From: Ingo Molnar <mingo@elte.hu>
To: Will Drewry <wad@chromium.org>
Cc: linux-mips@linux-mips.org, linux-sh@vger.kernel.org,
Peter Zijlstra <peterz@infradead.org>,
Frederic Weisbecker <fweisbec@gmail.com>,
Heiko Carstens <heiko.carstens@de.ibm.com>,
Oleg Nesterov <oleg@redhat.com>,
David Howells <dhowells@redhat.com>,
Paul Mackerras <paulus@samba.org>, Eric Paris <eparis@redhat.com>,
"H. Peter Anvin" <hpa@zytor.com>,
sparclinux@vger.kernel.org, Jiri Slaby <jslaby@suse.cz>,
linux-s390@vger.kernel.org, Russell King <linux@arm.linux.org.uk>,
x86@kernel.org, jmorris@namei.org,
Linus Torvalds <torvalds@linux-foundation.org>,
Ingo Molnar <mingo@redhat.com>,
linux-arm-kernel@lists.infradead.org, kees.cook@canonical.com,
"Serge E. Hallyn" <serge@hallyn.com>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
microblaze-uclinux@itee.uq.edu.au,
Steven Rostedt <rostedt@goodmis.org>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Thomas Gleixner <tglx@linutronix.de>,
Roland McGrath <roland@redhat.com>, Michal Marek <mmarek@suse.cz>,
Michal Simek <monstr@monstr.eu>,
linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org,
Ralf Baechle <ralf@linux-mips.org>,
Paul Mundt <lethal@linux-sh.org>, Tejun Heo <tj@kernel.org>,
linux390@de.ibm.com, Andrew Morton <akpm@linux-foundation.org>,
agl@chromium.org, "David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering
Date: Thu, 12 May 2011 09:48:50 +0200 [thread overview]
Message-ID: <20110512074850.GA9937@elte.hu> (raw)
In-Reply-To: <1305169376-2363-1-git-send-email-wad@chromium.org>
Ok, i like the direction here, but i think the ABI should be done differently.
In this patch the ftrace event filter mechanism is used:
* Will Drewry <wad@chromium.org> wrote:
> +static struct seccomp_filter *alloc_seccomp_filter(int syscall_nr,
> + const char *filter_string)
> +{
> + int err = -ENOMEM;
> + struct seccomp_filter *filter = kzalloc(sizeof(struct seccomp_filter),
> + GFP_KERNEL);
> + if (!filter)
> + goto fail;
> +
> + INIT_HLIST_NODE(&filter->node);
> + filter->syscall_nr = syscall_nr;
> + filter->data = syscall_nr_to_meta(syscall_nr);
> +
> + /* Treat a filter of SECCOMP_WILDCARD_FILTER as a wildcard and skip
> + * using a predicate at all.
> + */
> + if (!strcmp(SECCOMP_WILDCARD_FILTER, filter_string))
> + goto out;
> +
> + /* Argument-based filtering only works on ftrace-hooked syscalls. */
> + if (!filter->data) {
> + err = -ENOSYS;
> + goto fail;
> + }
> +
> +#ifdef CONFIG_FTRACE_SYSCALLS
> + err = ftrace_parse_filter(&filter->event_filter,
> + filter->data->enter_event->event.type,
> + filter_string);
> + if (err)
> + goto fail;
> +#endif
> +
> +out:
> + return filter;
> +
> +fail:
> + kfree(filter);
> + return ERR_PTR(err);
> +}
Via a prctl() ABI:
> --- a/kernel/sys.c
> +++ b/kernel/sys.c
> @@ -1698,12 +1698,23 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
> case PR_SET_ENDIAN:
> error = SET_ENDIAN(me, arg2);
> break;
> -
> case PR_GET_SECCOMP:
> error = prctl_get_seccomp();
> break;
> case PR_SET_SECCOMP:
> - error = prctl_set_seccomp(arg2);
> + error = prctl_set_seccomp(arg2, arg3);
> + break;
> + case PR_SET_SECCOMP_FILTER:
> + error = prctl_set_seccomp_filter(arg2,
> + (char __user *) arg3);
> + break;
> + case PR_CLEAR_SECCOMP_FILTER:
> + error = prctl_clear_seccomp_filter(arg2);
> + break;
> + case PR_GET_SECCOMP_FILTER:
> + error = prctl_get_seccomp_filter(arg2,
> + (char __user *) arg3,
> + arg4);
To restrict execution to system calls.
Two observations:
1) We already have a specific ABI for this: you can set filters for events via
an event fd.
Why not extend that mechanism instead and improve *both* your sandboxing
bits and the events code? This new seccomp code has a lot more
to do with trace event filters than the minimal old seccomp code ...
kernel/trace/trace_event_filter.c is 2000 lines of tricky code that
interprets the ASCII filter expressions. kernel/seccomp.c is 86 lines of
mostly trivial code.
2) Why should this concept not be made available wider, to allow the
restriction of not just system calls but other security relevant components
of the kernel as well?
This too, if you approach the problem via the events code, will be a natural
end result, while if you approach it from the seccomp prctl angle it will be
a limited hack only.
Note, the end result will be the same - just using a different ABI.
So i really think the ABI itself should be closer related to the event code.
What this "seccomp" code does is that it uses specific syscall events to
restrict execution of certain event generating codepaths, such as system calls.
Thanks,
Ingo
next prev parent reply other threads:[~2011-05-12 7:50 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1304017638.18763.205.camel@gandalf.stny.rr.com>
2011-05-12 3:02 ` [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering Will Drewry
2011-05-12 7:48 ` Ingo Molnar [this message]
2011-05-12 9:24 ` Kees Cook
2011-05-12 10:49 ` Ingo Molnar
2011-05-12 11:44 ` James Morris
2011-05-12 13:01 ` Ingo Molnar
2011-05-12 16:26 ` Will Drewry
2011-05-16 12:55 ` Ingo Molnar
2011-05-16 14:42 ` Will Drewry
2011-05-13 0:18 ` James Morris
2011-05-13 12:10 ` Ingo Molnar
2011-05-13 12:19 ` Peter Zijlstra
2011-05-13 12:26 ` Ingo Molnar
2011-05-13 12:39 ` Peter Zijlstra
2011-05-13 12:43 ` Peter Zijlstra
2011-05-13 12:54 ` Ingo Molnar
2011-05-13 13:08 ` Peter Zijlstra
2011-05-13 13:18 ` Ingo Molnar
2011-05-13 13:55 ` Peter Zijlstra
2011-05-13 14:57 ` Ingo Molnar
2011-05-13 15:27 ` Peter Zijlstra
2011-05-14 7:05 ` Ingo Molnar
2011-05-16 16:23 ` Steven Rostedt
2011-05-16 16:52 ` Ingo Molnar
2011-05-16 17:03 ` Steven Rostedt
2011-05-17 12:42 ` Ingo Molnar
2011-05-17 13:05 ` Steven Rostedt
2011-05-17 13:19 ` Ingo Molnar
2011-05-19 4:07 ` Will Drewry
2011-05-19 12:22 ` Steven Rostedt
2011-05-19 21:05 ` Will Drewry
2011-05-24 15:59 ` Will Drewry
2011-05-24 16:20 ` Peter Zijlstra
2011-05-24 16:25 ` Thomas Gleixner
2011-05-24 19:00 ` Will Drewry
2011-05-24 19:54 ` Ingo Molnar
2011-05-24 20:10 ` Ingo Molnar
2011-05-25 10:35 ` Thomas Gleixner
2011-05-25 15:01 ` Ingo Molnar
2011-05-25 17:43 ` Peter Zijlstra
2011-05-29 20:17 ` Ingo Molnar
2011-05-25 17:48 ` Thomas Gleixner
2011-05-26 8:43 ` Ingo Molnar
2011-05-26 9:15 ` Ingo Molnar
2011-05-24 20:08 ` Ingo Molnar
2011-05-24 20:14 ` Steven Rostedt
2011-05-13 15:17 ` Eric Paris
2011-05-13 15:29 ` [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system callfiltering David Laight
2011-05-16 12:03 ` Ingo Molnar
2011-05-13 12:49 ` [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering Ingo Molnar
2011-05-13 13:55 ` Peter Zijlstra
2011-05-13 15:02 ` Ingo Molnar
2011-05-13 15:10 ` Eric Paris
2011-05-13 15:23 ` Peter Zijlstra
2011-05-13 15:55 ` Eric Paris
2011-05-13 16:29 ` Will Drewry
2011-05-14 7:30 ` Ingo Molnar
2011-05-14 20:57 ` Will Drewry
2011-05-16 12:43 ` Ingo Molnar
2011-05-16 15:29 ` Will Drewry
2011-05-17 12:57 ` Ingo Molnar
2011-05-16 0:36 ` James Morris
2011-05-16 15:08 ` Ingo Molnar
2011-05-17 2:24 ` James Morris
2011-05-17 13:10 ` Ingo Molnar
2011-05-17 13:29 ` James Morris
2011-05-17 18:34 ` Ingo Molnar
2011-05-26 6:27 ` Pavel Machek
2011-05-26 8:35 ` Ingo Molnar
2011-05-12 12:15 ` Frederic Weisbecker
2011-05-12 11:33 ` James Morris
2011-05-13 19:35 ` Arnd Bergmann
2011-05-14 20:58 ` Will Drewry
2011-05-15 6:42 ` Arnd Bergmann
2011-05-16 12:00 ` Ingo Molnar
2011-05-16 15:26 ` Steven Rostedt
2011-05-16 15:28 ` Will Drewry
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110512074850.GA9937@elte.hu \
--to=mingo@elte.hu \
--cc=a.p.zijlstra@chello.nl \
--cc=agl@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=eparis@redhat.com \
--cc=fweisbec@gmail.com \
--cc=heiko.carstens@de.ibm.com \
--cc=hpa@zytor.com \
--cc=jmorris@namei.org \
--cc=jslaby@suse.cz \
--cc=kees.cook@canonical.com \
--cc=lethal@linux-sh.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mips@linux-mips.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux-sh@vger.kernel.org \
--cc=linux390@de.ibm.com \
--cc=linux@arm.linux.org.uk \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=microblaze-uclinux@itee.uq.edu.au \
--cc=mingo@redhat.com \
--cc=mmarek@suse.cz \
--cc=monstr@monstr.eu \
--cc=oleg@redhat.com \
--cc=paulus@samba.org \
--cc=peterz@infradead.org \
--cc=ralf@linux-mips.org \
--cc=roland@redhat.com \
--cc=rostedt@goodmis.org \
--cc=schwidefsky@de.ibm.com \
--cc=serge@hallyn.com \
--cc=sparclinux@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=tj@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=wad@chromium.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).