From: Kees Cook <kees.cook@canonical.com>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@elte.hu>,
Peter Zijlstra <peterz@infradead.org>,
Will Drewry <wad@chromium.org>,
Steven Rostedt <rostedt@goodmis.org>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering
Date: Wed, 25 May 2011 11:01:00 -0700 [thread overview]
Message-ID: <20110525180100.GY19633@outflux.net> (raw)
In-Reply-To: <alpine.LFD.2.02.1105251836030.3078@ionos>
Hi,
On Wed, May 25, 2011 at 07:48:51PM +0200, Thomas Gleixner wrote:
> On Wed, 25 May 2011, Ingo Molnar wrote:
> > * Thomas Gleixner <tglx@linutronix.de> wrote:
> > > On Tue, 24 May 2011, Ingo Molnar wrote:
> > > > * Peter Zijlstra <peterz@infradead.org> wrote:
> > > >
> > > > > On Tue, 2011-05-24 at 10:59 -0500, Will Drewry wrote:
> > > > > > include/linux/ftrace_event.h | 4 +-
> > > > > > include/linux/perf_event.h | 10 +++++---
> > > > > > kernel/perf_event.c | 49 +++++++++++++++++++++++++++++++++++++---
> > > > > > kernel/seccomp.c | 8 ++++++
> > > > > > kernel/trace/trace_syscalls.c | 27 +++++++++++++++++-----
> > > > > > 5 files changed, 82 insertions(+), 16 deletions(-)
> > > > >
> > > > > I strongly oppose to the perf core being mixed with any sekurity voodoo
> > > > > (or any other active role for that matter).
> > > >
> > > > I'd object to invisible side-effects as well, and vehemently so. But note how
> > > > intelligently it's used here: it's explicit in the code, it's used explicitly
> > > > in kernel/seccomp.c and the event generation place in
> > > > kernel/trace/trace_syscalls.c.
> > > >
> > > > So this is a really flexible solution IMO and does not extend events with some
> > > > invisible 'active' role. It extends the *call site* with an open-coded active
> > > > role - which active role btw. already pre-existed.
> > >
> > > We do _NOT_ make any decision based on the trace point so what's the
> > > "pre-existing" active role in the syscall entry code?
> >
> > The seccomp code we are discussing in this thread.
>
> That's proposed code and has absolutely nothing to do with the
> existing trace point semantics.
>
> > > I'm all for code reuse and reuse of interfaces, but this is completely
> > > wrong. Instrumentation and security decisions are two fundamentally
> > > different things and we want them kept separate. Instrumentation is
> > > not meant to make decisions. Just because we can does not mean that it
> > > is a good idea.
> >
> > Instrumentation does not 'make decisions': the calling site, which is
> > already emitting both the event and wants to do decisions based on
> > the data that also generates the event wants to do decisions.
>
> You can repeat that as often as you want, it does not make it more
> true. Fact is that the decision is made in the middle of the perf code.
Can we just go back to the original spec? A lot of people were excited
about the prctl() API as done in Will's earlier patchset, we don't lose the
extremely useful "enable_on_exec" feature, and we can get away from all
this disagreement.
-Kees
--
Kees Cook
Ubuntu Security Team
next prev parent reply other threads:[~2011-05-25 18:01 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1305563026.5456.19.camel@gandalf.stny.rr.com>
[not found] ` <20110516165249.GB10929@elte.hu>
[not found] ` <1305565422.5456.21.camel@gandalf.stny.rr.com>
[not found] ` <20110517124212.GB21441@elte.hu>
[not found] ` <1305637528.5456.723.camel@gandalf.stny.rr.com>
[not found] ` <20110517131902.GF21441@elte.hu>
[not found] ` <BANLkTikBK3-KZ10eErQ6Eex_L6Qe2aZang@mail.gmail.com>
[not found] ` <1305807728.11267.25.camel@gandalf.stny.rr.com>
[not found] ` <BANLkTiki8aQJbFkKOFC+s6xAEiuVyMM5MQ@mail.gmail.com>
[not found] ` <BANLkTim9UyYAGhg06vCFLxkYPX18cPymEQ@mail.gmail.com>
[not found] ` <20110524200815.GD27634@elte.hu>
2011-05-24 20:25 ` [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering Kees Cook
2011-05-25 19:09 ` Ingo Molnar
2011-05-25 16:40 ` Will Drewry
[not found] ` <1306254027.18455.47.camel@twins>
[not found] ` <20110524195435.GC27634@elte.hu>
[not found] ` <alpine.LFD.2.02.1105242239230.3078@ionos>
[not found] ` <20110525150153.GE29179@elte.hu>
[not found] ` <alpine.LFD.2.02.1105251836030.3078@ionos>
2011-05-25 18:01 ` Kees Cook [this message]
2011-05-25 18:42 ` Linus Torvalds
2011-05-25 19:06 ` Ingo Molnar
2011-05-25 19:54 ` Will Drewry
2011-05-25 19:11 ` Kees Cook
2011-05-25 20:01 ` Linus Torvalds
2011-05-25 20:19 ` Ingo Molnar
2011-06-09 9:00 ` Sven Anders
2011-05-26 14:37 ` Colin Walters
2011-05-26 15:03 ` Linus Torvalds
2011-05-26 15:28 ` Colin Walters
2011-05-26 16:33 ` Will Drewry
2011-05-26 16:46 ` Linus Torvalds
2011-05-26 17:02 ` Will Drewry
2011-05-26 17:04 ` Will Drewry
2011-05-26 17:17 ` Linus Torvalds
2011-05-26 17:38 ` Will Drewry
2011-05-26 18:33 ` Linus Torvalds
2011-05-26 18:47 ` Ingo Molnar
2011-05-26 19:05 ` david
2011-05-26 19:09 ` Eric Paris
2011-05-26 19:46 ` Ingo Molnar
2011-05-26 19:49 ` david
2011-05-26 18:49 ` Will Drewry
2011-06-01 3:10 ` [PATCH v3 01/13] tracing: split out filter initialization and clean up Will Drewry
2011-06-01 3:10 ` [PATCH v3 02/13] tracing: split out syscall_trace_enter construction Will Drewry
2011-06-01 7:00 ` Ingo Molnar
2011-06-01 17:15 ` Will Drewry
2011-06-02 14:29 ` Ingo Molnar
2011-06-02 15:18 ` Will Drewry
2011-06-01 3:10 ` [PATCH v3 03/13] seccomp_filters: new mode with configurable syscall filters Will Drewry
2011-06-02 17:36 ` Paul E. McKenney
2011-06-02 18:14 ` Will Drewry
2011-06-02 19:42 ` Paul E. McKenney
2011-06-02 20:28 ` Will Drewry
2011-06-02 20:46 ` Steven Rostedt
2011-06-02 21:12 ` Paul E. McKenney
2011-06-01 3:10 ` [PATCH v3 04/13] seccomp_filter: add process state reporting Will Drewry
2011-06-01 3:10 ` [PATCH v3 05/13] seccomp_filter: Document what seccomp_filter is and how it works Will Drewry
2011-06-01 21:23 ` Kees Cook
2011-06-01 23:03 ` Will Drewry
2011-06-01 3:10 ` [PATCH v3 06/13] x86: add HAVE_SECCOMP_FILTER and seccomp_execve Will Drewry
2011-06-01 3:10 ` [PATCH v3 07/13] arm: select HAVE_SECCOMP_FILTER Will Drewry
2011-06-01 3:10 ` [PATCH v3 08/13] microblaze: select HAVE_SECCOMP_FILTER and provide seccomp_execve Will Drewry
2011-06-01 5:37 ` Michal Simek
2011-06-01 3:10 ` [PATCH v3 09/13] mips: " Will Drewry
2011-06-01 3:10 ` [PATCH v3 10/13] s390: " Will Drewry
2011-06-01 3:10 ` [PATCH v3 11/13] powerpc: " Will Drewry
2011-06-01 3:10 ` [PATCH v3 12/13] sparc: " Will Drewry
2011-06-01 3:35 ` David Miller
2011-06-01 3:10 ` [PATCH v3 13/13] sh: select HAVE_SECCOMP_FILTER Will Drewry
2011-06-02 5:27 ` Paul Mundt
2011-05-26 17:38 ` [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering Valdis.Kletnieks
2011-05-26 18:08 ` Will Drewry
2011-05-26 18:22 ` Valdis.Kletnieks
2011-05-26 17:07 ` Steven Rostedt
2011-05-26 18:43 ` Casey Schaufler
2011-05-26 18:54 ` Steven Rostedt
2011-05-26 18:34 ` david
2011-05-26 18:54 ` Ingo Molnar
2011-05-26 1:19 ` James Morris
2011-05-26 6:08 ` Avi Kivity
2011-05-26 8:24 ` Ingo Molnar
2011-05-26 8:35 ` Pekka Enberg
2011-05-26 8:49 ` Avi Kivity
2011-05-26 8:57 ` Pekka Enberg
[not found] ` <20110526085939.GG29458@redhat.com>
2011-05-26 10:38 ` Ingo Molnar
2011-05-26 10:46 ` Avi Kivity
2011-05-26 10:46 ` Gleb Natapov
2011-05-26 11:11 ` Ingo Molnar
2011-05-26 9:30 ` Ingo Molnar
2011-05-26 9:48 ` Ingo Molnar
2011-05-26 11:02 ` Avi Kivity
2011-05-26 11:16 ` Ingo Molnar
2011-05-26 10:56 ` Avi Kivity
2011-05-26 11:38 ` Ingo Molnar
2011-05-26 18:06 ` Avi Kivity
2011-05-26 18:15 ` Ingo Molnar
2011-05-26 18:20 ` Avi Kivity
2011-05-26 18:36 ` Ingo Molnar
2011-05-26 18:43 ` Valdis.Kletnieks
2011-05-26 18:50 ` Ingo Molnar
2011-05-26 18:22 ` Peter Zijlstra
2011-05-26 18:38 ` Ingo Molnar
2011-05-27 0:12 ` James Morris
2011-05-29 16:51 ` Aneesh Kumar K.V
2011-05-29 17:02 ` Linus Torvalds
2011-05-29 18:23 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110525180100.GY19633@outflux.net \
--to=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=peterz@infradead.org \
--cc=rostedt@goodmis.org \
--cc=tglx@linutronix.de \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox