is emulation (it can be invoked with a different ABI) such that
> seccomp filtering by syscall number doesn't make sense in the first
> place. In addition, either the syscall is dispatched back to userspace,
> in which case there is no resource for seccomp to protect, or the

Tbh, I'm torn here. I'm not a super clever attacker but it feels to me
that this is still at least a clever way to circumvent a seccomp
sandbox. If I'd be confined by a seccomp profile that would cause me to
be SIGKILLed when I try to do open() I could prctl() myself to do user
dispatch to prevent that from happening, no?

> syscall will be executed, and seccomp will execute next.
>
> Regarding ptrace, I experimented with before and after, and while the
> same ABI argument applies, I felt it was easier to debug if I let ptrace
> happen for syscalls that are dispatched back to userspace. In addition,
> doing it after ptrace makes the code in syscall_exit_work slightly
> simpler, since it doesn't require special handling for this feature.
> > Signed-off-by: Gabriel Krisman Bertazi > --- > kernel/entry/common.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/kernel/entry/common.c b/kernel/entry/common.c > index 44fd089d59da..fdb0c543539d 100644 > --- a/kernel/entry/common.c > +++ b/kernel/entry/common.c > @@ -6,6 +6,8 @@ > #include > #include > > +#include "common.h" > + > #define CREATE_TRACE_POINTS > #include > > @@ -47,6 +49,12 @@ static inline long do_syscall_intercept(struct pt_regs *regs) > int sysint_work = READ_ONCE(current->syscall_intercept); > int ret; > > + if (sysint_work & SYSINT_USER_DISPATCH) { > + ret = do_syscall_user_dispatch(regs); > + if (ret == -1L) > + return ret; > + } > + > if (sysint_work & SYSINT_SECCOMP) { > ret = __secure_computing(NULL); > if (ret == -1L) > -- > 2.28.0
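
Review bot: In do_syscall_intercept(), the new SYSINT_USER_DISPATCH block returns as soon as do_syscall_user_dispatch() yields -1L, so the SYSINT_SECCOMP block below it, and with it __secure_computing(), never runs for a dispatched syscall, yet nothing in the code records why that ordering is intended. The rationale exists only in the commit message. Please add a comment above the block stating that dispatch deliberately precedes seccomp, what a -1L return from do_syscall_user_dispatch() means for the syscall (not executed, handed back to userspace), and that every other return value falls through to the seccomp check. Since the ordering is security-relevant for tasks that have both bits set in current->syscall_intercept, it would also help to say in that comment, or in the documentation for this series, how enabling the dispatch bit interacts with an already installed seccomp filter.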