Re: seccomp for 2.6.11-rc1-bk8

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Ingo Molnar <mingo@elte.hu>
To: Andrea Arcangeli <andrea@cpushare.com>
Cc: Andrew Morton <akpm@osdl.org>, linux-kernel@vger.kernel.org
Subject: Re: seccomp for 2.6.11-rc1-bk8
Date: Fri, 21 Jan 2005 13:47:01 +0100	[thread overview]
Message-ID: <20050121124701.GA5179@elte.hu> (raw)
In-Reply-To: <20050121120325.GA2934@elte.hu>


* Ingo Molnar <mingo@elte.hu> wrote:

> > This is the seccomp patch ported to 2.6.11-rc1-bk8, that I need for
> > Cpushare (until trusted computing will hit the hardware market). 
> > [...]
> 
> why do you need any kernel code for this? This seems to be a limited
> ptrace implementation: restricting untrusted userspace code to only be
> able to exec read/write/sigreturn.
> 
> So this patch, unless i'm missing something, duplicates in essence what
> ptrace can do [...]

there's one thing ptrace wont do: if the ptrace parent dies unexpectedly
and the child was 'running' (there is a small window where the child
might not be stopped and where this may happen) then the child can get
runaway. While i think this is theoretical (UML doesnt suffer from this
problem), it is simple to fix - find below a proof-of-concept patch that
introduces PTRACE_ATTACH_JAIL - ptraced children can never escape out of
such a jail. (barely tested - but you get the idea.)

	Ingo

Signed-off-by: Ingo Molnar <mingo@elte.hu>

--- kernel/ptrace.c.orig
+++ kernel/ptrace.c
@@ -49,10 +49,20 @@ void ptrace_untrace(task_t *child)
 {
 	spin_lock(&child->sighand->siglock);
 	if (child->state == TASK_TRACED) {
-		if (child->signal->flags & SIGNAL_STOP_STOPPED) {
+		/*
+		 * Child must be killed if parent dies unexpectedly:
+		 */
+		if (child->signal->flags & SIGNAL_PTRACE_ONLY) {
 			child->state = TASK_STOPPED;
-		} else {
+			spin_unlock(&child->sighand->siglock);
+			force_sig_specific(SIGKILL, child);
 			signal_wake_up(child, 1);
+		} else {
+			if (child->signal->flags & SIGNAL_STOP_STOPPED) {
+				child->state = TASK_STOPPED;
+			} else {
+				signal_wake_up(child, 1);
+			}
 		}
 	}
 	spin_unlock(&child->sighand->siglock);
@@ -117,7 +127,7 @@ int ptrace_check_attach(struct task_stru
 	return ret;
 }
 
-int ptrace_attach(struct task_struct *task)
+static int __ptrace_attach(struct task_struct *task, int jail)
 {
 	int retval;
 	task_lock(task);
@@ -154,8 +164,12 @@ int ptrace_attach(struct task_struct *ta
 
 	write_lock_irq(&tasklist_lock);
 	__ptrace_link(task, current);
+	if (jail) {
+		spin_lock(&task->sighand->siglock);
+		task->signal->flags |= SIGNAL_PTRACE_ONLY;
+		spin_unlock(&task->sighand->siglock);
+	}
 	write_unlock_irq(&tasklist_lock);
-
 	force_sig_specific(SIGSTOP, task);
 	return 0;
 
@@ -164,6 +178,16 @@ bad:
 	return retval;
 }
 
+int ptrace_attach(struct task_struct *task)
+{
+	return __ptrace_attach(task, 0);
+}
+
+int ptrace_attach_jail(struct task_struct *task)
+{
+	return __ptrace_attach(task, 1);
+}
+
 int ptrace_detach(struct task_struct *child, unsigned int data)
 {
 	if ((unsigned long) data > _NSIG)
--- arch/i386/kernel/ptrace.c.orig
+++ arch/i386/kernel/ptrace.c
@@ -388,6 +388,10 @@ asmlinkage int sys_ptrace(long request, 
 		ret = ptrace_attach(child);
 		goto out_tsk;
 	}
+	if (request == PTRACE_ATTACH_JAIL) {
+		ret = ptrace_attach_jail(child);
+		goto out_tsk;
+	}
 
 	ret = ptrace_check_attach(child, request == PTRACE_KILL);
 	if (ret < 0)
--- include/linux/ptrace.h.orig
+++ include/linux/ptrace.h
@@ -18,6 +18,7 @@
 
 #define PTRACE_ATTACH		0x10
 #define PTRACE_DETACH		0x11
+#define PTRACE_ATTACH_JAIL	0x12
 
 #define PTRACE_SYSCALL		  24
 
@@ -79,6 +80,7 @@
 extern int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst, int len);
 extern int ptrace_writedata(struct task_struct *tsk, char __user *src, unsigned long dst, int len);
 extern int ptrace_attach(struct task_struct *tsk);
+extern int ptrace_attach_jail(struct task_struct *tsk);
 extern int ptrace_detach(struct task_struct *, unsigned int);
 extern void ptrace_disable(struct task_struct *);
 extern int ptrace_check_attach(struct task_struct *task, int kill);
--- include/linux/sched.h.orig
+++ include/linux/sched.h
@@ -338,6 +338,7 @@ struct signal_struct {
 #define SIGNAL_STOP_DEQUEUED	0x00000002 /* stop signal dequeued */
 #define SIGNAL_STOP_CONTINUED	0x00000004 /* SIGCONT since WCONTINUED reap */
 #define SIGNAL_GROUP_EXIT	0x00000008 /* group exit in progress */
+#define SIGNAL_PTRACE_ONLY	0x00000010 /* kill on ptrace parent death */
 
 
 /*

next prev parent reply	other threads:[~2005-01-21 12:48 UTC|newest]

Thread overview: 34+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-01-21 10:06 seccomp for 2.6.11-rc1-bk8 Andrea Arcangeli
2005-01-21 12:03 ` Ingo Molnar
2005-01-21 12:47   ` Ingo Molnar [this message]
2005-01-21 12:55     ` Ingo Molnar
2005-01-21 21:31       ` Roland McGrath
2005-01-22  3:25         ` Andrea Arcangeli
2005-01-21 20:24     ` Andrea Arcangeli
2005-01-21 17:39   ` Chris Wright
2005-01-21 18:39     ` Rik van Riel
2005-01-21 18:50       ` Chris Wright
2005-01-21 19:55         ` Ingo Molnar
2005-01-21 20:34           ` Andrea Arcangeli
2005-01-21 20:54             ` Ingo Molnar
2005-01-22  2:51               ` Andrea Arcangeli
2005-01-22 10:32             ` Pavel Machek
2005-01-22 17:25               ` Andrea Arcangeli
2005-01-22 19:42                 ` Pavel Machek
2005-01-22 23:34                   ` Andrea Arcangeli
2005-01-23  0:07                     ` Pavel Machek
2005-01-23  0:46                       ` Andrea Arcangeli
2005-01-23  0:43                     ` Rik van Riel
2005-01-23  0:52                       ` Andrea Arcangeli
2005-01-23  4:43                         ` Valdis.Kletnieks
2005-01-23  6:11                           ` Andrea Arcangeli
2005-01-21 18:59     ` David Wagner
2005-01-21 19:17       ` Chris Wright
2005-01-23  7:34         ` David Wagner
2005-01-24 15:10           ` Daniel Jacobowitz
2005-02-15  9:25           ` Andrea Arcangeli
2005-02-25 19:01             ` David Wagner
2005-01-21 12:11 ` Pavel Machek
2005-02-15  9:32 ` seccomp for 2.6.11-rc4 Andrea Arcangeli
2005-02-16  5:25   ` Herbert Poetzl
2005-02-18  2:25     ` Andrea Arcangeli

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20050121124701.GA5179@elte.hu \
    --to=mingo@elte.hu \
    --cc=akpm@osdl.org \
    --cc=andrea@cpushare.com \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox