From: Andrew Morton <akpm@linux-foundation.org>
To: "Indan Zupancic" <indan@nul.nu>
Cc: "Will Drewry" <wad@chromium.org>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-arch@vger.kernel.org, linux-doc@vger.kernel.org,
kernel-hardening@lists.openwall.com, netdev@vger.kernel.org,
x86@kernel.org, arnd@arndb.de, davem@davemloft.net,
hpa@zytor.com, mingo@redhat.com, oleg@redhat.com,
peterz@infradead.org, rdunlap@xenotime.net,
mcgrathr@chromium.org, tglx@linutronix.de, luto@mit.edu,
eparis@redhat.com, serge.hallyn@canonical.com, djm@mindrot.org,
scarybeasts@gmail.com, pmoore@redhat.com, corbet@lwn.net,
eric.dumazet@gmail.com, markus@chromium.org,
coreyb@linux.vnet.ibm.com, keescook@chromium.org,
jmorris@namei.org
Subject: Re: [PATCH v17 08/15] seccomp: add system call filtering using BPF
Date: Tue, 10 Apr 2012 12:54:43 -0700 [thread overview]
Message-ID: <20120410125443.3ab1a277.akpm@linux-foundation.org> (raw)
In-Reply-To: <67e30a0c8655fc53a92e8138bba9de66.squirrel@webmail.greenhost.nl>
On Mon, 9 Apr 2012 04:22:40 +1000
"Indan Zupancic" <indan@nul.nu> wrote:
> On Sat, April 7, 2012 06:23, Andrew Morton wrote:
> > hm, I'm surprised that we don't have a zero-returning implementation of
> > is_compat_task() when CONFIG_COMPAT=n. Seems silly. Blames Arnd.
>
> It's sneakily hidden at the end of compat.h.
>
> >> +/**
> >> + * get_u32 - returns a u32 offset into data
> >> + * @data: a unsigned 64 bit value
> >> + * @index: 0 or 1 to return the first or second 32-bits
> >> + *
> >> + * This inline exists to hide the length of unsigned long.
> >> + * If a 32-bit unsigned long is passed in, it will be extended
> >> + * and the top 32-bits will be 0. If it is a 64-bit unsigned
> >> + * long, then whatever data is resident will be properly returned.
> >> + */
> >> +static inline u32 get_u32(u64 data, int index)
> >> +{
> >> + return ((u32 *)&data)[index];
> >> +}
> >
> > This seems utterly broken on big-endian machines. If so: fix. If not:
> > add comment explaining why?
>
> It's not a bug, it's intentional.
Well it looks like a bug, which is why I suggest that it be clearly
commented.
> >
> >> + if (total_insns > MAX_INSNS_PER_PATH)
> >> + return -ENOMEM;
> >> +
> >> + /*
> >> + * Installing a seccomp filter requires that the task have
> >> + * CAP_SYS_ADMIN in its namespace or be running with no_new_privs.
> >> + * This avoids scenarios where unprivileged tasks can affect the
> >> + * behavior of privileged children.
> >> + */
> >> + if (!current->no_new_privs &&
> >> + security_capable_noaudit(current_cred(), current_user_ns(),
> >> + CAP_SYS_ADMIN) != 0)
> >> + return -EACCES;
> >> +
> >> + /* Allocate a new seccomp_filter */
> >> + filter = kzalloc(sizeof(struct seccomp_filter) + fp_size, GFP_KERNEL);
> >
> > I think this gives userspace an easy way of causing page allocation
> > failure warnings, by permitting large kmalloc() attempts. Add
> > __GFP_NOWARN?
>
> Max is 32kb. sk_attach_filter() in net/core/filter.c is worse,
> it allocates up to 512kb before even checking the length.
An order-3 allocation attempt is pretty fragile. This will sometimes
fail.
> What about using GFP_USER (and adding __GFP_NOWARN to GFP_USER) instead?
Let's be conventional and use the open-coded __GFP_NOWARN.
__GFP_NOWARN says "this is a big allocation which will sometimes fail
and I have carefully reviewed the failure paths and runtime tested
them".
Please carefully review the failure paths and runtime test them ;)
> >> + /* Check and rewrite the fprog via the skb checker */
> >> + ret = sk_chk_filter(filter->insns, filter->len);
> >> + if (ret)
> >> + goto fail;
> >> +
> >> + /* Check and rewrite the fprog for seccomp use */
> >> + ret = seccomp_chk_filter(filter->insns, filter->len);
> >
> > "check" is spelled "check"!
>
> Yes, it is and he did spell "check" as "Check".
>
> seccomp_chk_filter() mirrors sk_chk_filter(). So it refers to
> "chk", not "check".
bah. Two poor identifiers isn't better than one. Whatever.
next prev parent reply other threads:[~2012-04-10 19:54 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-29 20:01 [PATCH v17 00/15] seccomp_filter: BPF-based syscall filtering Will Drewry
2012-03-29 20:01 ` [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs Will Drewry
2012-04-06 19:49 ` Andrew Morton
2012-04-06 19:55 ` Andy Lutomirski
2012-04-06 20:47 ` Markus Gutschke
2012-04-06 20:54 ` Andrew Lutomirski
2012-04-06 21:04 ` Markus Gutschke
2012-04-06 21:15 ` Andrew Lutomirski
2012-04-06 21:32 ` Markus Gutschke
2012-04-10 19:12 ` Will Drewry
[not found] ` <1333051320-30872-2-git-send-email-wad-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
2012-04-06 19:55 ` Andrew Morton
2012-04-06 20:01 ` Andrew Lutomirski
2012-04-06 20:28 ` Jonathan Corbet
2012-04-06 20:37 ` Andrew Lutomirski
2012-04-11 19:31 ` Michael Kerrisk (man-pages)
2012-04-12 0:15 ` Michael Kerrisk (man-pages)
2012-04-12 0:50 ` Andrew Lutomirski
2012-04-16 19:11 ` Rob Landley
2012-04-10 20:37 ` Rob Landley
2012-04-10 19:03 ` Will Drewry
2012-03-29 20:01 ` [PATCH v17 02/15] Fix apparmor for PR_{GET,SET}_NO_NEW_PRIVS Will Drewry
2012-03-29 20:01 ` [PATCH v17 03/15] sk_run_filter: add BPF_S_ANC_SECCOMP_LD_W Will Drewry
2012-03-29 20:01 ` [PATCH v17 04/15] net/compat.c,linux/filter.h: share compat_sock_fprog Will Drewry
2012-03-29 20:01 ` [PATCH v17 05/15] seccomp: kill the seccomp_t typedef Will Drewry
2012-03-29 20:01 ` [PATCH v17 06/15] arch/x86: add syscall_get_arch to syscall.h Will Drewry
2012-03-29 20:01 ` [PATCH v17 07/15] asm/syscall.h: add syscall_get_arch Will Drewry
2012-04-06 20:05 ` Andrew Morton
2012-04-09 19:24 ` Will Drewry
2012-03-29 20:01 ` [PATCH v17 08/15] seccomp: add system call filtering using BPF Will Drewry
2012-03-31 4:40 ` Vladimir Murzin
2012-03-31 18:14 ` Will Drewry
2012-04-06 20:23 ` Andrew Morton
2012-04-06 20:44 ` Kees Cook
2012-04-06 21:05 ` Andrew Morton
2012-04-06 21:06 ` H. Peter Anvin
2012-04-06 21:09 ` Andrew Morton
2012-04-08 18:22 ` Indan Zupancic
2012-04-09 19:59 ` Will Drewry
2012-04-10 9:48 ` James Morris
2012-04-10 20:00 ` Andrew Morton
2012-04-10 20:16 ` Will Drewry
2012-04-10 10:34 ` Eric Dumazet
2012-04-10 19:54 ` Andrew Morton [this message]
2012-04-10 20:15 ` Will Drewry
2012-03-29 20:01 ` [PATCH v17 09/15] seccomp: remove duplicated failure logging Will Drewry
2012-04-06 21:14 ` Andrew Morton
2012-04-09 19:26 ` Will Drewry
2012-04-09 19:32 ` Kees Cook
2012-04-09 19:33 ` Eric Paris
2012-04-09 19:39 ` [kernel-hardening] " Kees Cook
2012-03-29 20:01 ` [PATCH v17 10/15] seccomp: add SECCOMP_RET_ERRNO Will Drewry
2012-04-06 21:19 ` Andrew Morton
2012-04-09 19:19 ` Will Drewry
2012-03-29 20:01 ` [PATCH v17 11/15] signal, x86: add SIGSYS info and make it synchronous Will Drewry
2012-03-29 20:01 ` [PATCH v17 12/15] seccomp: Add SECCOMP_RET_TRAP Will Drewry
2012-03-29 20:01 ` [PATCH v17 13/15] ptrace,seccomp: Add PTRACE_SECCOMP support Will Drewry
2012-04-06 21:24 ` Andrew Morton
2012-04-09 19:38 ` Will Drewry
2012-03-29 20:01 ` [PATCH v17 14/15] x86: Enable HAVE_ARCH_SECCOMP_FILTER Will Drewry
2012-03-29 20:02 ` [PATCH v17 15/15] Documentation: prctl/seccomp_filter Will Drewry
2012-04-06 21:26 ` Andrew Morton
2012-04-09 19:46 ` Will Drewry
2012-04-09 20:47 ` Markus Gutschke
2012-04-09 20:58 ` Ryan Ware
2012-04-09 22:47 ` Will Drewry
2012-04-10 17:49 ` Ryan Ware
2012-03-29 23:11 ` [PATCH v17 00/15] seccomp_filter: BPF-based syscall filtering James Morris
2012-04-06 21:28 ` Andrew Morton
2012-04-09 3:48 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120410125443.3ab1a277.akpm@linux-foundation.org \
--to=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=corbet@lwn.net \
--cc=coreyb@linux.vnet.ibm.com \
--cc=davem@davemloft.net \
--cc=djm@mindrot.org \
--cc=eparis@redhat.com \
--cc=eric.dumazet@gmail.com \
--cc=hpa@zytor.com \
--cc=indan@nul.nu \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@mit.edu \
--cc=markus@chromium.org \
--cc=mcgrathr@chromium.org \
--cc=mingo@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=peterz@infradead.org \
--cc=pmoore@redhat.com \
--cc=rdunlap@xenotime.net \
--cc=scarybeasts@gmail.com \
--cc=serge.hallyn@canonical.com \
--cc=tglx@linutronix.de \
--cc=wad@chromium.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).