From: Ingo Molnar <mingo@elte.hu>
To: Will Drewry <wad@chromium.org>
Cc: linux-kernel@vger.kernel.org, kees.cook@canonical.com,
eparis@redhat.com, agl@chromium.org, jmorris@namei.org,
rostedt@goodmis.org, "Randy Dunlap" <rdunlap@xenotime.net>,
"Linus Torvalds" <torvalds@linux-foundation.org>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Tom Zanussi" <tzanussi@gmail.com>,
"Frédéric Weisbecker" <fweisbec@gmail.com>,
"Arnaldo Carvalho de Melo" <acme@redhat.com>,
"Peter Zijlstra" <a.p.zijlstra@chello.nl>,
"Thomas Gleixner" <tglx@linutronix.de>
Subject: Re: [PATCH 5/7] seccomp_filter: Document what seccomp_filter is and how it works.
Date: Thu, 28 Apr 2011 09:06:36 +0200
Message-ID: <20110428070636.GC952@elte.hu>
In-Reply-To: <1303960136-14298-4-git-send-email-wad@chromium.org>
* Will Drewry <wad@chromium.org> wrote:
> +A collection of filters may be supplied via prctl, and the current set of
> +filters is exposed in /proc/<pid>/seccomp_filter.
> +
> +For instance,
> + const char filters[] =
> + "sys_read: (fd == 1) || (fd == 2)\n"
> + "sys_write: (fd == 0)\n"
> + "sys_exit: 1\n"
> + "sys_exit_group: 1\n"
> + "on_next_syscall: 1";
> + prctl(PR_SET_SECCOMP, 2, filters);
> +
> +This will setup system call filters for read, write, and exit where reading can
> +be done only from fds 1 and 2 and writing to fd 0. The "on_next_syscall" directive tells
> +seccomp to not enforce the ruleset until after the next system call is run. This allows
> +for launchers to apply system call filters to a binary before executing it.
> +
> +Once enabled, the access may only be reduced. For example, a set of filters may be:
> +
> + sys_read: 1
> + sys_write: 1
> + sys_mmap: 1
> + sys_prctl: 1
> +
> +Then it may call the following to drop mmap access:
> + prctl(PR_SET_SECCOMP, 2, "sys_mmap: 0");
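Review bot: the worked example's fd numbers read backwards for an ordinary process, and the prose repeats the pairing: `sys_read: (fd == 1) || (fd == 2)` permits reads from stdout/stderr and `sys_write: (fd == 0)` permits writes to stdin, so a reader who copies it gets a sandbox that cannot print anything. Unless the inversion is deliberate, swap them to read from fd 0 and write to fds 1 and 2 and adjust the sentence "reading can be done only from fds 1 and 2 and writing to fd 0" to match. Three things a user needs are also missing from this text: what happens when a call fails its filter (error return to the caller, or the task is killed); that "on_next_syscall" is consumed by whatever the next system call happens to be, so a launcher must make execve the very next call after prctl or the grace is spent on something unrelated; and, under "the access may only be reduced", whether a later line that would widen access (e.g. re-enabling sys_mmap after "sys_mmap: 0") is rejected with an error or silently ignored. Minor: "filters for read, write, and exit" omits sys_exit_group, which the snippet lists, and "This will setup" should be "This will set up".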
Ok, color me thoroughly impressed - AFAICS you implemented my suggestions in:
http://lwn.net/Articles/332974/
and you made it work in practice!
We could split out the ftrace filter engine some more and make it more
independent of ftrace. It's basically an in-kernel interpreter able to run off
tracepoints.
I've Cc:-ed Linus and Andrew: are you guys opposed to such flexible, dynamic
filters conceptually? I think we should really think hard about the actual ABI
as this could easily spread to more applications than Chrome/Chromium.
Btw., i also think that such an approach is actually the sane(r) design to
implement security modules: using such filters is far more flexible than the
typical LSM approach of privileged user-space uploading various nasty objects
into kernel space and implementing silly (and limited and intrusive) hooks
there, like SELinux and the other security modules do.
This approach also has the ability to become recursive (gets inherited by child
tasks, which could add their own filters) and unprivileged - unlike LSMs.
I like this *a lot* more than any security sandboxing approach i've seen
before.
Thanks,
Ingo