From: Jiri Olsa <olsajiri@gmail.com>
To: Eyal Birger <eyal.birger@gmail.com>
Cc: Kees Cook <kees@kernel.org>,
luto@amacapital.net, wad@chromium.org, oleg@redhat.com,
ldv@strace.io, mhiramat@kernel.org, andrii@kernel.org,
alexei.starovoitov@gmail.com, olsajiri@gmail.com,
cyphar@cyphar.com, songliubraving@fb.com, yhs@fb.com,
john.fastabend@gmail.com, peterz@infradead.org,
tglx@linutronix.de, bp@alien8.de, daniel@iogearbox.net,
ast@kernel.org, andrii.nakryiko@gmail.com, rostedt@goodmis.org,
rafi@rbk.io, shmulik.ladkani@gmail.com, bpf@vger.kernel.org,
linux-api@vger.kernel.org, linux-trace-kernel@vger.kernel.org,
x86@kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH] seccomp: passthrough uretprobe systemcall without filtering
Date: Tue, 21 Jan 2025 15:38:48 +0100 [thread overview]
Message-ID: <Z4-xeFH0Mgo3llga@krava> (raw)
In-Reply-To: <CAHsH6GtpXMswVKytv7_JMGca=3wxKRUK4rZmBBxJPRh1WYdObg@mail.gmail.com>
On Sat, Jan 18, 2025 at 07:39:25PM -0800, Eyal Birger wrote:
SNIP
> I think I wasn't accurate in my wording.
> The uretprobe syscall is added to the tracee by the kernel.
> The tracer itself is merely requesting to attach a uretprobe bpf
> function. In previous versions, this was implemented by the kernel
> installing an int3 instruction, and in the new implementation the kernel
> is installing a uretprobe syscall.
> The "user" in this case - the tracer program - didn't deliberately install
> the syscall, but anyway this is semantics.
>
> I think I understand your point that it is regarded as "policy", only that
> it creates a problem in actual deployments, where in order to be able to
> run the tracer software which has been working on newer kernels a new docker
> has to be deployed.
>
> I'm trying to find a pragmatic solution to this problem, and I understand
> the motivation to avoid policy in seccomp.
>
> Alternatively, maybe this syscall implementation should be reverted?
you mentioned in the previous reply:
> > As far as I can tell libseccomp needs to provide support for this new
> > syscall and a new docker version would need to be deployed, so It's not
> > just a configuration change. Also the default policy which comes packed in
> > docker would probably need to be changed to avoid having to explicitly
> > provide a seccomp configuration for each deployment.
please disregard if this is too stupid.. but could another way out be just
to disable it (easy to do) and meanwhile teach libseccomp to allow uretprobe
(or whatever mechanism needs to be added to libseccomp) plus the needed
docker change ... to minimize the impact ?
or there's just too many other seccomp user space libraries
I'm still trying to come up with some other solution but wanted
to exhaust all the options I could think of
thanks,
jirka
next prev parent reply other threads:[~2025-01-21 14:38 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-17 0:55 [PATCH] seccomp: passthrough uretprobe systemcall without filtering Eyal Birger
2025-01-17 1:39 ` Oleg Nesterov
2025-01-17 8:02 ` Masami Hiramatsu
2025-01-17 13:36 ` Eyal Birger
2025-01-17 14:09 ` Oleg Nesterov
2025-01-17 17:51 ` Andrii Nakryiko
2025-01-17 19:24 ` Eyal Birger
2025-01-17 19:34 ` Andrii Nakryiko
2025-01-18 15:05 ` Oleg Nesterov
2025-01-17 18:34 ` Dmitry V. Levin
2025-01-17 18:52 ` Eyal Birger
2025-01-18 20:21 ` Kees Cook
2025-01-18 20:31 ` Darrick J. Wong
2025-01-18 20:45 ` Eyal Birger
2025-01-19 2:24 ` Kees Cook
2025-01-19 3:39 ` Eyal Birger
2025-01-19 10:44 ` Jiri Olsa
2025-01-20 21:34 ` Kees Cook
2025-01-27 19:24 ` Eyal Birger
2025-01-27 19:33 ` Kees Cook
2025-01-27 19:39 ` Eyal Birger
2025-01-27 19:43 ` Kees Cook
2025-01-21 14:38 ` Jiri Olsa [this message]
2025-01-21 14:47 ` Eyal Birger
2025-01-21 16:16 ` Steven Rostedt
2025-01-21 16:44 ` Oleg Nesterov
2025-01-21 16:55 ` Jiri Olsa
2025-01-21 22:38 ` Andrii Nakryiko
2025-01-21 22:46 ` Steven Rostedt
2025-01-21 23:13 ` Eyal Birger
2025-01-21 23:29 ` Steven Rostedt
2025-01-19 18:36 ` Andy Lutomirski
2025-01-19 12:40 ` Oleg Nesterov
2025-01-20 21:32 ` Kees Cook
2025-01-21 15:28 ` Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z4-xeFH0Mgo3llga@krava \
--to=olsajiri@gmail.com \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii.nakryiko@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bp@alien8.de \
--cc=bpf@vger.kernel.org \
--cc=cyphar@cyphar.com \
--cc=daniel@iogearbox.net \
--cc=eyal.birger@gmail.com \
--cc=john.fastabend@gmail.com \
--cc=kees@kernel.org \
--cc=ldv@strace.io \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mhiramat@kernel.org \
--cc=oleg@redhat.com \
--cc=peterz@infradead.org \
--cc=rafi@rbk.io \
--cc=rostedt@goodmis.org \
--cc=shmulik.ladkani@gmail.com \
--cc=songliubraving@fb.com \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=wad@chromium.org \
--cc=x86@kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).