From: Topi Miettinen <toiwoton@gmail.com>
To: David Hildenbrand <david@redhat.com>,
David Laight <David.Laight@ACULAB.COM>,
Michal Hocko <mhocko@suse.com>, Kees Cook <keescook@chromium.org>
Cc: "akpm@linux-foundation.org" <akpm@linux-foundation.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] mm: optionally disable brk()
Date: Sun, 1 Nov 2020 13:41:30 +0200 [thread overview]
Message-ID: <ced9ebac-7222-1cd5-e1e4-d05b2f175984@gmail.com> (raw)
In-Reply-To: <b6baf73e-35fd-fe12-bb5f-b9b4e334ae83@redhat.com>
On 5.10.2020 15.18, David Hildenbrand wrote:
> On 05.10.20 13:21, David Laight wrote:
>> From: David Hildenbrand
>>> Sent: 05 October 2020 10:55
>> ...
>>>> If hardening and compatibility are seen as tradeoffs, perhaps there
>>>> could be a top level config choice (CONFIG_HARDENING_TRADEOFF) for this.
>>>> It would have options
>>>> - "compatibility" (default) to gear questions for maximum compatibility,
>>>> deselecting any hardening options which reduce compatibility
>>>> - "hardening" to gear questions for maximum hardening, deselecting any
>>>> compatibility options which reduce hardening
>>>> - "none/manual": ask all questions like before
>>>
>>> I think the general direction is to avoid an exploding set of config
>>> options. So if there isn't a *real* demand, I guess gluing this to a
>>> single option ("CONFIG_SECURITY_HARDENING") might be good enough.
>>
>> Wouldn't that be better achieved by run-time clobbering
>> of the syscall vectors?
>
> You mean via something like a boot parameter? Possibly yes.
>
This may be obvious, but a global seccomp filter which doesn't affect
NNP can be installed in initrd with a simple program with no changes to
kernel:
#include <errno.h>
#include <seccomp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char **argv) {
if (argc < 3) {
fprintf(stderr, "Usage: %s syscall [syscall]...
program\n", argv[0]);
return EXIT_FAILURE;
}
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
if (ctx == NULL) {
fprintf(stderr, "failed to init filter\n");
return EXIT_FAILURE;
}
int r;
r = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0);
if (r != 0) {
fprintf(stderr, "failed to disable NNP\n");
return EXIT_FAILURE;
}
fprintf(stderr, "filtering");
for (int i = 1; i < argc - 1; i++) {
const char *syscall = argv[i];
int syscall_nr = seccomp_syscall_resolve_name(syscall);
if (syscall_nr == __NR_SCMP_ERROR) {
//fprintf(stderr, "unknown syscall %s,
ignoring\n", syscall);
continue;
}
r = seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(ENOSYS),
syscall_nr, 0);
if (r != 0) {
//fprintf(stderr, "failed to filter syscall %s,
ignoring\n", syscall);
continue;
}
fprintf(stderr, " %s", syscall);
}
fprintf(stderr, "\n");
r = seccomp_load(ctx);
if (r != 0) {
fprintf(stderr, "failed to apply filter\n");
return EXIT_FAILURE;
}
seccomp_release(ctx);
char *program = argv[argc - 1];
char *new_argv[] = { program, NULL };
execv(program, new_argv);
fprintf(stderr, "failed to exec %s\n", program);
return EXIT_FAILURE;
}
This can be inserted in initrd to disable some obsolete and old system
calls like this:
#!/bin/sh
exec /usr/local/sbin/seccomp-exec _sysctl afs_syscall bdflush break
create_module ftime get_kernel_syms getpmsg gtty idle lock mpx prof
profil putpmsg query_module security sgetmask ssetmask stty sysfs
tuxcall ulimit uselib ustat vserver epoll_ctl_old epoll_wait_old
old_adjtimex old_getpagesize oldfstat oldlstat oldolduname oldstat
oldumount olduname osf_old_creat osf_old_fstat osf_old_getpgrp
osf_old_killpg osf_old_lstat osf_old_open osf_old_sigaction
osf_old_sigblock osf_old_sigreturn osf_old_sigsetmask osf_old_sigvec
osf_old_stat osf_old_vadvise osf_old_vtrace osf_old_wait osf_oldquota
vm86old brk /init
-Topi
prev parent reply other threads:[~2020-11-01 11:41 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-02 17:19 [PATCH] mm: optionally disable brk() Topi Miettinen
2020-10-02 17:52 ` David Hildenbrand
2020-10-02 21:19 ` David Laight
2020-10-02 21:44 ` Topi Miettinen
2020-10-05 6:12 ` Michal Hocko
2020-10-05 8:11 ` Topi Miettinen
2020-10-05 8:22 ` Michal Hocko
2020-10-05 9:03 ` Topi Miettinen
2020-10-05 14:12 ` Jonathan Corbet
2020-10-05 16:14 ` Topi Miettinen
2020-10-05 9:13 ` David Hildenbrand
2020-10-05 9:20 ` Michal Hocko
2020-10-05 9:47 ` Topi Miettinen
2020-10-05 9:55 ` David Hildenbrand
2020-10-05 11:21 ` David Laight
2020-10-05 12:18 ` David Hildenbrand
2020-10-05 12:25 ` David Laight
2020-10-07 9:43 ` Topi Miettinen
2020-11-01 11:41 ` Topi Miettinen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ced9ebac-7222-1cd5-e1e4-d05b2f175984@gmail.com \
--to=toiwoton@gmail.com \
--cc=David.Laight@ACULAB.COM \
--cc=akpm@linux-foundation.org \
--cc=david@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).