From: chris hyser <chris.hyser-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
To: Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
Cc: Will Drewry <wad-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
	Daniel Borkmann <daniel-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org>,
	Netdev <netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	Linux Containers
	<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
	Alexei Starovoitov <ast-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
	Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>,
	Sargun Dhillon <sargun-GaZTRHToo+CzQB+pC5nmwQ@public.gmane.org>,
	Alexei Starovoitov
	<alexei.starovoitov-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Subject: Re: [net-next v3 0/2] eBPF seccomp filters
Date: Tue, 27 Feb 2018 11:59:48 -0500	[thread overview]
Message-ID: <ddbefdda-f3b8-3956-fa0f-dcba8cf8e7d9@oracle.com> (raw)
In-Reply-To: <CAGXu5j+idW9AjZHVdeedqLOFXriObUJLvcw8-9k5WxyQF8EWrg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>

On 02/27/2018 11:00 AM, Kees Cook wrote:
> On Tue, Feb 27, 2018 at 6:53 AM, chris hyser <chris.hyser-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org> wrote:
>> On 02/26/2018 11:38 PM, Kees Cook wrote:
>>>
>>> On Mon, Feb 26, 2018 at 8:19 PM, Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
>>> wrote:
>>>>
>>>> 3. Straight-up bugs.  Those are exactly as problematic as verifier
>>>> bugs in any other unprivileged eBPF program type, right?  I don't see
>>>> why seccomp is special here.
>>>
>>>
>>> My concern is more about unintended design mistakes or other feature
>>> creep with side-effects, especially when it comes to privileges and
>>> synchronization. Getting no-new-privs done correctly, for example,
>>> took some careful thought and discussion, and I'm shy from how painful
>>> TSYNC was on the process locking side, and eBPF has had some rather
>>> ugly flaws in the past (and recently: it was nice to be able to say
>>> for Spectre that seccomp filters couldn't be constructed to make
>>> attacks but eBPF could). Adding the complexity needs to be worth the
>>> gain. I'm on board for doing it, I just want to be careful. :)
>>
>> Another option might be to remove c/eBPF from the equation altogether.
>> c/eBPF allows flexibility and that almost always comes at the cost of
>> additional security risk. Seccomp is for enhanced security yes? How about a
>> new seccomp mode that passes in something like a bit vector or hashmap for
>> "simple" white/black list checks validated by kernel code, versus user
>> provided interpreted code? Of course this removes a fair number of things
>> you can currently do or would be able to do with eBPF. Of course, restated
>> from a security point of view, this removes a fair number of things an
>> _attacker_ can do. Presumably the performance improvement would also be
>> significant.
>>
>> Is this an idea worth prototyping?
> 
> That was the original prototype for seccomp-filter. :) The discussion
> around that from years ago basically boiled down to it being
> inflexible. Given all the things people want to do at syscall time,
> that continues to be true. So true, in fact, that here we are now,
> trying to move to eBPF from cBPF. ;)

I will try to find that discussion. As someone pointed out here though, eBPF is
being used by more and more people in areas where security is not the primary
concern. Differing objectives will make this a long term continuing issue. We
ourselves were looking at eBPF simply as a means to use a hashmap for a
white/blacklist, i.e. performance not flexibility.

-chrish
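[Editor's added example, not code from this thread or from any of its posters.]
The two approaches being weighed above can be put side by side in a few lines: the
syscall allowlist as a seccomp classic-BPF program (what seccomp-filter does
today, built with the kernel's BPF_STMT/BPF_JUMP encoding) and the same policy as
a fixed-size bit vector that kernel code could consult directly, which is the
"simple white/black list validated by kernel code" idea. The cBPF program is run
through a small userspace interpreter covering only the three opcodes it uses, so
it can be studied offline; nothing is loaded into the kernel. Assumptions: the
UAPI constants are copied locally (values mirror Linux's) so the file builds
without kernel headers, and the allowlist of x86_64 syscall numbers 0 (read),
1 (write) and 231 (exit_group) is constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Local copies of the relevant <linux/filter.h>, <linux/seccomp.h>, <linux/audit.h> values. */
#define BPF_LD   0x00
#define BPF_W    0x00
#define BPF_ABS  0x20
#define BPF_JMP  0x05
#define BPF_JEQ  0x10
#define BPF_K    0x00
#define BPF_RET  0x06
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#define SECCOMP_RET_ALLOW        0x7fff0000U
#define AUDIT_ARCH_X86_64        0xc000003eU
#define AUDIT_ARCH_I386          0x40000003U

struct sock_filter  { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
struct seccomp_data { int nr; uint32_t arch; uint64_t instruction_pointer; uint64_t args[6]; };
#define BPF_STMT(code, k)         { (uint16_t)(code), 0, 0, (uint32_t)(k) }
#define BPF_JUMP(code, k, jt, jf) { (uint16_t)(code), (uint8_t)(jt), (uint8_t)(jf), (uint32_t)(k) }

/* Constructed allowlist (x86_64): read, write, exit_group. */
static const int allowed_nr[] = { 0, 1, 231 };
#define N_ALLOWED (sizeof allowed_nr / sizeof allowed_nr[0])
#define PROG_LEN  (N_ALLOWED + 6)

/* (a) Allowlist as a cBPF program: arch check, then a linear JEQ chain over nr.
 * Each JEQ jumps forward over the remaining compares and the kill to the final allow.
 * jt/jf are 8-bit, so a chain like this is bounded to ~255 entries before it has
 * to be restructured (e.g. as a binary search). */
static size_t build_allowlist_filter(struct sock_filter *out) {
    size_t i = 0;
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t j = 0; j < N_ALLOWED; j++)
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed_nr[j], N_ALLOWED - j, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Toy interpreter for the three opcodes used above (LD|W|ABS, JMP|JEQ|K, RET|K). */
static uint32_t run_filter(const struct sock_filter *f, size_t len, const struct seccomp_data *sd) {
    uint32_t A = 0;
    const unsigned char *bytes = (const unsigned char *)sd;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &f[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + 4 > sizeof *sd) return SECCOMP_RET_KILL_PROCESS; /* kernel rejects at load time */
            memcpy(&A, bytes + in->k, 4);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (A == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS; /* opcode outside this toy's subset */
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* fell off the end; the kernel's checker rejects such programs */
}

uint32_t decide_cbpf(int nr, uint32_t arch) {
    struct sock_filter prog[PROG_LEN];
    struct seccomp_data sd = { .nr = nr, .arch = arch };
    return run_filter(prog, build_allowlist_filter(prog), &sd);
}

/* (b) The same policy as a bit vector: O(1) lookup, no interpreted code, nothing to verify. */
#define NR_SYSCALLS 512
typedef struct { uint64_t bits[NR_SYSCALLS / 64]; } syscall_bitmap;

static void bitmap_build(syscall_bitmap *bm) {
    memset(bm, 0, sizeof *bm);
    for (size_t j = 0; j < N_ALLOWED; j++)
        bm->bits[allowed_nr[j] / 64] |= (uint64_t)1 << (allowed_nr[j] % 64);
}

uint32_t decide_bitmap(int nr, uint32_t arch) {
    syscall_bitmap bm;
    bitmap_build(&bm);
    if (arch != AUDIT_ARCH_X86_64) return SECCOMP_RET_KILL_PROCESS;
    if (nr < 0 || nr >= NR_SYSCALLS) return SECCOMP_RET_KILL_PROCESS; /* out-of-range nr (e.g. x32 bit set) */
    return ((bm.bits[nr / 64] >> (nr % 64)) & 1) ? SECCOMP_RET_ALLOW : SECCOMP_RET_KILL_PROCESS;
}

/* Cross-check: both encodings must give the same verdict for every nr and for a foreign arch. */
int decisions_agree(void) {
    for (int nr = -1; nr <= NR_SYSCALLS; nr++)
        if (decide_cbpf(nr, AUDIT_ARCH_X86_64) != decide_bitmap(nr, AUDIT_ARCH_X86_64)) return 0;
    return decide_cbpf(1, AUDIT_ARCH_I386) == decide_bitmap(1, AUDIT_ARCH_I386);
}

int main(void) {
    printf("write(1): cbpf=%#x bitmap=%#x\n", decide_cbpf(1, AUDIT_ARCH_X86_64), decide_bitmap(1, AUDIT_ARCH_X86_64));
    printf("execve(59): cbpf=%#x bitmap=%#x\n", decide_cbpf(59, AUDIT_ARCH_X86_64), decide_bitmap(59, AUDIT_ARCH_X86_64));
    printf("encodings agree: %d\n", decisions_agree());
    return 0;
}
```

The bit-vector path is the whole argument of the proposal in one function: the
kernel validates a few kilobytes of flags instead of a program, and there is no
interpreter or verifier whose bugs could be reached from an unprivileged
filter install. The cBPF version shows what the flexibility buys and costs: the
arch check, the bounded jump encoding, and the need for a checker on the kernel
side. Argument inspection, which is what pushes people toward eBPF, is exactly
what neither the bit vector nor this flat nr chain can express.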

