From: Ingo Molnar <mingo@elte.hu>
To: Will Drewry <wad@chromium.org>
Cc: linux-kernel@vger.kernel.org, kees.cook@canonical.com,
torvalds@linux-foundation.org, tglx@linutronix.de,
rostedt@goodmis.org, jmorris@namei.org,
Frederic Weisbecker <fweisbec@gmail.com>,
Ingo Molnar <mingo@redhat.com>
Subject: Re: [PATCH v3 02/13] tracing: split out syscall_trace_enter construction
Date: Thu, 2 Jun 2011 16:29:16 +0200 [thread overview]
Message-ID: <20110602142916.GA18325@elte.hu> (raw)
In-Reply-To: <BANLkTimWvddKkVQA1qOc6KhxPUj8j2dWQg@mail.gmail.com>
* Will Drewry <wad@chromium.org> wrote:
> > If you agree with my observation that filters allow the clean
> > user-space implementation of LSM equivalent security solutions
> > (of which sandboxes are just a *narrow special case*) then please
> > use the main highlevel abstraction we have defined around them:
> > event filters.
>
> I agree that LSM-equivalent security solutions can be moved over to
> an ftrace based infrastructure. However, LSMs and seccomp have
> different semantics. Reducing the kernel attack surface in a
> "sandboxing"-sort-of-way requires a default-deny interface that is
> resilient to kernel changes (like new system calls) without
> immediately degrading robustness. [...]
Correct. Because seccomp is the user of those syscall-surface events
it can use them in such a way - i see no problem there: unknown or
not permitted syscalls get denied for seccomp-mode-2 tasks.
> [...] LSMs provide a fail-open mechanism for taking an active role
> in kernel-defined pinch points. It is possible to implement a
> default-deny LSM, but it requires a "hook" for every security event
> and the addition of a security event results in a hole in the
> not-so-default-deny infrastructure. ftrace + event filters are the
> same.
Well, i only suggested that it's LSM-equivalent security
functionality, i did not suggest that you should implement an LSM in
security/. I do not think the LSM modularization is particularly well
fit for seccomp.
> Based on my observations while exploring the code, it appears that
> the LSM security_* calls could easily become active trace events
> and the LSM infrastructure moved over to use those as tracepoints
> or via event_filters. There will be a need for new predicates for
> the various new types (inode *, etc), and so on. However, the
> trace_sys_enter/__secure_computing model will still be a special
> case.
Yes, and that special event will not go away!
I did not suggest to *replace* those events with the security events.
I suggested to *combine* them - or at least have a model that
smoothly extends to those events as well and does not limit itself to
the syscall surface alone.
We'll want to have both.
But by hardcoding to only those events, and creating a
syscall-numbering special ABI, a wall will be risen between this
implementation and any future enhancement to cover other events. My
suggestion would be to use the event filter approach - that way
there's not a wall but an open door towards future extensions ;-)
Thanks,
Ingo
next prev parent reply other threads:[~2011-06-02 14:29 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1305563026.5456.19.camel@gandalf.stny.rr.com>
[not found] ` <20110516165249.GB10929@elte.hu>
[not found] ` <1305565422.5456.21.camel@gandalf.stny.rr.com>
[not found] ` <20110517124212.GB21441@elte.hu>
[not found] ` <1305637528.5456.723.camel@gandalf.stny.rr.com>
[not found] ` <20110517131902.GF21441@elte.hu>
[not found] ` <BANLkTikBK3-KZ10eErQ6Eex_L6Qe2aZang@mail.gmail.com>
[not found] ` <1305807728.11267.25.camel@gandalf.stny.rr.com>
[not found] ` <BANLkTiki8aQJbFkKOFC+s6xAEiuVyMM5MQ@mail.gmail.com>
[not found] ` <BANLkTim9UyYAGhg06vCFLxkYPX18cPymEQ@mail.gmail.com>
[not found] ` <20110524200815.GD27634@elte.hu>
2011-05-24 20:25 ` [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering Kees Cook
2011-05-25 19:09 ` Ingo Molnar
2011-05-25 16:40 ` Will Drewry
[not found] ` <1306254027.18455.47.camel@twins>
[not found] ` <20110524195435.GC27634@elte.hu>
[not found] ` <alpine.LFD.2.02.1105242239230.3078@ionos>
[not found] ` <20110525150153.GE29179@elte.hu>
[not found] ` <alpine.LFD.2.02.1105251836030.3078@ionos>
2011-05-25 18:01 ` Kees Cook
2011-05-25 18:42 ` Linus Torvalds
2011-05-25 19:06 ` Ingo Molnar
2011-05-25 19:54 ` Will Drewry
2011-05-25 19:11 ` Kees Cook
2011-05-25 20:01 ` Linus Torvalds
2011-05-25 20:19 ` Ingo Molnar
2011-06-09 9:00 ` Sven Anders
2011-05-26 14:37 ` Colin Walters
2011-05-26 15:03 ` Linus Torvalds
2011-05-26 15:28 ` Colin Walters
2011-05-26 16:33 ` Will Drewry
2011-05-26 16:46 ` Linus Torvalds
2011-05-26 17:02 ` Will Drewry
2011-05-26 17:04 ` Will Drewry
2011-05-26 17:17 ` Linus Torvalds
2011-05-26 17:38 ` Will Drewry
2011-05-26 18:33 ` Linus Torvalds
2011-05-26 18:47 ` Ingo Molnar
2011-05-26 19:05 ` david
2011-05-26 19:09 ` Eric Paris
2011-05-26 19:46 ` Ingo Molnar
2011-05-26 19:49 ` david
2011-05-26 18:49 ` Will Drewry
2011-06-01 3:10 ` [PATCH v3 01/13] tracing: split out filter initialization and clean up Will Drewry
2011-06-01 3:10 ` [PATCH v3 02/13] tracing: split out syscall_trace_enter construction Will Drewry
2011-06-01 7:00 ` Ingo Molnar
2011-06-01 17:15 ` Will Drewry
2011-06-02 14:29 ` Ingo Molnar [this message]
2011-06-02 15:18 ` Will Drewry
2011-06-01 3:10 ` [PATCH v3 03/13] seccomp_filters: new mode with configurable syscall filters Will Drewry
2011-06-02 17:36 ` Paul E. McKenney
2011-06-02 18:14 ` Will Drewry
2011-06-02 19:42 ` Paul E. McKenney
2011-06-02 20:28 ` Will Drewry
2011-06-02 20:46 ` Steven Rostedt
2011-06-02 21:12 ` Paul E. McKenney
2011-06-01 3:10 ` [PATCH v3 04/13] seccomp_filter: add process state reporting Will Drewry
2011-06-01 3:10 ` [PATCH v3 05/13] seccomp_filter: Document what seccomp_filter is and how it works Will Drewry
2011-06-01 21:23 ` Kees Cook
2011-06-01 23:03 ` Will Drewry
2011-06-01 3:10 ` [PATCH v3 06/13] x86: add HAVE_SECCOMP_FILTER and seccomp_execve Will Drewry
2011-06-01 3:10 ` [PATCH v3 07/13] arm: select HAVE_SECCOMP_FILTER Will Drewry
2011-06-01 3:10 ` [PATCH v3 08/13] microblaze: select HAVE_SECCOMP_FILTER and provide seccomp_execve Will Drewry
2011-06-01 5:37 ` Michal Simek
2011-06-01 3:10 ` [PATCH v3 09/13] mips: " Will Drewry
2011-06-01 3:10 ` [PATCH v3 10/13] s390: " Will Drewry
2011-06-01 3:10 ` [PATCH v3 11/13] powerpc: " Will Drewry
2011-06-01 3:10 ` [PATCH v3 12/13] sparc: " Will Drewry
2011-06-01 3:35 ` David Miller
2011-06-01 3:10 ` [PATCH v3 13/13] sh: select HAVE_SECCOMP_FILTER Will Drewry
2011-06-02 5:27 ` Paul Mundt
2011-05-26 17:38 ` [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering Valdis.Kletnieks
2011-05-26 18:08 ` Will Drewry
2011-05-26 18:22 ` Valdis.Kletnieks
2011-05-26 17:07 ` Steven Rostedt
2011-05-26 18:43 ` Casey Schaufler
2011-05-26 18:54 ` Steven Rostedt
2011-05-26 18:34 ` david
2011-05-26 18:54 ` Ingo Molnar
2011-05-26 1:19 ` James Morris
2011-05-26 6:08 ` Avi Kivity
2011-05-26 8:24 ` Ingo Molnar
2011-05-26 8:35 ` Pekka Enberg
2011-05-26 8:49 ` Avi Kivity
2011-05-26 8:57 ` Pekka Enberg
[not found] ` <20110526085939.GG29458@redhat.com>
2011-05-26 10:38 ` Ingo Molnar
2011-05-26 10:46 ` Avi Kivity
2011-05-26 10:46 ` Gleb Natapov
2011-05-26 11:11 ` Ingo Molnar
2011-05-26 9:30 ` Ingo Molnar
2011-05-26 9:48 ` Ingo Molnar
2011-05-26 11:02 ` Avi Kivity
2011-05-26 11:16 ` Ingo Molnar
2011-05-26 10:56 ` Avi Kivity
2011-05-26 11:38 ` Ingo Molnar
2011-05-26 18:06 ` Avi Kivity
2011-05-26 18:15 ` Ingo Molnar
2011-05-26 18:20 ` Avi Kivity
2011-05-26 18:36 ` Ingo Molnar
2011-05-26 18:43 ` Valdis.Kletnieks
2011-05-26 18:50 ` Ingo Molnar
2011-05-26 18:22 ` Peter Zijlstra
2011-05-26 18:38 ` Ingo Molnar
2011-05-27 0:12 ` James Morris
2011-05-29 16:51 ` Aneesh Kumar K.V
2011-05-29 17:02 ` Linus Torvalds
2011-05-29 18:23 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110602142916.GA18325@elte.hu \
--to=mingo@elte.hu \
--cc=fweisbec@gmail.com \
--cc=jmorris@namei.org \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=rostedt@goodmis.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox