From: Frederic Weisbecker <fweisbec@gmail.com>
To: Will Drewry <wad@chromium.org>
Cc: linux-kernel@vger.kernel.org, kees.cook@canonical.com,
eparis@redhat.com, agl@chromium.org, mingo@elte.hu,
jmorris@namei.org, rostedt@goodmis.org,
Ingo Molnar <mingo@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
Tejun Heo <tj@kernel.org>, Michal Marek <mmarek@suse.cz>,
Oleg Nesterov <oleg@redhat.com>,
Roland McGrath <roland@redhat.com>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Jiri Slaby <jslaby@suse.cz>, David Howells <dhowells@redhat.com>,
"Serge E. Hallyn" <serge@hallyn.com>
Subject: Re: [PATCH 3/7] seccomp_filter: Enable ftrace-based system call filtering
Date: Thu, 28 Apr 2011 18:13:07 +0200 [thread overview]
Message-ID: <20110428161304.GG1798@nowhere> (raw)
In-Reply-To: <BANLkTika4xn5SajxGbRtszqyA4R=4y8M6Q@mail.gmail.com>
On Thu, Apr 28, 2011 at 10:29:11AM -0500, Will Drewry wrote:
> On Thu, Apr 28, 2011 at 10:12 AM, Frederic Weisbecker
> <fweisbec@gmail.com> wrote:
> > Instead of having such multiline filter definition with syscall
> > names prepended, it would be nicer to make the parsing simplier.
> >
> > You could have either:
> >
> > prctl(PR_SET_SECCOMP, mode);
> > /* Works only if we are in mode 2 */
> > prctl(PR_SET_SECCOMP_FILTER, syscall_nr, filter);
>
> It'd need to be syscall_name instead of syscall_nr. Otherwise we're
> right back to where Adam's patch was 2+ years ago :) Using the event
> names from the syscalls infrastructure means the consumer of the
> interface doesn't need to be confident of the syscall number.
Is it really a problem? There are libraries that can resolve that. Of
course I can't recall their name.
>
> > or:
> > /*
> > * If mode == 2, set the filter to syscall_nr
> > * Recall this for each syscall that need a filter.
> > * If a filter was previously set on the targeted syscall,
> > * it will be overwritten.
> > */
> > prctl(PR_SET_SECCOMP, mode, syscall_nr, filter);
> >
> > One can erase a previous filter by setting the new filter "1".
> >
> > Also, instead of having a bitmap of syscall to accept. You could
> > simply set "0" as a filter to those you want to deactivate:
> >
> > prctl(PR_SET_SECCOMP, 2, 1, 0); <- deactivate the syscall_nr 1
> >
> > Hm?
>
> I like the simplicity in not needing to parse anything extra, but it
> does add the need for extra state - either a bit or a new field - to
> represent "enabled/enforcing".
And by the way I'm really puzzled about these. I don't understand
well why we need this.
As for the enable_on_next_syscall. The documentation says
it's useful if you want the filter to only apply to the
child. So if fork immediately follows, you will be able to fork
but if the child doesn't have the right to exec, it won't be able
to do so. Same for the mmap() that involves...
So I'm a bit confused about that.
But yeah if that's really needed, it looks to me better to
reduce the parsing and cut it that way:
prctl(PR_SET_SECCOMP, 2, syscall_name_or_nr, filter);
prctl(PR_SECCOMP_APPLY_FILTERS, enable_on_next_syscall?)
or something...
>
> The only way to do it without a third mode would be to take a
> blacklist model - where all syscalls are allowed by default and the
> caller has to enumerate them all and drop them. That would definitely
> not be the right approach :)
>
> If a new bit of state was added, it could be used as:
> prctl(PR_SET_SECCOMP, 2);
> prctl(PR_SET_SECCOMP, 2, "sys_read", "fd == 1"); /* add a read filter */
> prctl(PR_SET_SECCOMP, 2, "sys_write", "fd == 0"); /* add a read filter */
> ...
> prctl(PR_SET_SECCOMP, 2, "sys_read", "0"); /* clear the sys_read
> filters and block it */ (or NULL?)
> prctl(PR_SET_SECCOMP, 2, "enable"); /* Start enforcing */
> prctl(PR_SET_SECCOMP, 2, "sys_write", "0"); /* Reduce attack
> surface on the fly */
>
>
> As to the "0" filter instead of a bitmask, would it make sense to just
> cut over to an hlist now and drop the bitmask?
> It looks like perf
> uses that model, and I'd hope it wouldn't incur too much additional
> overhead. (The linked list approach now is certainly not scalable for
> a large number of filters!)
The linked list certainly doesn't scale there. But either a hlist for
everything, or a hlist + bitmap to check if the syscall is enabled,
why not. May be start with a pure hlist for any filters and if performance
issues that really matter are pinpointed, then move the "1" and "0"
implementation to a bitmap.
My guess is that doesn't really matter. If it's "1" then you can
just have an empty set of filters for the syscall and it goes ahead
quickly. If it's "0" then the app fails, which is not what I would
call a fast path.
> If that interface seems sane, I can certainly start exploring it and
> see if I hit any surprises (and put it in the next version of the
> patch :). I think it'll simplify a fair amount of the add/drop code!
Yup.
next prev parent reply other threads:[~2011-04-28 16:13 UTC|newest]
Thread overview: 75+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-04-28 3:08 [PATCH 2/7] tracing: split out syscall_trace_enter construction Will Drewry
2011-04-28 3:08 ` [PATCH 3/7] seccomp_filter: Enable ftrace-based system call filtering Will Drewry
2011-04-28 13:50 ` Steven Rostedt
2011-04-28 15:30 ` Will Drewry
2011-04-28 16:20 ` Serge E. Hallyn
2011-04-28 16:56 ` Steven Rostedt
2011-04-28 18:02 ` Will Drewry
2011-04-28 14:29 ` Frederic Weisbecker
2011-04-28 15:15 ` Will Drewry
2011-04-28 15:57 ` Frederic Weisbecker
2011-04-28 16:05 ` Will Drewry
2011-04-28 15:12 ` Frederic Weisbecker
2011-04-28 15:20 ` Frederic Weisbecker
2011-04-28 15:29 ` Will Drewry
2011-04-28 16:13 ` Frederic Weisbecker [this message]
2011-04-28 16:48 ` Will Drewry
2011-04-28 17:36 ` Frederic Weisbecker
2011-04-28 18:21 ` Will Drewry
2011-04-28 16:28 ` Steven Rostedt
2011-04-28 16:53 ` Will Drewry
2011-04-28 16:55 ` Serge E. Hallyn
2011-04-28 17:16 ` Steven Rostedt
2011-04-28 17:39 ` Serge E. Hallyn
2011-04-28 18:01 ` Will Drewry
2011-04-28 18:21 ` Steven Rostedt
2011-04-28 18:34 ` Will Drewry
2011-04-28 18:54 ` Serge E. Hallyn
2011-04-28 19:07 ` Steven Rostedt
2011-04-28 19:06 ` Steven Rostedt
2011-04-28 18:51 ` Serge E. Hallyn
2011-05-03 8:39 ` Avi Kivity
2011-04-28 3:08 ` [PATCH 4/7] seccomp_filter: add process state reporting Will Drewry
2011-04-28 3:21 ` KOSAKI Motohiro
2011-04-28 3:24 ` Will Drewry
2011-04-28 3:40 ` Al Viro
2011-04-28 3:43 ` Will Drewry
2011-04-28 22:54 ` James Morris
2011-05-02 10:08 ` Will Drewry
2011-05-12 3:04 ` [PATCH 4/5] v2 " Will Drewry
2011-04-28 3:08 ` [PATCH 5/7] seccomp_filter: Document what seccomp_filter is and how it works Will Drewry
2011-04-28 7:06 ` Ingo Molnar
2011-04-28 14:56 ` Eric Paris
2011-04-28 18:37 ` Will Drewry
2011-04-29 13:18 ` Frederic Weisbecker
2011-04-29 16:13 ` Will Drewry
2011-05-03 1:29 ` Frederic Weisbecker
2011-05-03 1:47 ` Frederic Weisbecker
2011-05-04 9:15 ` Will Drewry
2011-05-04 9:29 ` Will Drewry
2011-05-04 17:52 ` Frederic Weisbecker
2011-05-04 18:23 ` Steven Rostedt
2011-05-04 18:30 ` Frederic Weisbecker
2011-05-04 18:46 ` Steven Rostedt
2011-05-05 9:21 ` Will Drewry
2011-05-05 13:14 ` Serge E. Hallyn
2011-05-12 3:20 ` Will Drewry
2011-05-06 11:53 ` Steven Rostedt
2011-05-06 13:35 ` Eric Paris
2011-05-07 1:58 ` Will Drewry
2011-05-12 3:04 ` [PATCH 5/5] v2 " Will Drewry
2011-05-06 16:30 ` [PATCH 5/7] " Eric Paris
2011-05-07 2:11 ` Will Drewry
2011-05-04 12:16 ` Steven Rostedt
2011-05-04 15:54 ` Eric Paris
2011-05-04 16:06 ` Steven Rostedt
2011-05-04 16:22 ` Eric Paris
2011-05-04 16:39 ` Steven Rostedt
2011-05-04 18:02 ` Eric Paris
2011-05-04 17:03 ` Frederic Weisbecker
2011-05-04 17:55 ` Eric Paris
2011-04-28 17:43 ` Serge E. Hallyn
2011-04-28 15:46 ` Randy Dunlap
2011-04-28 18:23 ` Will Drewry
2011-04-28 3:08 ` [PATCH 6/7] include/linux/syscalls.h: add __ layer of macros with return types Will Drewry
2011-04-28 3:08 ` [PATCH 7/7] arch/x86: hook int returning system calls Will Drewry
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110428161304.GG1798@nowhere \
--to=fweisbec@gmail.com \
--cc=a.p.zijlstra@chello.nl \
--cc=agl@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=eparis@redhat.com \
--cc=jmorris@namei.org \
--cc=jslaby@suse.cz \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=mingo@redhat.com \
--cc=mmarek@suse.cz \
--cc=oleg@redhat.com \
--cc=roland@redhat.com \
--cc=rostedt@goodmis.org \
--cc=serge@hallyn.com \
--cc=tj@kernel.org \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox