From: "Markus Gutschke (顧孟勤)" <markus@google.com>
To: Roland McGrath <roland@redhat.com>
Cc: linux-mips@linux-mips.org,
Andrew Morton <akpm@linux-foundation.org>,
x86@kernel.org, linux-kernel@vger.kernel.org,
linuxppc-dev@ozlabs.org, sparclinux@vger.kernel.org,
Ingo Molnar <mingo@elte.hu>,
Linus Torvalds <torvalds@linux-foundation.org>,
stable@kernel.org
Subject: Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole
Date: Thu, 7 May 2009 01:01:21 -0700 [thread overview]
Message-ID: <904b25810905070101u5abad0dagf8642a6950b1911@mail.gmail.com> (raw)
In-Reply-To: <20090507070312.DCC5EFC39E@magilla.sf.frob.com>
On Thu, May 7, 2009 at 00:03, Roland McGrath <roland@redhat.com> wrote:
>
> That is not a "ptrace problem" per se at all. =C2=A0It's an intrinsic pro=
blem
> with any method based on "generic" syscall interception, if the filtering
> and enforcement decisions depend on examining user memory.
Yes, this is indeed the main problem that we are aware of. It can be
avoided by suspending all threads during user memory inspection, but
that's a horrible price to pay (also: see below for an alternative
approach, that could in principle be adapted to use with ptrace)
> The only reason seccomp does not have this "reliability problem" is that
> its filtering is trivial and depends only on registers (in fact, only on
> one register, the syscall number).
Simplicity is really the beauty of seccomp. It is very easy to verify
that it does the right thing from a security point of view, because
any attempt to call unsafe system calls results in the kernel
terminating the program. This is much preferable over most ptrace
solutions which is more difficult to audit for correctness.
The downside is that the sandbox'd code needs to delegate execution of
most of its system calls to a monitor process. This is slow and rather
awkward. Although due to the magic of clone(), (almost) all system
calls can in fact be serialized, sent to the monitor process, have
their arguments safely inspected, and then executed on behalf of the
sandbox'd process. Details are tedious but we believe they are
solvable with current kernel APIs.
The other issue is performance. For system calls that are known to be
safe, we would rather not pay the penalty of redirecting them. A
kernel patch that made seccomp more efficient for these system calls
would be very welcome, and we will post such a patch for discussion
shortly.
> If you want to do checks that depend on shared or volatile state, then
> syscall interception is really not the proper mechanism for you.
We agree that syscall interception is a poor abstraction level for a
sandbox. But in the short term, we need to work with the APIs that are
available in today's kernels. And we believe that seccomp is one of
the more promising API that are currently available to us.
Markus
next prev parent reply other threads:[~2009-05-07 8:11 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20090228030226.C0D34FC3DA@magilla.sf.frob.com>
[not found] ` <20090228030413.5B915FC3DA@magilla.sf.frob.com>
[not found] ` <alpine.LFD.2.00.0902271932520.3111@localhost.localdomain>
[not found] ` <alpine.LFD.2.00.0902271948570.3111@localhost.localdomain>
2009-02-28 7:25 ` [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole Roland McGrath
2009-02-28 7:31 ` Ingo Molnar
2009-02-28 7:36 ` Roland McGrath
2009-02-28 17:23 ` Linus Torvalds
2009-02-28 17:46 ` [stable] " Greg KH
2009-02-28 17:54 ` Arjan van de Ven
2009-02-28 18:23 ` Greg KH
2009-02-28 20:27 ` Greg KH
2009-02-28 21:09 ` Benjamin Herrenschmidt
2009-03-02 1:44 ` Roland McGrath
2009-05-06 18:42 ` Markus Gutschke
2009-05-06 18:46 ` Markus Gutschke (顧孟勤)
2009-05-06 21:29 ` Ingo Molnar
2009-05-06 21:46 ` Markus Gutschke (顧孟勤)
2009-05-06 21:54 ` Ingo Molnar
2009-05-06 22:08 ` Markus Gutschke (顧孟勤)
2009-05-06 22:13 ` Ingo Molnar
2009-05-06 22:21 ` Markus Gutschke (顧孟勤)
2009-05-07 4:23 ` Nicholas Miell
2009-05-07 10:11 ` Ingo Molnar
2009-05-10 5:37 ` Pavel Machek
2009-05-08 19:18 ` Andi Kleen
2009-05-07 7:03 ` Roland McGrath
2009-05-07 8:01 ` Markus Gutschke (顧孟勤) [this message]
2009-05-07 7:30 ` Roland McGrath
2009-05-07 7:31 ` Roland McGrath
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=904b25810905070101u5abad0dagf8642a6950b1911@mail.gmail.com \
--to=markus@google.com \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mips@linux-mips.org \
--cc=linuxppc-dev@ozlabs.org \
--cc=mingo@elte.hu \
--cc=roland@redhat.com \
--cc=sparclinux@vger.kernel.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).