From: Eyal Birger <eyal.birger@gmail.com>
To: Jiri Olsa <olsajiri@gmail.com>
Cc: Kees Cook <kees@kernel.org>,
luto@amacapital.net, wad@chromium.org, oleg@redhat.com,
ldv@strace.io, mhiramat@kernel.org, andrii@kernel.org,
alexei.starovoitov@gmail.com, cyphar@cyphar.com,
songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com,
peterz@infradead.org, tglx@linutronix.de, bp@alien8.de,
daniel@iogearbox.net, ast@kernel.org, andrii.nakryiko@gmail.com,
rostedt@goodmis.org, rafi@rbk.io, shmulik.ladkani@gmail.com,
bpf@vger.kernel.org, linux-api@vger.kernel.org,
linux-trace-kernel@vger.kernel.org, x86@kernel.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] seccomp: passthrough uretprobe systemcall without filtering
Date: Tue, 21 Jan 2025 06:47:35 -0800 [thread overview]
Message-ID: <CAHsH6GsXacPXiEz7amTcgBfWdiOJx2G3cAMdSdnkqOnJ+opqQg@mail.gmail.com> (raw)
In-Reply-To: <Z4-xeFH0Mgo3llga@krava>
Hi,
On Tue, Jan 21, 2025 at 6:38 AM Jiri Olsa <olsajiri@gmail.com> wrote:
>
> On Sat, Jan 18, 2025 at 07:39:25PM -0800, Eyal Birger wrote:
>
> SNIP
>
> > I think I wasn't accurate in my wording.
> > The uretprobe syscall is added to the tracee by the kernel.
> > The tracer itself is merely requesting to attach a uretprobe bpf
> > function. In previous versions, this was implemented by the kernel
> > installing an int3 instruction, and in the new implementation the kernel
> > is installing a uretprobe syscall.
> > The "user" in this case - the tracer program - didn't deliberately install
> > the syscall, but anyway this is semantics.
> >
> > I think I understand your point that it is regarded as "policy", only that
> > it creates a problem in actual deployments, where in order to be able to
> > run the tracer software which has been working on newer kernels a new docker
> > has to be deployed.
> >
> > I'm trying to find a pragmatic solution to this problem, and I understand
> > the motivation to avoid policy in seccomp.
> >
> > Alternatively, maybe this syscall implementation should be reverted?
>
> you mentioned in the previous reply:
>
> > > As far as I can tell libseccomp needs to provide support for this new
> > > syscall and a new docker version would need to be deployed, so It's not
> > > just a configuration change. Also the default policy which comes packed in
> > > docker would probably need to be changed to avoid having to explicitly
> > > provide a seccomp configuration for each deployment.
>
> please disregard if this is too stupid.. but could another way out be just
> to disable it (easy to do) and meanwhile teach libseccomp to allow uretprobe
> (or whatever mechanism needs to be added to libseccomp) plus the needed
> docker change ... to minimize the impact ?
Right. the patch I was thinking to suggest wouldn't revert the entire
thing, but instead disable its use for now and allow a careful
reconsideration of the available options.
If that makes sense, I'll post it.
>
> or there's just too many other seccomp user space libraries
I think in theory, the example of a simple binary using "restrict" mode
makes it problematic to assume that this can be fixed solely from userspace
i.e. for such binary, uretprobes would still work in one kernel version and
break on another. It's hard to tell how common this is.
>
> I'm still trying to come up with some other solution but wanted
> to exhaust all the options I could think of
>
> thanks,
> jirka
next prev parent reply other threads:[~2025-01-21 14:47 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-17 0:55 [PATCH] seccomp: passthrough uretprobe systemcall without filtering Eyal Birger
2025-01-17 1:39 ` Oleg Nesterov
2025-01-17 8:02 ` Masami Hiramatsu
2025-01-17 13:36 ` Eyal Birger
2025-01-17 14:09 ` Oleg Nesterov
2025-01-17 17:51 ` Andrii Nakryiko
2025-01-17 19:24 ` Eyal Birger
2025-01-17 19:34 ` Andrii Nakryiko
2025-01-18 15:05 ` Oleg Nesterov
2025-01-17 18:34 ` Dmitry V. Levin
2025-01-17 18:52 ` Eyal Birger
2025-01-18 20:21 ` Kees Cook
2025-01-18 20:31 ` Darrick J. Wong
2025-01-18 20:45 ` Eyal Birger
2025-01-19 2:24 ` Kees Cook
2025-01-19 3:39 ` Eyal Birger
2025-01-19 10:44 ` Jiri Olsa
2025-01-20 21:34 ` Kees Cook
2025-01-27 19:24 ` Eyal Birger
2025-01-27 19:33 ` Kees Cook
2025-01-27 19:39 ` Eyal Birger
2025-01-27 19:43 ` Kees Cook
2025-01-21 14:38 ` Jiri Olsa
2025-01-21 14:47 ` Eyal Birger [this message]
2025-01-21 16:16 ` Steven Rostedt
2025-01-21 16:44 ` Oleg Nesterov
2025-01-21 16:55 ` Jiri Olsa
2025-01-21 22:38 ` Andrii Nakryiko
2025-01-21 22:46 ` Steven Rostedt
2025-01-21 23:13 ` Eyal Birger
2025-01-21 23:29 ` Steven Rostedt
2025-01-19 18:36 ` Andy Lutomirski
2025-01-19 12:40 ` Oleg Nesterov
2025-01-20 21:32 ` Kees Cook
2025-01-21 15:28 ` Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHsH6GsXacPXiEz7amTcgBfWdiOJx2G3cAMdSdnkqOnJ+opqQg@mail.gmail.com \
--to=eyal.birger@gmail.com \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii.nakryiko@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bp@alien8.de \
--cc=bpf@vger.kernel.org \
--cc=cyphar@cyphar.com \
--cc=daniel@iogearbox.net \
--cc=john.fastabend@gmail.com \
--cc=kees@kernel.org \
--cc=ldv@strace.io \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mhiramat@kernel.org \
--cc=oleg@redhat.com \
--cc=olsajiri@gmail.com \
--cc=peterz@infradead.org \
--cc=rafi@rbk.io \
--cc=rostedt@goodmis.org \
--cc=shmulik.ladkani@gmail.com \
--cc=songliubraving@fb.com \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=wad@chromium.org \
--cc=x86@kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).