From: Tycho Andersen <tycho.andersen@canonical.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Kees Cook <keescook@chromium.org>,
Alexei Starovoitov <ast@kernel.org>,
Will Drewry <wad@chromium.org>, Oleg Nesterov <oleg@redhat.com>,
Pavel Emelyanov <xemul@parallels.com>,
"Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
Daniel Borkmann <daniel@iogearbox.net>,
LKML <linux-kernel@vger.kernel.org>,
Network Development <netdev@vger.kernel.org>,
Cyrill Gorcunov <gorcunov@parallels.com>
Subject: Re: [PATCH 3/6] ebpf: add a way to dump an eBPF program
Date: Wed, 9 Sep 2015 18:58:53 -0600 [thread overview]
Message-ID: <20150910005853.GG26679@smitten> (raw)
In-Reply-To: <CALCETrVJ1qwBwiB=abCa1G3bf_dqyQroYFLvuZt6WPQsYmJvqA@mail.gmail.com>
On Wed, Sep 09, 2015 at 05:44:06PM -0700, Andy Lutomirski wrote:
> On Wed, Sep 9, 2015 at 5:13 PM, Tycho Andersen
> <tycho.andersen@canonical.com> wrote:
> > On Wed, Sep 09, 2015 at 04:44:24PM -0700, Andy Lutomirski wrote:
> >> On Wed, Sep 9, 2015 at 3:34 PM, Tycho Andersen
> >> <tycho.andersen@canonical.com> wrote:
> >> >
> >> > Here's a thought,
> >> >
> >> > The set I'm currently proposing effectively separates the ref-counting
> >> > of the struct seccomp_filter from the struct bpf_prog (by necessity,
> >> > since we're referring to filters from fds). What if we went a little
> >> > futher, and made a copy of each seccomp_filter on fork(), keeping it
> >> > pointed at the same bpf_prog but adding some metadata about how it was
> >> > inherited (tsk->seccomp.filter->inheritence_count++ perhaps). This
> >> > would still require this change:
> >>
> >> Won't that break the tsync mechanism?
> >
> > We'll need the change I posted (is_ancestor comparing the underlying
> > bpf_prog instead of the seccomp_filter), but then I think it'll work.
> > I guess we'll need to do some more bookkeeping when we install filters
> > via TSYNC since each thread would need its own seccomp_filter, and
> > we'd also have to decide whether a filter installed via TSYNC was
> > inherited or not.
> >
> > Am I missing something?
>
> Yes. I don't think that:
>
> int fd = [create an ebpf fd];
> if (fork()) {
> /* Process A */
> seccomp(attach fd);
> ...
> } else {
> /* Process B */
> seccomp(attach fd);
> ...
> }
>
> should result in processes A and B being considered to have the same
> seccomp_filter state. In particular, I eventually want to make the
> seccomp_filter state be considerably more interesting than just the
> bpf program.
>
> There's another severe problem, I think. Suppose that ebpf1 and ebpf2
> are ebpf fds. If processes C and D start out with no filters at all,
> C attaches ebpf1 and ebpf2, and D attaches just ebpf2, then C and D
> are definitely *not* in the same state, and neither is an ancestor of
> the other.
Ah, yes.
> IOW I really do think that seccomp_filter should have identity.
What if we kept a pointer to the seccomp_filter that was inherited on
fork()? Everything "below" that in the tree is not inherited, and
everything above is. Unfortunately, it's not obvious how to restore
this state.
Tycho
next prev parent reply other threads:[~2015-09-10 0:58 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-04 16:04 c/r of seccomp filters via underlying eBPF Tycho Andersen
2015-09-04 16:04 ` [PATCH 1/6] ebpf: add a seccomp program type Tycho Andersen
2015-09-04 20:17 ` Alexei Starovoitov
2015-09-04 21:09 ` Tycho Andersen
2015-09-04 20:34 ` Kees Cook
2015-09-04 21:06 ` Tycho Andersen
2015-09-04 21:08 ` Kees Cook
2015-09-09 15:50 ` Tycho Andersen
2015-09-09 16:07 ` Alexei Starovoitov
2015-09-09 16:09 ` Daniel Borkmann
2015-09-09 16:37 ` Kees Cook
2015-09-09 16:52 ` Alexei Starovoitov
2015-09-09 17:27 ` Kees Cook
2015-09-09 17:31 ` Tycho Andersen
2015-09-09 16:07 ` Daniel Borkmann
2015-09-04 21:50 ` Andy Lutomirski
2015-09-09 16:13 ` Daniel Borkmann
2015-09-04 16:04 ` [PATCH 2/6] seccomp: make underlying bpf ref counted as well Tycho Andersen
2015-09-04 21:53 ` Andy Lutomirski
2015-09-04 16:04 ` [PATCH 3/6] ebpf: add a way to dump an eBPF program Tycho Andersen
2015-09-04 20:17 ` Kees Cook
2015-09-04 20:45 ` Tycho Andersen
2015-09-04 20:50 ` Kees Cook
2015-09-04 20:58 ` Alexei Starovoitov
2015-09-04 21:00 ` Tycho Andersen
2015-09-04 21:48 ` Andy Lutomirski
2015-09-04 22:28 ` Tycho Andersen
2015-09-04 23:08 ` Andy Lutomirski
2015-09-05 0:27 ` Tycho Andersen
2015-09-09 22:34 ` Tycho Andersen
2015-09-09 23:44 ` Andy Lutomirski
2015-09-10 0:13 ` Tycho Andersen
2015-09-10 0:44 ` Andy Lutomirski
2015-09-10 0:58 ` Tycho Andersen [this message]
2015-09-04 23:27 ` Kees Cook
2015-09-05 0:08 ` Andy Lutomirski
2015-09-04 20:27 ` Alexei Starovoitov
2015-09-04 20:42 ` Tycho Andersen
2015-09-04 16:04 ` [PATCH 4/6] seccomp: add a way to access filters via bpf fds Tycho Andersen
2015-09-04 20:26 ` Kees Cook
2015-09-04 20:29 ` Alexei Starovoitov
2015-09-04 20:58 ` Tycho Andersen
2015-09-04 16:04 ` [PATCH 5/6] seccomp: add a way to attach a filter via eBPF fd Tycho Andersen
2015-09-04 20:40 ` Alexei Starovoitov
[not found] ` <1441382664-17437-6-git-send-email-tycho.andersen-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
2015-09-04 20:41 ` Kees Cook
[not found] ` <CAGXu5jKke44txdYqEgPRrkn8SyWGjJuHxT2qMdq2ztp_16mQyw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-09-05 7:13 ` Michael Kerrisk (man-pages)
[not found] ` <55EA95FE.7000006-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-09-08 13:40 ` Tycho Andersen
2015-09-09 0:07 ` Kees Cook
[not found] ` <CAGXu5jKS0yX92XXhL6ZkqMrxkqFpPyyBd7wbsvEEx4rqZ0VG6g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-09-09 14:47 ` Tycho Andersen
2015-09-09 15:14 ` Alexei Starovoitov
[not found] ` <20150909151402.GA3429-2RGepAHry04KGsCuBW9QBvb0xQGhdpdCAL8bYrjMMd8@public.gmane.org>
2015-09-09 15:55 ` Tycho Andersen
2015-09-04 16:04 ` [PATCH 6/6] ebpf: allow BPF_REG_X in src_reg conditional jumps Tycho Andersen
2015-09-04 21:06 ` Alexei Starovoitov
2015-09-04 22:43 ` Tycho Andersen
2015-09-05 4:12 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150910005853.GG26679@smitten \
--to=tycho.andersen@canonical.com \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=gorcunov@parallels.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=netdev@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=serge.hallyn@ubuntu.com \
--cc=wad@chromium.org \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).