From: Nix <nix@esperi.org.uk>
To: Andrew Lutomirski <luto@mit.edu>
Cc: Mark Seaborn <mseaborn@chromium.org>,
linux-kernel@vger.kernel.org,
Markus Gutschke <markus@chromium.org>
Subject: Re: [3.1 REGRESSION] Commit 5cec93c216db77c45f7ce970d46283bcb1933884 breaks the Chromium seccomp sandbox
Date: Mon, 14 Nov 2011 11:41:51 +0000
Message-ID: <87fwhrj5hc.fsf@spindle.srvr.nix>
In-Reply-To: <CAObL_7H5Ktva16xTj9QBq6v2k66q5H13Vyvv_Piju6vTiaC9cA@mail.gmail.com> (Andrew Lutomirski's message of "Mon, 14 Nov 2011 00:38:48 -0800")
On 14 Nov 2011, Andrew Lutomirski stated:
> On Sun, Nov 13, 2011 at 10:50 PM, Mark Seaborn <mseaborn@chromium.org> wrote:
>> I think the problem is that seccomp-sandbox attempts to patch the
>> vsyscall page.
I grepped for vsyscall to try to avoid making an idiot of myself like
this. A shame I misspelt it. :/
> The vsyscall code is now:
>
> mov $__NR_whatever, %rax
> syscall
> ret
>
> It used to be weirder, but we changed it to avoid breaking things like
> this. The secret is that, if vsyscall=emulate, the vsyscall page is
> not executable and we use the page fault to invoke
> do_emulate_vsyscall. But userspace can't tell it's not executable
> without actually jumping there, and with vsyscall=native, it's just a
> normal syscall.
>
> I'll try to build a sandboxing copy of chromium tomorrow to see if I
> can reproduce it.
If you look at line 909 of seccompsandbox/library.cc (in
http://git.chromium.org/external/seccompsandbox.git) the problem does
indeed jump out at you. That nice manual disassembly using == isn't
going to work anymore. It even helpfully dies with a message saying that
it can't patch the vsyscall page, but the message gets thrown away by
some higher layer.
I suspect we want two functions and something to recognize what the
vsyscall page looks like and choose between them, rather than making
this already tricky function even uglier.
(To build Chromium with sandboxing, the recipe is little more than
making sure you haven't passed in -Dselinux, and starting Chromium with
--enable-seccomp-sandbox. It's turned off by default because it slows
Chromium down, not because it doesn't work. :) )
--
NULL && (void)
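The recognizer Nix asks for above, written here as an added illustration that is not code from the seccomp-sandbox project or from anyone in this thread: it checks whether a page image has the three-stub layout Andrew describes (mov $__NR_xxx, %rax; syscall; ret at 1024-byte intervals) and extracts the syscall number from each stub, so a sandbox can decide how, or whether, to patch the page instead of comparing bytes against one hard-wired layout. The byte encoding (48 c7 c0 imm32 / 0f 05 / c3), the 0xcc padding and the syscall numbers 96, 201 and 309 for gettimeofday, time and getcpu are my assumptions, not something the thread states, and the page image below is constructed sample data rather than a dump of a real kernel's page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout of the x86-64 vsyscall page as described in the thread: three stubs,
 * one per vsyscall (gettimeofday, time, getcpu), each of the form
 *     mov $__NR_xxx, %rax
 *     syscall
 *     ret
 * with entry points 1024 bytes apart from the start of the page.
 * Assumptions (not from the thread): GAS encodes that mov as 48 c7 c0 <imm32>,
 * syscall as 0f 05 and ret as c3 (10 bytes), the gaps are 0xcc padding, and
 * the x86-64 syscall numbers are gettimeofday=96, time=201, getcpu=309. */

#define VSYSCALL_PAGE_SIZE   4096
#define VSYSCALL_STRIDE      1024
#define VSYSCALL_STUB_LEN    10
#define VSYSCALL_NR_ENTRIES  3

static const int expected_nr[VSYSCALL_NR_ENTRIES] = { 96, 201, 309 };

/* If the bytes at p start with "mov $imm32,%rax; syscall; ret", return the
 * immediate (the syscall number); otherwise return -1. */
int vsyscall_stub_nr(const uint8_t *p, size_t len)
{
    if (len < VSYSCALL_STUB_LEN)
        return -1;
    if (p[0] != 0x48 || p[1] != 0xc7 || p[2] != 0xc0)   /* REX.W mov imm32 -> %rax */
        return -1;
    if (p[7] != 0x0f || p[8] != 0x05)                   /* syscall */
        return -1;
    if (p[9] != 0xc3)                                   /* ret */
        return -1;
    /* imm32 is stored little-endian and sign-extended into %rax */
    uint32_t imm = (uint32_t)p[3] | ((uint32_t)p[4] << 8) |
                   ((uint32_t)p[5] << 16) | ((uint32_t)p[6] << 24);
    return (int)(int32_t)imm;
}

/* Classify a page image: 1 if all three entries are new-style stubs carrying
 * the expected syscall numbers, 0 otherwise. A sandbox should make this
 * decision before touching the page rather than assume one layout, which is
 * the failure mode the thread describes. */
int vsyscall_page_is_new_layout(const uint8_t *page, size_t len)
{
    if (len < (VSYSCALL_NR_ENTRIES - 1) * VSYSCALL_STRIDE + VSYSCALL_STUB_LEN)
        return 0;
    for (int i = 0; i < VSYSCALL_NR_ENTRIES; i++) {
        size_t off = (size_t)i * VSYSCALL_STRIDE;
        if (vsyscall_stub_nr(page + off, len - off) != expected_nr[i])
            return 0;
    }
    return 1;
}

/* Build a constructed image of such a page for offline testing. This is
 * sample data under the assumptions above, not a real kernel's page. */
void build_sample_vsyscall_page(uint8_t *page)
{
    memset(page, 0xcc, VSYSCALL_PAGE_SIZE);
    for (int i = 0; i < VSYSCALL_NR_ENTRIES; i++) {
        uint8_t *p = page + i * VSYSCALL_STRIDE;
        uint32_t nr = (uint32_t)expected_nr[i];
        p[0] = 0x48; p[1] = 0xc7; p[2] = 0xc0;
        p[3] = (uint8_t)(nr & 0xff);         p[4] = (uint8_t)((nr >> 8) & 0xff);
        p[5] = (uint8_t)((nr >> 16) & 0xff); p[6] = (uint8_t)((nr >> 24) & 0xff);
        p[7] = 0x0f; p[8] = 0x05; p[9] = 0xc3;
    }
}

int main(void)
{
    uint8_t page[VSYSCALL_PAGE_SIZE];
    build_sample_vsyscall_page(page);
    printf("constructed page has new layout: %d\n",
           vsyscall_page_is_new_layout(page, sizeof page));
    page[0x400 + 9] = 0x90;   /* alter one stub's ret: no longer recognized */
    printf("after altering one stub: %d\n",
           vsyscall_page_is_new_layout(page, sizeof page));
    return 0;
}
```

The point of returning the syscall number rather than a yes/no is that the caller can then dispatch on what it found (known new layout, or anything else) and refuse to patch, with a loud diagnostic, in the "anything else" case instead of silently failing several layers up as the sandbox did here.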