From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754890AbbIIQOG (ORCPT <rfc822;w@1wt.eu>);
	Wed, 9 Sep 2015 12:14:06 -0400
Received: from www62.your-server.de ([213.133.104.62]:46402 "EHLO
	www62.your-server.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1754519AbbIIQOC (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Wed, 9 Sep 2015 12:14:02 -0400
Message-ID: <55F05AC5.4000005@iogearbox.net>
Date: Wed, 09 Sep 2015 18:13:57 +0200
From: Daniel Borkmann <daniel@iogearbox.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Andy Lutomirski <luto@amacapital.net>,
        Tycho Andersen <tycho.andersen@canonical.com>
CC: Kees Cook <keescook@chromium.org>, Alexei Starovoitov <ast@kernel.org>,
        Will Drewry <wad@chromium.org>, Oleg Nesterov <oleg@redhat.com>,
        Pavel Emelyanov <xemul@parallels.com>,
        "Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        Network Development <netdev@vger.kernel.org>
Subject: Re: [PATCH 1/6] ebpf: add a seccomp program type
References: <1441382664-17437-1-git-send-email-tycho.andersen@canonical.com> <1441382664-17437-2-git-send-email-tycho.andersen@canonical.com> <CALCETrVhmBS+uEjYwCE=CzkXL5C+mysj=Rq=jMD3LTqbZUDD-g@mail.gmail.com>
In-Reply-To: <CALCETrVhmBS+uEjYwCE=CzkXL5C+mysj=Rq=jMD3LTqbZUDD-g@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Authenticated-Sender: daniel@iogearbox.net
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 09/04/2015 11:50 PM, Andy Lutomirski wrote:
> On Fri, Sep 4, 2015 at 9:04 AM, Tycho Andersen
[...]
>> +static const struct bpf_func_proto *
>> +seccomp_func_proto(enum bpf_func_id func_id)
>> +{
>> +       /* Right now seccomp eBPF loading doesn't support maps; seccomp filters
>> +        * are considered to be read-only after they're installed, so map fds
>> +        * probably need to be invalidated when a seccomp filter with maps is
>> +        * installed.
>> +        *
>> +        * The rest of these might be reasonable to call from seccomp, so we
>> +        * export them.
>> +        */
>> +       switch (func_id) {
>> +       case BPF_FUNC_ktime_get_ns:
>> +               return &bpf_ktime_get_ns_proto;
>> +       case BPF_FUNC_trace_printk:
>> +               return bpf_get_trace_printk_proto();
>> +       case BPF_FUNC_get_prandom_u32:
>> +               return &bpf_get_prandom_u32_proto;
>
> I don't think we should expose prandom to unprivileged userspace.
> This may be an attack vector.

Agreed, it should not be exposed for unpriv'ed users.