From: Eyal Birger <eyal.birger@gmail.com>
To: Steven Rostedt <rostedt@goodmis.org>
Cc: Andrii Nakryiko <andrii.nakryiko@gmail.com>,
Jiri Olsa <olsajiri@gmail.com>, Kees Cook <kees@kernel.org>,
luto@amacapital.net, wad@chromium.org, oleg@redhat.com,
ldv@strace.io, mhiramat@kernel.org, andrii@kernel.org,
alexei.starovoitov@gmail.com, cyphar@cyphar.com,
songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com,
peterz@infradead.org, tglx@linutronix.de, bp@alien8.de,
daniel@iogearbox.net, ast@kernel.org, rafi@rbk.io,
shmulik.ladkani@gmail.com, bpf@vger.kernel.org,
linux-api@vger.kernel.org, linux-trace-kernel@vger.kernel.org,
x86@kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH] seccomp: passthrough uretprobe systemcall without filtering
Date: Tue, 21 Jan 2025 15:13:52 -0800 [thread overview]
Message-ID: <CAHsH6GvcOjNh8VMpPs9CzyVSCOB+92zRj_3ZeDOd6APySWdm5Q@mail.gmail.com> (raw)
In-Reply-To: <20250121174620.06a0c811@gandalf.local.home>
On Tue, Jan 21, 2025 at 2:46 PM Steven Rostedt <rostedt@goodmis.org> wrote:
>
> On Tue, 21 Jan 2025 14:38:09 -0800
> Andrii Nakryiko <andrii.nakryiko@gmail.com> wrote:
>
> > You said yourself that sys_uretprobe is no different from rt_sigreturn
> > and restart_syscall, so why would we rollback sys_uretprobe if we
> > wouldn't rollback rt_sigreturn/restart_syscall? Given it's impossible,
> > generally speaking, to know if userspace is blocking the syscall (and
> > that can change dynamically and very frequently), any improvement or
> > optimization that kernel would do with the help of special syscall is
> > now prohibited, effectively. That doesn't seem wise to restrict the
> > kernel development so much just because libseccomp blocks any unknown
> > syscall by default.
>
> What happens if the system call is hit when there was no uprobe attached to
> it? Perhaps it should segfault? That is, this system call is only used when
> the kernel attaches it, if the kernel did not attach it, perhaps there's
> some malicious code that is trying to use it for some CVE corner case. But
> if it always crashes when added, the only thing the malicious code can do
> by adding this system call is to crash the application. That shouldn't be a
> problem, as if malicious code can add a system call, it can also change the
> code to crash as well.
>
> Perhaps the security folks would feel better if there were other
> protections against this system call when not used as expected?
Isn't that the case already, or maybe I misunderstood what Jiri wrote [1]:
> On Sun, Jan 19, 2025 at 2:44 AM Jiri Olsa <olsajiri@gmail.com> wrote:
> that's correct, uretprobe syscall is installed by kernel to special user
> memory map and it can be executed only from there and if process calls it
> from another place it receives sigill
Eyal.
[1] https://lore.kernel.org/lkml/Z4zXlaEMPbiYYlQ8@krava/
next prev parent reply other threads:[~2025-01-21 23:14 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-17 0:55 [PATCH] seccomp: passthrough uretprobe systemcall without filtering Eyal Birger
2025-01-17 1:39 ` Oleg Nesterov
2025-01-17 8:02 ` Masami Hiramatsu
2025-01-17 13:36 ` Eyal Birger
2025-01-17 14:09 ` Oleg Nesterov
2025-01-17 17:51 ` Andrii Nakryiko
2025-01-17 19:24 ` Eyal Birger
2025-01-17 19:34 ` Andrii Nakryiko
2025-01-18 15:05 ` Oleg Nesterov
2025-01-17 18:34 ` Dmitry V. Levin
2025-01-17 18:52 ` Eyal Birger
2025-01-18 20:21 ` Kees Cook
2025-01-18 20:31 ` Darrick J. Wong
2025-01-18 20:45 ` Eyal Birger
2025-01-19 2:24 ` Kees Cook
2025-01-19 3:39 ` Eyal Birger
2025-01-19 10:44 ` Jiri Olsa
2025-01-20 21:34 ` Kees Cook
2025-01-27 19:24 ` Eyal Birger
2025-01-27 19:33 ` Kees Cook
2025-01-27 19:39 ` Eyal Birger
2025-01-27 19:43 ` Kees Cook
2025-01-21 14:38 ` Jiri Olsa
2025-01-21 14:47 ` Eyal Birger
2025-01-21 16:16 ` Steven Rostedt
2025-01-21 16:44 ` Oleg Nesterov
2025-01-21 16:55 ` Jiri Olsa
2025-01-21 22:38 ` Andrii Nakryiko
2025-01-21 22:46 ` Steven Rostedt
2025-01-21 23:13 ` Eyal Birger [this message]
2025-01-21 23:29 ` Steven Rostedt
2025-01-19 18:36 ` Andy Lutomirski
2025-01-19 12:40 ` Oleg Nesterov
2025-01-20 21:32 ` Kees Cook
2025-01-21 15:28 ` Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHsH6GvcOjNh8VMpPs9CzyVSCOB+92zRj_3ZeDOd6APySWdm5Q@mail.gmail.com \
--to=eyal.birger@gmail.com \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii.nakryiko@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bp@alien8.de \
--cc=bpf@vger.kernel.org \
--cc=cyphar@cyphar.com \
--cc=daniel@iogearbox.net \
--cc=john.fastabend@gmail.com \
--cc=kees@kernel.org \
--cc=ldv@strace.io \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mhiramat@kernel.org \
--cc=oleg@redhat.com \
--cc=olsajiri@gmail.com \
--cc=peterz@infradead.org \
--cc=rafi@rbk.io \
--cc=rostedt@goodmis.org \
--cc=shmulik.ladkani@gmail.com \
--cc=songliubraving@fb.com \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=wad@chromium.org \
--cc=x86@kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).