linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Daniel Borkmann <daniel@iogearbox.net>
To: Kees Cook <keescook@chromium.org>,
	Tycho Andersen <tycho.andersen@canonical.com>
Cc: Oleg Nesterov <oleg@redhat.com>,
	Alexei Starovoitov <ast@kernel.org>,
	Will Drewry <wad@chromium.org>,
	Andy Lutomirski <luto@amacapital.net>,
	Pavel Emelyanov <xemul@parallels.com>,
	"Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
	LKML <linux-kernel@vger.kernel.org>,
	Linux API <linux-api@vger.kernel.org>
Subject: Re: [PATCH v8] seccomp, ptrace: add support for dumping seccomp filters
Date: Wed, 21 Oct 2015 22:18:20 +0200	[thread overview]
Message-ID: <5627F30C.5020904@iogearbox.net> (raw)
In-Reply-To: <CAGXu5jL-LMC6SLazLE0UPcffr9cD5Z0ME4ddNjJmBKTx=dXz_A@mail.gmail.com>

On 10/21/2015 10:12 PM, Kees Cook wrote:
> On Wed, Oct 21, 2015 at 12:15 PM, Tycho Andersen
> <tycho.andersen@canonical.com> wrote:
>> Hi Oleg,
>>
>> On Wed, Oct 21, 2015 at 08:51:46PM +0200, Oleg Nesterov wrote:
>>> On 10/20, Tycho Andersen wrote:
>>>>
>>>> Hi Kees, Oleg,
>>>>
>>>> On Tue, Oct 20, 2015 at 10:20:24PM +0200, Oleg Nesterov wrote:
>>>>>
>>>>> No, you can't do copy_to_user() from atomic context. You need to pin this
>>>>> filter, drop the lock/irq, then copy_to_user().
>>>>
>>>> Attached is a patch which addresses this.
>>>
>>> Looks good to me, feel free to add my reviewed-by.
>>>
>>>
>>> a couple of questions, I am just curious...
>>>
>>>> +long seccomp_get_filter(struct task_struct *task, unsigned long filter_off,
>>>> +                   void __user *data)
>>>> +{
>>>> +   struct seccomp_filter *filter;
>>>> +   struct sock_fprog_kern *fprog;
>>>> +   long ret;
>>>> +   unsigned long count = 0;
>>>> +
>>>> +   if (!capable(CAP_SYS_ADMIN) ||
>>>> +       current->seccomp.mode != SECCOMP_MODE_DISABLED) {
>>>> +           return -EACCES;
>>>> +   }
>>>> +
>>>> +   spin_lock_irq(&task->sighand->siglock);
>>>> +   if (task->seccomp.mode != SECCOMP_MODE_FILTER) {
>>>> +           ret = -EINVAL;
>>>> +           goto out;
>>>> +   }
>>>> +
>>>> +   filter = task->seccomp.filter;
>>>> +   while (filter) {
>>>> +           filter = filter->prev;
>>>> +           count++;
>>>> +   }
>>>> +
>>>> +   if (filter_off >= count) {
>>>> +           ret = -ENOENT;
>>>> +           goto out;
>>>> +   }
>>>> +   count -= filter_off;
>>>> +
>>>> +   filter = task->seccomp.filter;
>>>> +   while (filter && count > 1) {
>>>> +           filter = filter->prev;
>>>> +           count--;
>>>> +   }
>>>> +
>>>> +   if (WARN_ON(count != 1)) {
>>>> +           /* The filter tree shouldn't shrink while we're using it. */
>>>> +           ret = -ENOENT;
>>>
>>> Yes. but this looks a bit confusing. If we want this WARN_ON() check
>>> because we are paranoid, then we should do
>>>
>>>        WARN_ON(count != 1 || filter);
>>
>> I guess you mean !filter here? We want filter to be non-null, because
>> we use it later.
>>
>>> And "while we're using it" look misleading, we rely on ->siglock.
>>>
>>> Plus if we could be shrinked the additional check can't help anyway,
>>> we can used the free filter. So I don't really understand this check
>>> and "filter != NULL" in the previous "while (filter && count > 1)".
>>> Nevermind...
>>
>> Just paranoia. You're right that we could get rid of WARN_ON and the
>> null check. I can send an updated patch to drop these bits if
>> necessary. Kees?
>
> I like being really paranoid when dealing with the filters. Let's keep
> the WARN_ON (with the "|| !filter" added) but maybe wrap it in
> "unlikely"?

Btw, the conditions inside the WARN_ON() macro would already resolve
to unlikely().

Best,
Daniel

  reply	other threads:[~2015-10-21 20:18 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-10-20 19:50 v8 of seccomp filter c/r Tycho Andersen
2015-10-20 19:50 ` [PATCH v8] seccomp, ptrace: add support for dumping seccomp filters Tycho Andersen
2015-10-20 20:20   ` Oleg Nesterov
2015-10-20 20:26     ` Kees Cook
2015-10-20 20:37       ` Tycho Andersen
2015-10-20 22:08     ` Tycho Andersen
2015-10-21 18:51       ` Oleg Nesterov
2015-10-21 19:15         ` Tycho Andersen
2015-10-21 20:12           ` Kees Cook
2015-10-21 20:18             ` Daniel Borkmann [this message]
2015-10-21 20:37               ` Tycho Andersen
2015-10-21 21:07           ` Oleg Nesterov
2015-10-21 21:20             ` Kees Cook
2015-10-21 21:33             ` Tycho Andersen
2015-10-25 15:39               ` Oleg Nesterov
2015-10-26  6:46                 ` Kees Cook
2015-10-26  7:07                   ` Kees Cook
2015-10-27  0:04                     ` Tycho Andersen
2015-10-27  0:17                       ` Daniel Borkmann

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5627F30C.5020904@iogearbox.net \
    --to=daniel@iogearbox.net \
    --cc=ast@kernel.org \
    --cc=keescook@chromium.org \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=oleg@redhat.com \
    --cc=serge.hallyn@ubuntu.com \
    --cc=tycho.andersen@canonical.com \
    --cc=wad@chromium.org \
    --cc=xemul@parallels.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).