From: Frederic Weisbecker <fweisbec@gmail.com>
To: Will Drewry <wad@chromium.org>
Cc: Eric Paris <eparis@redhat.com>, Ingo Molnar <mingo@elte.hu>,
linux-kernel@vger.kernel.org, kees.cook@canonical.com,
agl@chromium.org, jmorris@namei.org, rostedt@goodmis.org,
Randy Dunlap <rdunlap@xenotime.net>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Tom Zanussi <tzanussi@gmail.com>,
Arnaldo Carvalho de Melo <acme@redhat.com>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Thomas Gleixner <tglx@linutronix.de>
Subject: Re: [PATCH 5/7] seccomp_filter: Document what seccomp_filter is and how it works.
Date: Tue, 3 May 2011 03:29:00 +0200 [thread overview]
Message-ID: <20110503012857.GA8399@nowhere> (raw)
In-Reply-To: <BANLkTimhWZURqgAXG45=3CG-bNhv+g-Ftg@mail.gmail.com>
On Fri, Apr 29, 2011 at 11:13:44AM -0500, Will Drewry wrote:
> On Fri, Apr 29, 2011 at 8:18 AM, Frederic Weisbecker <fweisbec@gmail.com> wrote:
> > PR_SET_SECCOMP_FILTER_APPLY seems only useful if you think there
> > are other cases than enable_on_exec that would be useful for these
> > filters.
> >
> > We can think about a default enable on exec behaviour as Steve pointed
> > out.
> >
> > But I have no idea if other cases may be desirable to apply these
> > filters.
>
> I nearly have all of the changes in, but I'm still updating my tests.
> In general, I think having both on_exec and now is reasonable is
> because you can write a much tighter filter set if it is embedded in
> the application. E.g., it may load all its shared libraries, which
> you allow, then lock itself down before touching untrusted content.
Well, that makes sense.
> That said, if the default behavior is enable_on_exec, then you'd only
> call PR_SET_SECCOMP_FILTER_APPLY when you want to apply _now_. I like
> that.
It could be the default behaviour, which could be overridden with
PR_SET_SECCOMP_FILTER_APPLY. However I'm wondering about that enable_on_exec.
Say you want to accept only stdin/stdout read/write, and you blocked
mmap, open, etc... How can ld load the app and mmap all its shared libraries?
The filters are going to be applied once the interpreter is launched. This
makes me wonder now about the general usability of this and also about
the relevance in a default enable on exec behaviour here.
>
> That said, I have a general interface question :) Right now I have:
> prctl(PR_SET_SECCOMP, 2, SECCOMP_FILTER_ADD, syscall_nr, filter_string);
> prctl(PR_SET_SECCOMP, 2, SECCOMP_FILTER_DROP, syscall_nr,
> filter_string_or_NULL);
> prctl(PR_SET_SECCOMP, 2, SECCOMP_FILTER_APPLY, apply_flags);
> (I will change this to default to apply_on_exec and let FILTER_APPLY
> make it apply _now_ exclusively. :)
>
> This can easily be mapped to:
> prctl(PR_SET_SECCOMP
> PR_SET_SECOMP_FILTER_ADD
> PR_SET_SECOMP_FILTER_DROP
> PR_SET_SECOMP_FILTER_APPLY
> if that'd be preferable (to keep it all in the prctl.h world).
>
> Following along the suggestion of reducing custom parsing, it seemed
> to make a lot of sense to make add and drop actions very explicit.
> There is no guesswork so a system call filtered process will only be
> able to perform DROP operations (if prctl is allowed) to reduce the
> allowed system calls. This also allows more fine grained flexibility
> in addition to the in-kernel complexity reduction. E.g.,
> Process starts with
> __NR_read, "fd == 1"
> __NR_read, "fd == 2"
> later it can call:
> prctl(PR_SET_SECCOMP, 2, SECCOMP_FILTER_DROP, __NR_read, "fd == 2");
> to drop one of the filters without disabling "fd == 1" reading. (Or
> it could pass in NULL to drop all filters).
Hm, but then you don't let the children be able to restrict further
what you allowed before.
Say I have foo(int a, int b), and I apply these filters:
__NR_foo, "a == 1";
__NR_foo, "a == 2";
This is basically "a == 1 || a == 2".
Now I apply the filters and I fork. How can the child
(or current task after the filter is applied) restrict
further by only allowing "b == 2", such that with the
inherited parent filters we have:
"(a == 1 || a == 2) && b == 2"
So what you propose seems to me too limited. I'd rather have this:
SECCOMP_FILTER_SET = remove previous filter entirely and set a new one
SECCOMP_FILTER_GET = get the string of the current filter
The rule would be that you can only set a filter that is intersected
with the one that was previously applied.
It means that if you set filter A and you apply it. If you want to set
filter B thereafter, it must be:
A && B
OTOH, as long as you haven't applied A, you can override it as you wish.
Like you can have "A || B" instead. Or you can remove it with "1". Of course
if a previous filter was applied before A, then your new filter must be
concatenated: "previous && (A || B)".
Right? And note in this scheme you can reproduce your DROP trick. If
"A || B" is the current filter applied, then you can restrict B by
doing: "(A || B) && A".
So the role of SECCOMP_FILTER_GET is to get the string that matches
the current applied filter.
The effect of this is infinite of course. If you apply A, then apply
B then you need A && B. If later you want to apply C, then you need
A && B && C, etc...
Does that look sane?
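As an added illustration (not code from this thread or from the seccomp_filter patch series), the following Python model implements the SECCOMP_FILTER_SET / SECCOMP_FILTER_GET semantics proposed in this message: a filter set before APPLY can be freely overridden, a filter set after a previous one was applied is intersected with it, children inherit applied filters, and a syscall with no applied filter is denied. The expression evaluator, the `Task` class, the syscall name `bar` and the method names are constructed for the model; `foo`, its arguments `a` and `b`, and the filter strings come from the example above.

```python
"""Model of the SET/GET/APPLY filter scheme discussed in the thread.

Added example, not part of the patch series: filter strings use the C-like
syntax from the thread ("a == 1 || a == 2") and are evaluated over a dict of
syscall argument values. Nothing here touches the real kernel interface."""
import ast
import operator

_CMP_OPS = {
    ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
    ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge,
}


def _eval(node, args):
    """Evaluate a restricted expression tree: integer literals, argument
    names, comparisons and &&/||. Any other construct is rejected."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, args)
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in args:
            raise ValueError("unknown syscall argument %r" % node.id)
        return args[node.id]
    if isinstance(node, ast.BoolOp):
        vals = [_eval(v, args) for v in node.values]
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    if isinstance(node, ast.Compare):
        left = _eval(node.left, args)
        for op, comp in zip(node.ops, node.comparators):
            fn = _CMP_OPS.get(type(op))
            if fn is None:
                raise ValueError("unsupported comparison")
            right = _eval(comp, args)
            if not fn(left, right):
                return False
            left = right
        return True
    raise ValueError("unsupported construct %s" % type(node).__name__)


def matches(filter_string, args):
    """True if the argument values satisfy the filter; "1" allows everything."""
    py = filter_string.replace("||", " or ").replace("&&", " and ")
    return bool(_eval(ast.parse(py, mode="eval"), args))


class Task:
    """One task's filter state: per-syscall pending and applied filter strings."""

    def __init__(self):
        self.pending = {}   # syscall -> filter string, overridable until APPLY
        self.applied = {}   # syscall -> filter string, can only be narrowed

    def filter_set(self, syscall, expr):
        """SECCOMP_FILTER_SET: replace the pending filter. If one is already
        applied for this syscall, the new filter is intersected with it."""
        prev = self.applied.get(syscall)
        self.pending[syscall] = expr if prev is None else "(%s) && (%s)" % (prev, expr)

    def filter_get(self, syscall):
        """SECCOMP_FILTER_GET: the string of the currently applied filter."""
        return self.applied.get(syscall)

    def filter_apply(self):
        """SECCOMP_FILTER_APPLY: pending filters become the enforced ones."""
        self.applied.update(self.pending)
        self.pending.clear()

    def fork(self):
        """A child inherits the parent's applied filters (pending ones are not)."""
        child = Task()
        child.applied = dict(self.applied)
        return child

    def allowed(self, syscall, **args):
        """A syscall without an applied filter is denied in the filtered mode."""
        filt = self.filter_get(syscall)
        return filt is not None and matches(filt, args)


def demo():
    parent = Task()
    parent.filter_set("foo", "a == 1 || a == 2 || a == 3")
    parent.filter_set("foo", "a == 1 || a == 2")   # not yet applied: free override
    parent.filter_apply()

    child = parent.fork()                           # inherits (a == 1 || a == 2)
    child.filter_set("foo", "b == 2")               # becomes parent && (b == 2)
    child.filter_apply()

    sibling = parent.fork()
    sibling.filter_set("foo", "a == 1")             # the DROP trick: (A || B) && A
    sibling.filter_apply()

    widener = parent.fork()
    widener.filter_set("foo", "1")                  # cannot escape the inherited filter
    widener.filter_apply()

    return {
        "child_filter": child.filter_get("foo"),
        "child_a1_b2": child.allowed("foo", a=1, b=2),
        "child_a1_b1": child.allowed("foo", a=1, b=1),
        "parent_a1_b1": parent.allowed("foo", a=1, b=1),
        "sibling_a2_b2": sibling.allowed("foo", a=2, b=2),
        "widener_a3_b2": widener.allowed("foo", a=3, b=2),
        "unfiltered_bar": child.allowed("bar"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `widener` task shows the property the intersection rule is meant to guarantee: once a filter is applied, setting "1" afterwards yields "(a == 1 || a == 2) && (1)", so a filtered task or its child can narrow what it inherited but never widen it. The same evaluator also makes the growth Frederic mentions visible: each further SET after an APPLY appends another "&& (...)" to the string returned by filter_get.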