From: Rob Landley <rob@landley.net>
To: Andrew Lutomirski <luto@mit.edu>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Will Drewry <wad@chromium.org>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-arch@vger.kernel.org, linux-doc@vger.kernel.org,
kernel-hardening@lists.openwall.com, netdev@vger.kernel.org,
x86@kernel.org, arnd@arndb.de, davem@davemloft.net,
hpa@zytor.com, mingo@redhat.com, oleg@redhat.com,
peterz@infradead.org, rdunlap@xenotime.net,
mcgrathr@chromium.org, tglx@linutronix.de, eparis@redhat.com,
serge.hallyn@canonical.com, djm@mindrot.org,
scarybeasts@gmail.com, indan@nul.nu, pmoore@redhat.com,
corbet@lwn.net, eric.dumazet@gmail.com, markus@chromium.org,
coreyb@linux.vnet.ibm.com, keescook@chromium.org,
jmorris@namei.org, Andy Lutomirski <luto@amacapital.net>,
linux-man@vger.kernel.org
Subject: Re: [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs
Date: Tue, 10 Apr 2012 15:37:00 -0500 [thread overview]
Message-ID: <4F8499EC.4010508@landley.net> (raw)
In-Reply-To: <CAObL_7EYb62o=a0ekzcDx=0TuN55A7aTYhLJbMNu2r8F0V77EA@mail.gmail.com>
On 04/06/2012 03:01 PM, Andrew Lutomirski wrote:
> On Fri, Apr 6, 2012 at 12:55 PM, Andrew Morton
> <akpm@linux-foundation.org> wrote:
>> On Thu, 29 Mar 2012 15:01:46 -0500
>> Will Drewry <wad@chromium.org> wrote:
>>
>>> From: Andy Lutomirski <luto@amacapital.net>
>>>
>>> With this set, a lot of dangerous operations (chroot, unshare, etc)
>>> become a lot less dangerous because there is no possibility of
>>> subverting privileged binaries.
>>
>> The changelog doesn't explain the semantics of the new syscall.
>> There's a comment way-down-there which I guess suffices, if you hunt
>> for it.
>>
>> And the changelog doesn't explain why this is being added. Presumably
>> seccomp_filter wants/needs this feature but whowhatwherewhenwhy? Spell
>> it all out, please.
>>
>> The new syscall mode will be documented in the prctl manpage. Please
>> cc linux-man@vger.kernel.org and work with Michael on getting this
>> done?
>
> This has been bugging me for awhile. Is there any interest in moving
> the manpages into the kernel source tree?
Not that I know of. I'm pretty sure if the guy maintaining it (Michael
Kerrisk) wanted to do that, he could have raised the issue at any time
over the past several years.
> Then there could be a
> general requirement that new APIs get documented when they're written.
Because having a Documentation directory, javadoc in the source itself
(some of which is combined with the Documentation/DocBook xml files to
form the make htmldocs output), menuconfig help text, and a whole bunch
of scattered readmes does _not_ get new APIs documented as they're written.
That isn't even counting git commit comments and mailing list messages
in various web archives. Are you going to suck the linux weekly news
kernel articles into the tree (http://lwn.net/Kernel/Index)? How about
Linux Journal's complete archives going back to 2004
(http://www.linuxjournal.com/magazine)? Or the h-online and
kernelnewbies writeups? How about wikipedia pages on interesting kernel
topics? The sourceforge pages for userspace projects like lxc.sf.net or
i2c-utils? How about that device driver writing tutorial Greg KH
recorded in 2008, that's only a 2.8 gigabyte video file. Rusty's
Unreliable Guides? Greg KH's blog? (Heck, http://kernelplanet.org).
Speaking of videos, here's the 2011 LinuxCon Japan talks:
http://video.linux.com/categories/2011-linuxcon-japan
And here are videos for the Consumer Electronic Linux Forum:
http://free-electrons.com/blog/elc-2012-videos/
(and you can get 2011, 2010, 2006...)
Here are Ottawa Linux Symposium papers:
http://kernel.org/doc/ols
Don't forget IBM Developerworks' library:
http://www.ibm.com/developerworks/linux/library/l-linux-kernel/
Have some standards documents:
http://www.opengroup.org/onlinepubs/9699919799/
http://busybox.net/~landley/c99-draft.html
http://www.unix.org/whitepapers/64bit.html
http://refspecs.linuxfoundation.org
http://t10.org/scsi-3.htm
Here's a random blog post about booting a bare metal "hello world"
program on qemu for ARM:
http://balau82.wordpress.com/2010/02/28/hello-world-for-bare-metal-arm-using-qemu/
Let's pick a topic, like the ELF loader. Here's the best introduction of
how ELF files _really_ work I've seen:
http://muppetlabs.com/~breadbox/software/tiny/teensy.html
Although http://linuxjournal.com/article/1059 is pretty good too, as
were http://linuxjournal.com/article/1060 and
http://linuxjournal.com/article/80 as well. And if you want the
_details_, here's an extremely dry online book:
http://www.iecc.com/linker/
And here's the first entry in the blog series the guy who wrote "gold"
did about writing his new linker:
http://www.airs.com/blog/archives/38
And so on, and so forth...
> (There are plenty of barely- or incompletely-documented syscalls.
> futex and relatives come to mind.)
Your proposal does not address this problem.
Speaking of syscalls, I do note that ever since I tried to add Hexagon
support to strace (less fun than it sounds), I've wanted a way to beat
proper syscall information out of the kernel headers so I could get not
just syscall numbers but how many arguments and a brief stab at the type
of each argument.
Of course you _can_ get argument type and count, but not from the
headers: you have to use moderately horrible sed on the kernel's source
code, ala:
find . -name "*.c" -print0 | \
xargs -n1 -0 sed -n -e 's/.*\(SYSCALL_DEFINE[0-9](\)/\1/' \
-e 't got;d;:got;s/).*/)/p;t;N;b got'
> --Andy
Rob
--
GNU/Linux isn't: Linux=GPLv2, GNU=GPLv3+, they can't share code.
Either it's "mere aggregation", or a license violation. Pick one.
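The semantics the quoted changelog leaves implicit (the bit is set once, can never be cleared, and is inherited by children so that later execve() calls cannot hand out privilege) can be checked directly against the running kernel. The program below is an added example for this archive page; it is not code from Rob's or Andy's message nor from the patch series, and it assumes a Linux kernel that carries the merged PR_{GET,SET}_NO_NEW_PRIVS (3.5 and later). The /proc/self/status cross-check is optional and returns -1 on kernels that do not expose a NoNewPrivs field.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks for older headers; the values match include/uapi/linux/prctl.h. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Read the bit back from the kernel: 0 or 1, or -1 with errno set. */
int nnp_get(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Set the bit. From here on, execve() of a setuid/setgid or file-capability
 * binary runs it with the caller's credentials instead of elevated ones,
 * which is why chroot/unshare style tricks stop being a privilege path. */
int nnp_set(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* The bit is one-way: asking the kernel to clear it is rejected with EINVAL.
 * Returns 1 if the kernel refused as expected, 0 otherwise. */
int nnp_clear_is_refused(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == -1 && errno == EINVAL;
}

/* Cross-check against /proc/self/status, which newer kernels report as
 * "NoNewPrivs:\t1". Returns the parsed value, or -1 if the field is absent. */
int nnp_from_proc_status(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int val = -1;

    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "NoNewPrivs: %d", &val) == 1)
            break;
    }
    fclose(f);
    return val;
}

/* Fork and report what the child sees: the bit is inherited across fork()
 * (and across execve()), which is what makes it usable as a sandbox base.
 * Returns 1 if the child sees the bit set, 0 if not, -1 on fork/wait error. */
int nnp_seen_by_child(void)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(nnp_get() == 1 ? 1 : 0);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("before: no_new_privs=%d\n", nnp_get());
    if (nnp_set() != 0) {
        perror("PR_SET_NO_NEW_PRIVS");
        return 1;
    }
    printf("after:  no_new_privs=%d (proc: %d)\n",
           nnp_get(), nnp_from_proc_status());
    printf("child sees: %d\n", nnp_seen_by_child());
    printf("clear refused: %d\n", nnp_clear_is_refused());
    return 0;
}
```

Run it as an unprivileged user; nothing here needs root. Because the bit is set in the calling process itself, anything exec'd afterwards from that process (including a shell you spawn from it) inherits the restriction, so in a real sandbox the prctl() goes right before the seccomp filter is installed and before the final execve().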
Thread overview (69+ messages):
2012-03-29 20:01 [PATCH v17 00/15] seccomp_filter: BPF-based syscall filtering Will Drewry
2012-03-29 20:01 ` [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs Will Drewry
2012-04-06 19:49 ` Andrew Morton
2012-04-06 19:55 ` Andy Lutomirski
2012-04-06 20:47 ` Markus Gutschke
2012-04-06 20:54 ` Andrew Lutomirski
2012-04-06 21:04 ` Markus Gutschke
2012-04-06 21:15 ` Andrew Lutomirski
2012-04-06 21:32 ` Markus Gutschke
2012-04-10 19:12 ` Will Drewry
[not found] ` <1333051320-30872-2-git-send-email-wad-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
2012-04-06 19:55 ` Andrew Morton
2012-04-06 20:01 ` Andrew Lutomirski
2012-04-06 20:28 ` Jonathan Corbet
2012-04-06 20:37 ` Andrew Lutomirski
2012-04-11 19:31 ` Michael Kerrisk (man-pages)
2012-04-12 0:15 ` Michael Kerrisk (man-pages)
2012-04-12 0:50 ` Andrew Lutomirski
2012-04-16 19:11 ` Rob Landley
2012-04-10 20:37 ` Rob Landley [this message]
2012-04-10 19:03 ` Will Drewry
2012-03-29 20:01 ` [PATCH v17 02/15] Fix apparmor for PR_{GET,SET}_NO_NEW_PRIVS Will Drewry
2012-03-29 20:01 ` [PATCH v17 03/15] sk_run_filter: add BPF_S_ANC_SECCOMP_LD_W Will Drewry
2012-03-29 20:01 ` [PATCH v17 04/15] net/compat.c,linux/filter.h: share compat_sock_fprog Will Drewry
2012-03-29 20:01 ` [PATCH v17 05/15] seccomp: kill the seccomp_t typedef Will Drewry
2012-03-29 20:01 ` [PATCH v17 06/15] arch/x86: add syscall_get_arch to syscall.h Will Drewry
2012-03-29 20:01 ` [PATCH v17 07/15] asm/syscall.h: add syscall_get_arch Will Drewry
2012-04-06 20:05 ` Andrew Morton
2012-04-09 19:24 ` Will Drewry
2012-03-29 20:01 ` [PATCH v17 08/15] seccomp: add system call filtering using BPF Will Drewry
2012-03-31 4:40 ` Vladimir Murzin
2012-03-31 18:14 ` Will Drewry
2012-04-06 20:23 ` Andrew Morton
2012-04-06 20:44 ` Kees Cook
2012-04-06 21:05 ` Andrew Morton
2012-04-06 21:06 ` H. Peter Anvin
2012-04-06 21:09 ` Andrew Morton
2012-04-08 18:22 ` Indan Zupancic
2012-04-09 19:59 ` Will Drewry
2012-04-10 9:48 ` James Morris
2012-04-10 20:00 ` Andrew Morton
2012-04-10 20:16 ` Will Drewry
2012-04-10 10:34 ` Eric Dumazet
2012-04-10 19:54 ` Andrew Morton
2012-04-10 20:15 ` Will Drewry
2012-03-29 20:01 ` [PATCH v17 09/15] seccomp: remove duplicated failure logging Will Drewry
2012-04-06 21:14 ` Andrew Morton
2012-04-09 19:26 ` Will Drewry
2012-04-09 19:32 ` Kees Cook
2012-04-09 19:33 ` Eric Paris
2012-04-09 19:39 ` [kernel-hardening] " Kees Cook
2012-03-29 20:01 ` [PATCH v17 10/15] seccomp: add SECCOMP_RET_ERRNO Will Drewry
2012-04-06 21:19 ` Andrew Morton
2012-04-09 19:19 ` Will Drewry
2012-03-29 20:01 ` [PATCH v17 11/15] signal, x86: add SIGSYS info and make it synchronous Will Drewry
2012-03-29 20:01 ` [PATCH v17 12/15] seccomp: Add SECCOMP_RET_TRAP Will Drewry
2012-03-29 20:01 ` [PATCH v17 13/15] ptrace,seccomp: Add PTRACE_SECCOMP support Will Drewry
2012-04-06 21:24 ` Andrew Morton
2012-04-09 19:38 ` Will Drewry
2012-03-29 20:01 ` [PATCH v17 14/15] x86: Enable HAVE_ARCH_SECCOMP_FILTER Will Drewry
2012-03-29 20:02 ` [PATCH v17 15/15] Documentation: prctl/seccomp_filter Will Drewry
2012-04-06 21:26 ` Andrew Morton
2012-04-09 19:46 ` Will Drewry
2012-04-09 20:47 ` Markus Gutschke
2012-04-09 20:58 ` Ryan Ware
2012-04-09 22:47 ` Will Drewry
2012-04-10 17:49 ` Ryan Ware
2012-03-29 23:11 ` [PATCH v17 00/15] seccomp_filter: BPF-based syscall filtering James Morris
2012-04-06 21:28 ` Andrew Morton
2012-04-09 3:48 ` James Morris