* Re: [PATCH v5 0/6] seccomp: add PR_SECCOMP_EXT and SECCOMP_EXT_ACT_TSYNC [not found] ` <CALCETrXB0zp8gwpWuxXs0bgB8sQhe6JLE46BOYw3OrBx7hQYVw@mail.gmail.com> @ 2014-06-02 23:05 ` Kees Cook [not found] ` <CAGXu5jKFte0ZvqU8RYcqjWDCoegWeu66gdwX83tiL8vprcvMgQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 0 siblings, 1 reply; 4+ messages in thread From: Kees Cook @ 2014-06-02 23:05 UTC (permalink / raw) To: Andy Lutomirski, linux-api, Andrew Morton Cc: Oleg Nesterov, James Morris, Stephen Rothwell, David S. Miller, LKML, Will Drewry, Julien Tinnes, Alexei Starovoitov On Mon, Jun 2, 2014 at 2:17 PM, Andy Lutomirski <luto@amacapital.net> wrote: > On Mon, Jun 2, 2014 at 1:06 PM, Kees Cook <keescook@chromium.org> wrote: >> On Mon, Jun 2, 2014 at 12:59 PM, Andy Lutomirski <luto@amacapital.net> wrote: >>> On Mon, Jun 2, 2014 at 12:47 PM, Kees Cook <keescook@chromium.org> wrote: >>>> Hi Andrew, >>>> >>>> Would you be willing to carry this series? Andy Lutomirski appears >>>> happy with it now. (Thanks again for all the feedback Andy!) If so, it >>>> has a relatively small merge conflict with the bpf changes living in >>>> net-next. Would you prefer I rebase against net-next, let sfr handle >>>> it, get carried in net-next, or some other option? >>> >>> Well, I'm still not entirely convinced that we want to have this much >>> multiplexing in a prctl, and I'm still a bit unconvinced that the code >> >> I don't want to get caught without interface argument flexibility >> again, so that's why the prctl interface is being set up that way. > > I was thinking that a syscall might be a lot prettier. It may pay to > cc linux-api, too. > > I'll offer you a deal: if you try to come up with a nice, clean > syscall, I'll try to write a fast(er) path for x86_64 to reduce > overhead. I bet I can save 90-100ns per syscall. :) Now added to the Cc. Which path do you mean to improve? Neither the prctl nor a syscall for this would need to be fast at all. I don't want to go in circles on this. I've been there before on my VFS link hardening series, and my module restriction series. I would like consensus from more than just one person. :) I'd like to hear from other folks on this (akpm?). My instinct is to continue using prctl since that is already where mediation for seccomp happens. I don't see why prctl vs a new syscall makes a difference here, frankly. -Kees -- Kees Cook Chrome OS Security ^ permalink raw reply [flat|nested] 4+ messages in thread
[parent not found: <CAGXu5jKFte0ZvqU8RYcqjWDCoegWeu66gdwX83tiL8vprcvMgQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>]
* Re: [PATCH v5 0/6] seccomp: add PR_SECCOMP_EXT and SECCOMP_EXT_ACT_TSYNC [not found] ` <CAGXu5jKFte0ZvqU8RYcqjWDCoegWeu66gdwX83tiL8vprcvMgQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> @ 2014-06-02 23:08 ` Andy Lutomirski [not found] ` <CALCETrWLNFJbwaYKkjBi7XPLBQ2=gEGmW=G==+_9jcrLPW+JdA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 0 siblings, 1 reply; 4+ messages in thread From: Andy Lutomirski @ 2014-06-02 23:08 UTC (permalink / raw) To: Kees Cook Cc: Linux API, Andrew Morton, Oleg Nesterov, James Morris, Stephen Rothwell, David S. Miller, LKML, Will Drewry, Julien Tinnes, Alexei Starovoitov On Mon, Jun 2, 2014 at 4:05 PM, Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote: > On Mon, Jun 2, 2014 at 2:17 PM, Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> wrote: >> On Mon, Jun 2, 2014 at 1:06 PM, Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote: >>> On Mon, Jun 2, 2014 at 12:59 PM, Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> wrote: >>>> On Mon, Jun 2, 2014 at 12:47 PM, Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote: >>>>> Hi Andrew, >>>>> >>>>> Would you be willing to carry this series? Andy Lutomirski appears >>>>> happy with it now. (Thanks again for all the feedback Andy!) If so, it >>>>> has a relatively small merge conflict with the bpf changes living in >>>>> net-next. Would you prefer I rebase against net-next, let sfr handle >>>>> it, get carried in net-next, or some other option? >>>> >>>> Well, I'm still not entirely convinced that we want to have this much >>>> multiplexing in a prctl, and I'm still a bit unconvinced that the code >>> >>> I don't want to get caught without interface argument flexibility >>> again, so that's why the prctl interface is being set up that way. >> >> I was thinking that a syscall might be a lot prettier. It may pay to >> cc linux-api, too. >> >> I'll offer you a deal: if you try to come up with a nice, clean >> syscall, I'll try to write a fast(er) path for x86_64 to reduce >> overhead. I bet I can save 90-100ns per syscall. :) > > Now added to the Cc. > > Which path do you mean to improve? Neither the prctl nor a syscall for > this would need to be fast at all. Non-seccomp-related syscalls when seccomp is enabled. > > I don't want to go in circles on this. I've been there before on my > VFS link hardening series, and my module restriction series. I would > like consensus from more than just one person. :) I can't offer you anyone else's review, unfortunately :-/ > > I'd like to hear from other folks on this (akpm?). My instinct is to > continue using prctl since that is already where mediation for seccomp > happens. I don't see why prctl vs a new syscall makes a difference > here, frankly. Aesthetics? There's a tendency for people to get annoyed at big multiplexed APIs, and your patches will be doubly multiplexed. TBH, I care more about the atomicity thing than about the actual form of the API. --Andy > > -Kees > > -- > Kees Cook > Chrome OS Security -- Andy Lutomirski AMA Capital Management, LLC ^ permalink raw reply [flat|nested] 4+ messages in thread
[parent not found: <CALCETrWLNFJbwaYKkjBi7XPLBQ2=gEGmW=G==+_9jcrLPW+JdA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>]
* Re: [PATCH v5 0/6] seccomp: add PR_SECCOMP_EXT and SECCOMP_EXT_ACT_TSYNC [not found] ` <CALCETrWLNFJbwaYKkjBi7XPLBQ2=gEGmW=G==+_9jcrLPW+JdA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> @ 2014-06-03 10:12 ` Michael Kerrisk 2014-06-03 23:47 ` Julien Tinnes 0 siblings, 1 reply; 4+ messages in thread From: Michael Kerrisk @ 2014-06-03 10:12 UTC (permalink / raw) To: Andy Lutomirski Cc: Kees Cook, Linux API, Andrew Morton, Oleg Nesterov, James Morris, Stephen Rothwell, David S. Miller, LKML, Will Drewry, Julien Tinnes, Alexei Starovoitov, Michael Kerrisk-manpages [Kees, thank you for CCing linux-api] On Tue, Jun 3, 2014 at 1:08 AM, Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> wrote: > On Mon, Jun 2, 2014 at 4:05 PM, Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote: >> I'd like to hear from other folks on this (akpm?). My instinct is to >> continue using prctl since that is already where mediation for seccomp >> happens. I don't see why prctl vs a new syscall makes a difference >> here, frankly. > > Aesthetics? There's a tendency for people to get annoyed at big > multiplexed APIs, and your patches will be doubly multiplexed. prctl() is already a Franken-interface that provides a mass of different, mostly completely unrelated, functionality. So, I wonder if it would be better not to make the situation worse. Furthermore, the very fact that the existing prctl seccomp API is being extended and multiplexed suggests that other extensions might be desirable further down the line, which also hints that a separate syscall would be a good idea. (Or do we have to wait until the prctl seccomp API is extended one more time, before we realize that a new system call would have been a good idea...) > TBH, I care more about the atomicity thing than about the actual form > of the API. User-space does not necessarily thank you for that perspective, Andy ;-). The atomicity thing is presumably fixable, regardless of the API. On the other hand, APIs are things that kernel developers design once and forget about, and user-space has to live with forever. Cheers, Michael ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v5 0/6] seccomp: add PR_SECCOMP_EXT and SECCOMP_EXT_ACT_TSYNC 2014-06-03 10:12 ` Michael Kerrisk @ 2014-06-03 23:47 ` Julien Tinnes 0 siblings, 0 replies; 4+ messages in thread From: Julien Tinnes @ 2014-06-03 23:47 UTC (permalink / raw) To: Michael Kerrisk Cc: Andy Lutomirski, Kees Cook, Linux API, Andrew Morton, Oleg Nesterov, James Morris, Stephen Rothwell, David S. Miller, LKML, Will Drewry, Alexei Starovoitov On Tue, Jun 3, 2014 at 3:12 AM, Michael Kerrisk <mtk.manpages@gmail.com> wrote: > [Kees, thank you for CCing linux-api] > > On Tue, Jun 3, 2014 at 1:08 AM, Andy Lutomirski <luto@amacapital.net> wrote: >> On Mon, Jun 2, 2014 at 4:05 PM, Kees Cook <keescook@chromium.org> wrote: > >>> I'd like to hear from other folks on this (akpm?). My instinct is to >>> continue using prctl since that is already where mediation for seccomp >>> happens. I don't see why prctl vs a new syscall makes a difference >>> here, frankly. >> >> Aesthetics? There's a tendency for people to get annoyed at big >> multiplexed APIs, and your patches will be doubly multiplexed. > > prctl() is already a Franken-interface that provides a mass of > different, mostly completely unrelated, functionality. So, I wonder if > it would be better not to make the situation worse. Furthermore, the > very fact that the existing prctl seccomp API is being extended and > multiplexed suggests that other extensions might be desirable further > down the line, which also hints that a separate syscall would be a > good idea. (Or do we have to wait until the prctl seccomp API is > extended one more time, before we realize that a new system call would > have been a good idea...) > >> TBH, I care more about the atomicity thing than about the actual form >> of the API. > > User-space does not necessarily thank you for that perspective, Andy > ;-). The atomicity thing is presumably fixable, regardless of the API. > On the other hand, APIs are things that kernel developers design once > and forget about, and user-space has to live with forever. Well, maybe the history of it being a prctl() should count for something. Most likely, userland will need to test for whether or not these features are present in the kernel for years to come. With a syscall, it would now require a syscall (unlikely to be in older headers for a while, so will require using syscall(3) for a bit) as well as a call to prctl() to test for seccomp mode 2 (without thread sync) in the fallback path. It'll be a little odd. As the person who will make this work in Chromium, I do not feel strongly either way, it's a detail, so feel free to disregard this point. But I'm eagerly waiting for: - Not having to test for the presence of threads at run-time (which requires a very ugly busy loop with exponential back-off watching for /proc/self/tasks/ to drop to 1 directory entry). - Being able to engage the sandbox after third-party libraries have started threads. Julien ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2014-06-03 23:47 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <1400799936-26499-1-git-send-email-keescook@chromium.org>
[not found] ` <CAGXu5jLYPbJKCBvhVxfHEUFeCPJO-OBhRFufUSNy6o1N=LJ6UQ@mail.gmail.com>
[not found] ` <CALCETrV0ZEFipU0E64n5q44LiUV4j4Qqvnz0h_QAoddg+e7V3A@mail.gmail.com>
[not found] ` <CAGXu5j+YRW_+W8Z9S9O84ep-uUc4wQQRbtSu6_s8o5J2HLPUYg@mail.gmail.com>
[not found] ` <CALCETrXB0zp8gwpWuxXs0bgB8sQhe6JLE46BOYw3OrBx7hQYVw@mail.gmail.com>
2014-06-02 23:05 ` [PATCH v5 0/6] seccomp: add PR_SECCOMP_EXT and SECCOMP_EXT_ACT_TSYNC Kees Cook
[not found] ` <CAGXu5jKFte0ZvqU8RYcqjWDCoegWeu66gdwX83tiL8vprcvMgQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-06-02 23:08 ` Andy Lutomirski
[not found] ` <CALCETrWLNFJbwaYKkjBi7XPLBQ2=gEGmW=G==+_9jcrLPW+JdA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-06-03 10:12 ` Michael Kerrisk
2014-06-03 23:47 ` Julien Tinnes
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).