From: Avi Kivity <avi@redhat.com>
To: James Morris <jmorris@namei.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Kees Cook <kees.cook@canonical.com>,
Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@elte.hu>,
Peter Zijlstra <peterz@infradead.org>,
Will Drewry <wad@chromium.org>,
Steven Rostedt <rostedt@goodmis.org>,
linux-kernel@vger.kernel.org, gnatapov@redhat.com,
Chris Wright <chrisw@sous-sol.org>,
Eric Paris <eparis@redhat.com>
Subject: Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering
Date: Thu, 26 May 2011 09:08:20 +0300 [thread overview]
Message-ID: <4DDDEE54.4000409@redhat.com> (raw)
In-Reply-To: <alpine.LRH.2.00.1105261034200.29690@tundra.namei.org>
On 05/26/2011 04:19 AM, James Morris wrote:
> On Wed, 25 May 2011, Linus Torvalds wrote:
>
> > And per-system-call permissions are very dubious. What system calls
> > don't you want to succeed? That ioctl? You just made it impossible to
> > do a modern graphical application. Yet the kind of thing where we
> > would _want_ to help users is in making it easier to sandbox something
> > like the adobe flash player. But without accelerated direct rendering,
> > that's not going to fly, is it?
>
> Going back to the initial idea proposed by Will, where seccomp is simply
> extended to filter all syscalls, there is potential benefit in being able
> to limit the attack surface of the syscall API.
>
> This is not security mediation in terms of interaction between things
> (e.g. "allow A to read B"). It's a _hardening_ feature which prevents a
> process from being able to invoke potentially hundreds of syscalls is has
> no need for. It would allow us to usefully restrict some well-established
> attack modes, e.g. triggering bugs in kernel code via unneeded syscalls.
>
> This is orthogonal to access control schemes (such as SELinux), which are
> about mediating security-relevant interactions between objects.
>
> One area of possible use is KVM/Qemu, where processes now contain entire
> operating systems, and the attack surface between them is now much broader
> e.g. a local unprivileged vulnerability is now effectively a 'remote' full
> system compromise.
>
> There has been some discussion of this within the KVM project. Using the
> existing seccomp facility is problematic in that it requires significant
> reworking of Qemu to a privsep model, which would also then incur a likely
> unacceptable context switching overhead. The generalized seccomp filter
> as proposed by Will would provide a significant reduction in exposed
> syscalls and thus guest->host attack surface.
>
> I've cc'd some KVM folk for more input on how this may or may not meet
> their requirements -- Avi/Gleb, there's a background writeup here:
> http://lwn.net/Articles/442569/ . We may need a proof of concept and/or
> commitment to use this feature for it to be accepted upstream.
Indeed are were looking at sandboxing as a means to mitigate the "guest
exploits qemu, proceeds to exploit host syscall interface" scenario, and
evolved seccomp looks like the best tradeoff in terms of security gains
vs effort needed.
Eric Paris (copied) prototyped this with his own version of enhanced
seccomp and achieved pretty good results, so a proof of concept will be
quite easy to provide.
Regarding dynamic filtering, the biggest question here is how this will
interact with hotplug, which requires new files to be opened in the
sandboxed process (or SCM_RIGHTed in). Any fd-based filtering will
defeat that, so we'll need some way for a privileged monitor to adjust
filters.
--
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.
next prev parent reply other threads:[~2011-05-26 6:08 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1305563026.5456.19.camel@gandalf.stny.rr.com>
[not found] ` <20110516165249.GB10929@elte.hu>
[not found] ` <1305565422.5456.21.camel@gandalf.stny.rr.com>
[not found] ` <20110517124212.GB21441@elte.hu>
[not found] ` <1305637528.5456.723.camel@gandalf.stny.rr.com>
[not found] ` <20110517131902.GF21441@elte.hu>
[not found] ` <BANLkTikBK3-KZ10eErQ6Eex_L6Qe2aZang@mail.gmail.com>
[not found] ` <1305807728.11267.25.camel@gandalf.stny.rr.com>
[not found] ` <BANLkTiki8aQJbFkKOFC+s6xAEiuVyMM5MQ@mail.gmail.com>
[not found] ` <BANLkTim9UyYAGhg06vCFLxkYPX18cPymEQ@mail.gmail.com>
[not found] ` <20110524200815.GD27634@elte.hu>
2011-05-24 20:25 ` [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering Kees Cook
2011-05-25 19:09 ` Ingo Molnar
2011-05-25 16:40 ` Will Drewry
[not found] ` <1306254027.18455.47.camel@twins>
[not found] ` <20110524195435.GC27634@elte.hu>
[not found] ` <alpine.LFD.2.02.1105242239230.3078@ionos>
[not found] ` <20110525150153.GE29179@elte.hu>
[not found] ` <alpine.LFD.2.02.1105251836030.3078@ionos>
2011-05-25 18:01 ` Kees Cook
2011-05-25 18:42 ` Linus Torvalds
2011-05-25 19:06 ` Ingo Molnar
2011-05-25 19:54 ` Will Drewry
2011-05-25 19:11 ` Kees Cook
2011-05-25 20:01 ` Linus Torvalds
2011-05-25 20:19 ` Ingo Molnar
2011-06-09 9:00 ` Sven Anders
2011-05-26 14:37 ` Colin Walters
2011-05-26 15:03 ` Linus Torvalds
2011-05-26 15:28 ` Colin Walters
2011-05-26 16:33 ` Will Drewry
2011-05-26 16:46 ` Linus Torvalds
2011-05-26 17:02 ` Will Drewry
2011-05-26 17:04 ` Will Drewry
2011-05-26 17:17 ` Linus Torvalds
2011-05-26 17:38 ` Will Drewry
2011-05-26 18:33 ` Linus Torvalds
2011-05-26 18:47 ` Ingo Molnar
2011-05-26 19:05 ` david
2011-05-26 19:09 ` Eric Paris
2011-05-26 19:46 ` Ingo Molnar
2011-05-26 19:49 ` david
2011-05-26 18:49 ` Will Drewry
2011-06-01 3:10 ` [PATCH v3 01/13] tracing: split out filter initialization and clean up Will Drewry
2011-06-01 3:10 ` [PATCH v3 02/13] tracing: split out syscall_trace_enter construction Will Drewry
2011-06-01 7:00 ` Ingo Molnar
2011-06-01 17:15 ` Will Drewry
2011-06-02 14:29 ` Ingo Molnar
2011-06-02 15:18 ` Will Drewry
2011-06-01 3:10 ` [PATCH v3 03/13] seccomp_filters: new mode with configurable syscall filters Will Drewry
2011-06-02 17:36 ` Paul E. McKenney
2011-06-02 18:14 ` Will Drewry
2011-06-02 19:42 ` Paul E. McKenney
2011-06-02 20:28 ` Will Drewry
2011-06-02 20:46 ` Steven Rostedt
2011-06-02 21:12 ` Paul E. McKenney
2011-06-01 3:10 ` [PATCH v3 04/13] seccomp_filter: add process state reporting Will Drewry
2011-06-01 3:10 ` [PATCH v3 05/13] seccomp_filter: Document what seccomp_filter is and how it works Will Drewry
2011-06-01 21:23 ` Kees Cook
2011-06-01 23:03 ` Will Drewry
2011-06-01 3:10 ` [PATCH v3 06/13] x86: add HAVE_SECCOMP_FILTER and seccomp_execve Will Drewry
2011-06-01 3:10 ` [PATCH v3 07/13] arm: select HAVE_SECCOMP_FILTER Will Drewry
2011-06-01 3:10 ` [PATCH v3 08/13] microblaze: select HAVE_SECCOMP_FILTER and provide seccomp_execve Will Drewry
2011-06-01 5:37 ` Michal Simek
2011-06-01 3:10 ` [PATCH v3 09/13] mips: " Will Drewry
2011-06-01 3:10 ` [PATCH v3 10/13] s390: " Will Drewry
2011-06-01 3:10 ` [PATCH v3 11/13] powerpc: " Will Drewry
2011-06-01 3:10 ` [PATCH v3 12/13] sparc: " Will Drewry
2011-06-01 3:35 ` David Miller
2011-06-01 3:10 ` [PATCH v3 13/13] sh: select HAVE_SECCOMP_FILTER Will Drewry
2011-06-02 5:27 ` Paul Mundt
2011-05-26 17:38 ` [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering Valdis.Kletnieks
2011-05-26 18:08 ` Will Drewry
2011-05-26 18:22 ` Valdis.Kletnieks
2011-05-26 17:07 ` Steven Rostedt
2011-05-26 18:43 ` Casey Schaufler
2011-05-26 18:54 ` Steven Rostedt
2011-05-26 18:34 ` david
2011-05-26 18:54 ` Ingo Molnar
2011-05-26 1:19 ` James Morris
2011-05-26 6:08 ` Avi Kivity [this message]
2011-05-26 8:24 ` Ingo Molnar
2011-05-26 8:35 ` Pekka Enberg
2011-05-26 8:49 ` Avi Kivity
2011-05-26 8:57 ` Pekka Enberg
[not found] ` <20110526085939.GG29458@redhat.com>
2011-05-26 10:38 ` Ingo Molnar
2011-05-26 10:46 ` Avi Kivity
2011-05-26 10:46 ` Gleb Natapov
2011-05-26 11:11 ` Ingo Molnar
2011-05-26 9:30 ` Ingo Molnar
2011-05-26 9:48 ` Ingo Molnar
2011-05-26 11:02 ` Avi Kivity
2011-05-26 11:16 ` Ingo Molnar
2011-05-26 10:56 ` Avi Kivity
2011-05-26 11:38 ` Ingo Molnar
2011-05-26 18:06 ` Avi Kivity
2011-05-26 18:15 ` Ingo Molnar
2011-05-26 18:20 ` Avi Kivity
2011-05-26 18:36 ` Ingo Molnar
2011-05-26 18:43 ` Valdis.Kletnieks
2011-05-26 18:50 ` Ingo Molnar
2011-05-26 18:22 ` Peter Zijlstra
2011-05-26 18:38 ` Ingo Molnar
2011-05-27 0:12 ` James Morris
2011-05-29 16:51 ` Aneesh Kumar K.V
2011-05-29 17:02 ` Linus Torvalds
2011-05-29 18:23 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4DDDEE54.4000409@redhat.com \
--to=avi@redhat.com \
--cc=chrisw@sous-sol.org \
--cc=eparis@redhat.com \
--cc=gnatapov@redhat.com \
--cc=jmorris@namei.org \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=peterz@infradead.org \
--cc=rostedt@goodmis.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox