From: Kees Cook <keescook@chromium.org>
To: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Andrea Arcangeli <aarcange@redhat.com>,
Giuseppe Scrivano <gscrivan@redhat.com>,
Valentin Rothberg <vrothber@redhat.com>,
Jann Horn <jannh@google.com>, YiFei Zhu <yifeifz2@illinois.edu>,
containers@lists.linux-foundation.org,
Tobin Feldman-Fitzthum <tobin@ibm.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
Hubertus Franke <frankeh@us.ibm.com>,
Jack Chen <jianyan2@illinois.edu>,
Dimitrios Skarlatos <dskarlat@cs.cmu.edu>,
Josep Torrellas <torrella@illinois.edu>,
Will Drewry <wad@chromium.org>, bpf <bpf@vger.kernel.org>,
Tianyin Xu <tyxu@illinois.edu>
Subject: Re: [PATCH v2 seccomp 1/6] seccomp: Move config option SECCOMP to arch/Kconfig
Date: Tue, 27 Oct 2020 17:06:49 -0700 [thread overview]
Message-ID: <202010271653.B6D7D6B@keescook> (raw)
In-Reply-To: <CAMuHMdXTLKr6pvoE+JAdn_P5kVxL6gx8PJ8mqfXcS+SF+pRbkQ@mail.gmail.com>
On Tue, Oct 27, 2020 at 10:52:39AM +0100, Geert Uytterhoeven wrote:
> Hi Yifei,
>
> On Thu, Sep 24, 2020 at 2:48 PM YiFei Zhu <zhuyifei1999@gmail.com> wrote:
> > From: YiFei Zhu <yifeifz2@illinois.edu>
> >
> > In order to make adding configurable features into seccomp
> > easier, it's better to have the options at one single location,
> > considering easpecially that the bulk of seccomp code is
> > arch-independent. An quick look also show that many SECCOMP
> > descriptions are outdated; they talk about /proc rather than
> > prctl.
> >
> > As a result of moving the config option and keeping it default
> > on, architectures arm, arm64, csky, riscv, sh, and xtensa
> > did not have SECCOMP on by default prior to this and SECCOMP will
> > be default in this change.
> >
> > Architectures microblaze, mips, powerpc, s390, sh, and sparc
> > have an outdated depend on PROC_FS and this dependency is removed
> > in this change.
> >
> > Suggested-by: Jann Horn <jannh@google.com>
> > Link: https://lore.kernel.org/lkml/CAG48ez1YWz9cnp08UZgeieYRhHdqh-ch7aNwc4JRBnGyrmgfMg@mail.gmail.com/
> > Signed-off-by: YiFei Zhu <yifeifz2@illinois.edu>
>
> Thanks for your patch. which is now commit 282a181b1a0d66de ("seccomp:
> Move config option SECCOMP to arch/Kconfig") in v5.10-rc1.
>
> > --- a/arch/Kconfig
> > +++ b/arch/Kconfig
> > @@ -458,6 +462,23 @@ config HAVE_ARCH_SECCOMP_FILTER
> > results in the system call being skipped immediately.
> > - seccomp syscall wired up
> >
> > +config SECCOMP
> > + def_bool y
> > + depends on HAVE_ARCH_SECCOMP
> > + prompt "Enable seccomp to safely compute untrusted bytecode"
> > + help
> > + This kernel feature is useful for number crunching applications
> > + that may need to compute untrusted bytecode during their
> > + execution. By using pipes or other transports made available to
> > + the process as file descriptors supporting the read/write
> > + syscalls, it's possible to isolate those applications in
> > + their own address space using seccomp. Once seccomp is
> > + enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
> > + and the task is only allowed to execute a few safe syscalls
> > + defined by each seccomp mode.
> > +
> > + If unsure, say Y. Only embedded should say N here.
> > +
>
> Please tell me why SECCOMP is special, and deserves to default to be
> enabled. Is it really that critical, given only 13.5 (half of sparc
> ;-) out of 24
> architectures implement support for it?
That's an excellent point; I missed this in my review as I saw several
Kconfig already marked "def_bool y" but failed to note it wasn't _all_
of them. Okay, checking before this patch, these had them effectively
enabled:
via Kconfig:
parisc
s390
um
x86
via defconfig, roughly speaking:
arm
arm64
sh
How about making the default depend on HAVE_ARCH_SECCOMP_FILTER?
These have SECCOMP_FILTER support:
arch/arm/Kconfig: select HAVE_ARCH_SECCOMP_FILTER if AEABI && !OABI_COMPAT
arch/arm64/Kconfig: select HAVE_ARCH_SECCOMP_FILTER
arch/csky/Kconfig: select HAVE_ARCH_SECCOMP_FILTER
arch/mips/Kconfig: select HAVE_ARCH_SECCOMP_FILTER
arch/parisc/Kconfig: select HAVE_ARCH_SECCOMP_FILTER
arch/powerpc/Kconfig: select HAVE_ARCH_SECCOMP_FILTER
arch/riscv/Kconfig: select HAVE_ARCH_SECCOMP_FILTER
arch/s390/Kconfig: select HAVE_ARCH_SECCOMP_FILTER
arch/sh/Kconfig: select HAVE_ARCH_SECCOMP_FILTER
arch/um/Kconfig: select HAVE_ARCH_SECCOMP_FILTER
arch/x86/Kconfig: select HAVE_ARCH_SECCOMP_FILTER
arch/xtensa/Kconfig: select HAVE_ARCH_SECCOMP_FILTER
So the "new" promotions would be:
csky
mips
powerpc
riscv
xtensa
Which would leave only these two:
arch/microblaze/Kconfig: select HAVE_ARCH_SECCOMP
arch/sparc/Kconfig: select HAVE_ARCH_SECCOMP if SPARC64
At this point, given the ubiquity of seccomp usage (e.g. systemd), I
guess it's not unreasonable to make it def_bool y?
I'm open to suggestions!
--
Kees Cook
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/containers
next prev parent reply other threads:[~2020-10-28 0:06 UTC|newest]
Thread overview: 151+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-21 5:35 [RFC PATCH seccomp 0/2] seccomp: Add bitmap cache of arg-independent filter results that allow syscalls YiFei Zhu
2020-09-21 5:35 ` [RFC PATCH seccomp 1/2] seccomp/cache: Add "emulator" to check if filter is arg-dependent YiFei Zhu
2020-09-21 17:47 ` Jann Horn via Containers
2020-09-21 18:38 ` Jann Horn via Containers
2020-09-21 23:44 ` YiFei Zhu
2020-09-22 0:25 ` Jann Horn via Containers
2020-09-22 0:47 ` YiFei Zhu
2020-09-21 5:35 ` [RFC PATCH seccomp 2/2] seccomp/cache: Cache filter results that allow syscalls YiFei Zhu
2020-09-21 18:08 ` Jann Horn via Containers
2020-09-21 22:50 ` YiFei Zhu
2020-09-21 22:57 ` Jann Horn via Containers
2020-09-21 23:08 ` YiFei Zhu
2020-09-25 0:01 ` [PATCH v2 seccomp 2/6] asm/syscall.h: Add syscall_arches[] array Kees Cook
2020-09-25 0:15 ` Jann Horn via Containers
2020-09-25 0:18 ` Al Viro
2020-09-25 0:24 ` Jann Horn via Containers
2020-09-25 1:27 ` YiFei Zhu
2020-09-25 3:09 ` Kees Cook
2020-09-25 3:28 ` YiFei Zhu
2020-09-25 16:39 ` YiFei Zhu
2020-09-21 5:48 ` [RFC PATCH seccomp 0/2] seccomp: Add bitmap cache of arg-independent filter results that allow syscalls Sargun Dhillon
2020-09-21 7:13 ` YiFei Zhu
2020-09-21 8:30 ` Christian Brauner
2020-09-21 8:44 ` YiFei Zhu
2020-09-21 13:51 ` Tycho Andersen
2020-09-21 15:27 ` YiFei Zhu
2020-09-21 16:39 ` Tycho Andersen
2020-09-21 22:57 ` YiFei Zhu
2020-09-21 19:16 ` Jann Horn via Containers
2020-09-21 19:35 ` Hubertus Franke
2020-09-21 19:45 ` Jann Horn via Containers
2020-09-23 19:26 ` Kees Cook
2020-09-23 22:54 ` YiFei Zhu
2020-09-24 6:52 ` Kees Cook
2020-09-24 12:06 ` [PATCH seccomp 0/6] " YiFei Zhu
2020-09-24 12:06 ` [PATCH seccomp 1/6] seccomp: Move config option SECCOMP to arch/Kconfig YiFei Zhu
2020-09-24 12:06 ` YiFei Zhu
2020-09-24 12:06 ` [PATCH seccomp 2/6] asm/syscall.h: Add syscall_arches[] array YiFei Zhu
2020-09-24 12:06 ` [PATCH seccomp 3/6] seccomp/cache: Add "emulator" to check if filter is arg-dependent YiFei Zhu
2020-09-24 12:06 ` [PATCH seccomp 4/6] seccomp/cache: Lookup syscall allowlist for fast path YiFei Zhu
2020-09-24 12:06 ` [PATCH seccomp 5/6] selftests/seccomp: Compare bitmap vs filter overhead YiFei Zhu
2020-09-24 12:06 ` [PATCH seccomp 6/6] seccomp/cache: Report cache data through /proc/pid/seccomp_cache YiFei Zhu
2020-09-24 12:44 ` [PATCH v2 seccomp 0/6] seccomp: Add bitmap cache of arg-independent filter results that allow syscalls YiFei Zhu
2020-09-24 12:44 ` [PATCH v2 seccomp 1/6] seccomp: Move config option SECCOMP to arch/Kconfig YiFei Zhu
2020-09-24 19:11 ` Kees Cook
2020-10-27 9:52 ` Geert Uytterhoeven
2020-10-27 19:08 ` YiFei Zhu
2020-10-28 0:06 ` Kees Cook [this message]
2020-10-28 8:18 ` Geert Uytterhoeven
2020-10-28 9:34 ` Jann Horn via Containers
2020-09-24 12:44 ` [PATCH v2 seccomp 2/6] asm/syscall.h: Add syscall_arches[] array YiFei Zhu
2020-09-24 13:47 ` David Laight
2020-09-24 14:16 ` YiFei Zhu
2020-09-24 14:20 ` David Laight
2020-09-24 14:37 ` YiFei Zhu
2020-09-24 16:02 ` YiFei Zhu
2020-09-24 12:44 ` [PATCH v2 seccomp 3/6] seccomp/cache: Add "emulator" to check if filter is arg-dependent YiFei Zhu
2020-09-24 23:25 ` Kees Cook
2020-09-25 3:04 ` YiFei Zhu
2020-09-25 16:45 ` YiFei Zhu
2020-09-25 19:42 ` Kees Cook
2020-09-25 19:51 ` Andy Lutomirski
2020-09-25 20:37 ` Kees Cook
2020-09-25 21:07 ` Andy Lutomirski
2020-09-25 23:49 ` Kees Cook
2020-09-26 0:34 ` Andy Lutomirski
2020-09-26 1:23 ` YiFei Zhu
2020-09-26 2:47 ` Andy Lutomirski
2020-09-26 4:35 ` Kees Cook
2020-09-24 12:44 ` [PATCH v2 seccomp 4/6] seccomp/cache: Lookup syscall allowlist for fast path YiFei Zhu
2020-09-24 23:46 ` Kees Cook
2020-09-25 1:55 ` YiFei Zhu
2020-09-24 12:44 ` [PATCH v2 seccomp 5/6] selftests/seccomp: Compare bitmap vs filter overhead YiFei Zhu
2020-09-24 23:47 ` Kees Cook
2020-09-25 1:35 ` YiFei Zhu
2020-09-24 12:44 ` [PATCH v2 seccomp 6/6] seccomp/cache: Report cache data through /proc/pid/seccomp_cache YiFei Zhu
2020-09-24 23:56 ` Kees Cook
2020-09-25 3:11 ` YiFei Zhu
2020-09-25 3:26 ` Kees Cook
2020-09-30 15:19 ` [PATCH v3 seccomp 0/5] seccomp: Add bitmap cache of constant allow filter results YiFei Zhu
2020-09-30 15:19 ` [PATCH v3 seccomp 1/5] x86: Enable seccomp architecture tracking YiFei Zhu
2020-09-30 21:21 ` Kees Cook
2020-09-30 21:33 ` Jann Horn via Containers
2020-09-30 22:53 ` Kees Cook
2020-09-30 23:15 ` Jann Horn via Containers
2020-09-30 15:19 ` [PATCH v3 seccomp 2/5] seccomp/cache: Add "emulator" to check if filter is constant allow YiFei Zhu
2020-09-30 22:24 ` Jann Horn via Containers
2020-09-30 22:49 ` Kees Cook
2020-10-01 11:28 ` YiFei Zhu
2020-10-01 21:08 ` Jann Horn via Containers
2020-09-30 22:40 ` Kees Cook
2020-10-01 11:52 ` YiFei Zhu
2020-10-01 21:05 ` Kees Cook
2020-10-02 11:08 ` YiFei Zhu
2020-10-09 4:47 ` YiFei Zhu
2020-10-09 5:41 ` Kees Cook
2020-09-30 15:19 ` [PATCH v3 seccomp 3/5] seccomp/cache: Lookup syscall allowlist for fast path YiFei Zhu
2020-09-30 21:32 ` Kees Cook
2020-10-09 0:17 ` YiFei Zhu
2020-10-09 5:35 ` Kees Cook
2020-09-30 15:19 ` [PATCH v3 seccomp 4/5] selftests/seccomp: Compare bitmap vs filter overhead YiFei Zhu
2020-09-30 15:19 ` [PATCH v3 seccomp 5/5] seccomp/cache: Report cache data through /proc/pid/seccomp_cache YiFei Zhu
2020-09-30 22:00 ` Jann Horn via Containers
2020-09-30 23:12 ` Kees Cook
2020-10-01 12:06 ` YiFei Zhu
2020-10-01 16:05 ` Jann Horn via Containers
2020-10-01 16:18 ` YiFei Zhu
2020-09-30 22:59 ` Kees Cook
2020-09-30 23:08 ` Jann Horn via Containers
2020-09-30 23:21 ` Kees Cook
2020-10-09 17:14 ` [PATCH v4 seccomp 0/5] seccomp: Add bitmap cache of constant allow filter results YiFei Zhu
2020-10-09 17:14 ` [PATCH v4 seccomp 1/5] seccomp/cache: Lookup syscall allowlist bitmap for fast path YiFei Zhu
2020-10-09 21:30 ` Jann Horn via Containers
2020-10-09 23:18 ` Kees Cook
2020-10-09 17:14 ` [PATCH v4 seccomp 2/5] seccomp/cache: Add "emulator" to check if filter is constant allow YiFei Zhu
2020-10-09 21:30 ` Jann Horn via Containers
2020-10-09 22:47 ` Kees Cook
2020-10-09 17:14 ` [PATCH v4 seccomp 3/5] x86: Enable seccomp architecture tracking YiFei Zhu
2020-10-09 17:25 ` Andy Lutomirski
2020-10-09 18:32 ` YiFei Zhu
2020-10-09 20:59 ` Andy Lutomirski
2020-10-09 17:14 ` [PATCH v4 seccomp 4/5] selftests/seccomp: Compare bitmap vs filter overhead YiFei Zhu
2020-10-09 17:14 ` [PATCH v4 seccomp 5/5] seccomp/cache: Report cache data through /proc/pid/seccomp_cache YiFei Zhu
2020-10-09 21:24 ` kernel test robot
2020-10-09 21:45 ` Jann Horn via Containers
2020-10-09 23:14 ` Kees Cook
2020-10-10 13:26 ` YiFei Zhu
2020-10-12 22:57 ` Kees Cook
2020-10-13 0:31 ` YiFei Zhu
2020-10-22 20:52 ` YiFei Zhu
2020-10-22 22:32 ` Kees Cook
2020-10-22 23:40 ` YiFei Zhu
2020-10-24 2:51 ` Kees Cook
2020-10-30 12:18 ` YiFei Zhu
2020-11-03 13:00 ` YiFei Zhu
2020-11-04 0:29 ` Kees Cook
2020-11-04 11:40 ` YiFei Zhu
2020-11-04 18:57 ` Kees Cook
2020-10-11 15:47 ` [PATCH v5 seccomp 0/5]seccomp: Add bitmap cache of constant allow filter results YiFei Zhu
2020-10-11 15:47 ` [PATCH v5 seccomp 1/5] seccomp/cache: Lookup syscall allowlist bitmap for fast path YiFei Zhu
2020-10-12 6:42 ` Jann Horn via Containers
2020-10-11 15:47 ` [PATCH v5 seccomp 2/5] seccomp/cache: Add "emulator" to check if filter is constant allow YiFei Zhu
2020-10-12 6:46 ` Jann Horn via Containers
2020-10-11 15:47 ` [PATCH v5 seccomp 3/5] x86: Enable seccomp architecture tracking YiFei Zhu
2020-10-11 15:47 ` [PATCH v5 seccomp 4/5] selftests/seccomp: Compare bitmap vs filter overhead YiFei Zhu
2020-10-11 15:47 ` [PATCH v5 seccomp 5/5] seccomp/cache: Report cache data through /proc/pid/seccomp_cache YiFei Zhu
2020-10-12 6:49 ` Jann Horn via Containers
2020-12-17 12:14 ` Geert Uytterhoeven
2020-12-17 18:34 ` YiFei Zhu
2020-12-18 12:35 ` Geert Uytterhoeven
2020-10-27 19:14 ` [PATCH v5 seccomp 0/5]seccomp: Add bitmap cache of constant allow filter results Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202010271653.B6D7D6B@keescook \
--to=keescook@chromium.org \
--cc=aarcange@redhat.com \
--cc=bpf@vger.kernel.org \
--cc=containers@lists.linux-foundation.org \
--cc=dskarlat@cs.cmu.edu \
--cc=frankeh@us.ibm.com \
--cc=geert@linux-m68k.org \
--cc=gscrivan@redhat.com \
--cc=jannh@google.com \
--cc=jianyan2@illinois.edu \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=tobin@ibm.com \
--cc=torrella@illinois.edu \
--cc=tyxu@illinois.edu \
--cc=vrothber@redhat.com \
--cc=wad@chromium.org \
--cc=yifeifz2@illinois.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).