From: Will Drewry <wad@chromium.org>
To: Randy Dunlap <rdunlap@xenotime.net>
Cc: linux-kernel@vger.kernel.org, keescook@chromium.org,
john.johansen@canonical.com, serge.hallyn@canonical.com,
coreyb@linux.vnet.ibm.com, pmoore@redhat.com, eparis@redhat.com,
djm@mindrot.org, torvalds@linux-foundation.org,
segoon@openwall.com, rostedt@goodmis.org, jmorris@namei.org,
scarybeasts@gmail.com, avi@redhat.com, penberg@cs.helsinki.fi,
viro@zeniv.linux.org.uk, luto@mit.edu, mingo@elte.hu,
akpm@linux-foundation.org, khilman@ti.com,
borislav.petkov@amd.com, amwang@redhat.com, oleg@redhat.com,
ak@linux.intel.com, eric.dumazet@gmail.com, gregkh@suse.de,
dhowells@redhat.com, daniel.lezcano@free.fr,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org, olofj@chromium.org,
mhalcrow@google.com, dlaor@redhat.com, corbet@lwn.net,
alan@lxorguk.ukuu.org.uk
Subject: Re: [PATCH v3 3/3] Documentation: prctl/seccomp_filter
Date: Sun, 15 Jan 2012 19:41:03 -0600 [thread overview]
Message-ID: <CABqD9hYg79C6ctW6dzsV1CQ8e3zDpAWiiRP+C1PgC2M6huubvA@mail.gmail.com> (raw)
In-Reply-To: <4F12316E.6050204@xenotime.net>
On Sat, Jan 14, 2012 at 7:52 PM, Randy Dunlap <rdunlap@xenotime.net> wrote:
> On 01/12/2012 03:38 PM, Will Drewry wrote:
>> Documents how system call filtering using Berkeley Packet
>> Filter programs works and how it may be used.
>> Includes an example for x86 (32-bit).
>>
>> v3: - call out BPF <-> Berkeley Packet Filter (rdunlap@xenotime.net)
>> - document use of tentative always-unprivileged
>> - guard sample compilation for i386 and x86_64
>> v2: - move code to samples (corbet@lwn.net)
>>
>> Signed-off-by: Will Drewry <wad@chromium.org>
>> ---
>> Documentation/prctl/seccomp_filter.txt | 94 ++++++++++++++++++++++++++++++++
>> samples/Makefile | 2 +-
>> samples/seccomp/Makefile | 18 ++++++
>> samples/seccomp/bpf-example.c | 74 +++++++++++++++++++++++++
>> 4 files changed, 187 insertions(+), 1 deletions(-)
>> create mode 100644 Documentation/prctl/seccomp_filter.txt
>> create mode 100644 samples/seccomp/Makefile
>> create mode 100644 samples/seccomp/bpf-example.c
>>
>> diff --git a/Documentation/prctl/seccomp_filter.txt b/Documentation/prctl/seccomp_filter.txt
>> new file mode 100644
>> index 0000000..2db8b89
>> --- /dev/null
>> +++ b/Documentation/prctl/seccomp_filter.txt
>> @@ -0,0 +1,94 @@
>> + Seccomp filtering
>> + =================
>> +
>> +Introduction
>> +------------
>> +
>> +A large number of system calls are exposed to every userland process
>> +with many of them going unused for the entire lifetime of the process.
>> +As system calls change and mature, bugs are found and eradicated. A
>> +certain subset of userland applications benefit by having a reduced set
>> +of available system calls. The resulting set reduces the total kernel
>> +surface exposed to the application. System call filtering is meant for
>> +use with those applications.
>> +
>> +Seccomp filtering provides a means for a process to specify a filter
>> +for incoming system calls. The filter is expressed as a Berkeley Packet
>> +Filter (BPF) program, as with socket filters, except that the data
>> +operated on is the current user_regs_struct. This allows for expressive
>> +filtering of system calls using the pre-existing system call ABI and
>> +using a filter program language with a long history of being exposed to
>> +userland. Additionally, BPF makes it impossible for users of seccomp to
>> +fall prey to time-of-check-time-of-use (TOCTOU) attacks that are common
>> +in system call interposition frameworks because the evaluated data is
>> +solely register state just after system call entry.
>> +
>> +What it isn't
>> +-------------
>> +
>> +System call filtering isn't a sandbox. It provides a clearly defined
>> +mechanism for minimizing the exposed kernel surface. Beyond that,
>> +policy for logical behavior and information flow should be managed with
>> +a combinations of other system hardening techniques and, potentially, a
>
> combination an
>
>> +LSM of your choosing. Expressive, dynamic filters provide further options down
>> +this path (avoiding pathological sizes or selecting which of the multiplexed
>> +system calls in socketcall() is allowed, for instance) which could be
>> +construed, incorrectly, as a more complete sandboxing solution.
>> +
>> +Usage
>> +-----
>> +
>> +An additional seccomp mode is added, but they are not directly set by the
>> +consuming process. The new mode, '2', is only available if
>> +CONFIG_SECCOMP_FILTER is set and enabled using prctl with the
>> +PR_ATTACH_SECCOMP_FILTER argument.
>> +
>> +Interacting with seccomp filters is done using one prctl(2) call.
>> +
>> +PR_ATTACH_SECCOMP_FILTER:
>> + Allows the specification of a new filter using a BPF program.
>> + The BPF program will be executed over a user_regs_struct data
>> + reflecting system call time except with the system call number
>> + resident in orig_[register]. To allow a system call, the size
>> + of the data must be returned. At present, all other return values
>> + result in the system call being blocked, but it is recommended to
>> + return 0 in those cases. This will allow for future custom return
>> + values to be introduced, if ever desired.
>> +
>> + Usage:
>> + prctl(PR_ATTACH_SECCOMP_FILTER, prog);
>> +
>> + The 'prog' argument is a pointer to a struct sock_fprog which will
>> + contain the filter program. If the program is invalid, the call
>> + will return -1 and set errno to -EINVAL.
>
> EINVAL.
> (I think)
>
>> +
>> + The struct user_regs_struct the @prog will see is based on the
>> + personality of the task at the time of this prctl call. Additionally,
>> + is_compat_task is also tracked for the @prog. This means that once set
>> + the calling task will have all of its system calls blocked if it
>> + switches its system call ABI (via personality or other means).
>> +
>> + If fork/clone and execve are allowed by @prog, any child processes will
>> + be constrained to the same filters and syscal call ABI as the parent.
>
> syscall
>
>> +
>> + When called from an unprivileged process (lacking CAP_SYS_ADMIN), the
>> + "always_unprivileged" bit is enabled for the process.
>> +
>> + Additionally, if prctl(2) is allowed by the attached filter,
>> + additional filters may be layered on which will increase evaluation
>> + time, but allow for further decreasing the attack surface during
>> + execution of a process.
>> +
>> +The above call returns 0 on success and non-zero on error.
>> +
>> +Example
>> +-------
>> +
>> +samples/seccomp-bpf-example.c shows an example process that allows read from stdin,
>
> samples/seccomp/bpf-example.c
>
>> +write to stdout/err, exit and signal returns for 32-bit x86.
>
> /stderr,
>
Thanks for the close reading! I've got another patchset mostly rolled
and I'll pull these in too.
will
next prev parent reply other threads:[~2012-01-16 1:41 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-12 23:38 [PATCH PLACEHOLDER 1/3] fs/exec: "always_unprivileged" patch Will Drewry
2012-01-12 23:38 ` [PATCH v3 2/3] seccomp_filters: system call filtering using BPF Will Drewry
2012-01-13 0:51 ` Randy Dunlap
2012-01-12 23:59 ` Will Drewry
2012-01-13 1:35 ` Randy Dunlap
2012-01-13 17:39 ` Eric Paris
2012-01-13 18:50 ` Will Drewry
2012-01-12 23:38 ` [PATCH v3 3/3] Documentation: prctl/seccomp_filter Will Drewry
2012-01-15 1:52 ` Randy Dunlap
2012-01-16 1:41 ` Will Drewry [this message]
2012-01-17 23:29 ` Eric Paris
2012-01-17 23:54 ` Will Drewry
2012-01-12 23:47 ` [PATCH PLACEHOLDER 1/3] fs/exec: "always_unprivileged" patch Linus Torvalds
2012-01-13 0:03 ` Will Drewry
2012-01-13 0:42 ` Andrew Lutomirski
2012-01-13 0:57 ` Linus Torvalds
2012-01-13 1:11 ` Andrew Lutomirski
2012-01-13 1:17 ` Linus Torvalds
2012-01-14 13:30 ` Jamie Lokier
2012-01-14 19:21 ` Will Drewry
2012-01-14 20:22 ` Linus Torvalds
2012-01-14 21:04 ` Andrew Lutomirski
2012-01-15 20:16 ` Casey Schaufler
2012-01-15 20:59 ` Andrew Lutomirski
2012-01-15 21:32 ` Casey Schaufler
2012-01-15 22:07 ` Andrew Lutomirski
2012-01-16 2:04 ` Will Drewry
2012-01-18 3:12 ` Eric W. Biederman
2012-01-16 2:41 ` Casey Schaufler
2012-01-16 7:45 ` Andrew Lutomirski
2012-01-16 18:02 ` Casey Schaufler
2012-01-13 1:37 ` Will Drewry
2012-01-13 1:41 ` Andrew Lutomirski
2012-01-13 2:09 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CABqD9hYg79C6ctW6dzsV1CQ8e3zDpAWiiRP+C1PgC2M6huubvA@mail.gmail.com \
--to=wad@chromium.org \
--cc=ak@linux.intel.com \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=amwang@redhat.com \
--cc=avi@redhat.com \
--cc=borislav.petkov@amd.com \
--cc=corbet@lwn.net \
--cc=coreyb@linux.vnet.ibm.com \
--cc=daniel.lezcano@free.fr \
--cc=dhowells@redhat.com \
--cc=djm@mindrot.org \
--cc=dlaor@redhat.com \
--cc=eparis@redhat.com \
--cc=eric.dumazet@gmail.com \
--cc=gregkh@suse.de \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=khilman@ti.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@mit.edu \
--cc=mhalcrow@google.com \
--cc=mingo@elte.hu \
--cc=oleg@redhat.com \
--cc=olofj@chromium.org \
--cc=penberg@cs.helsinki.fi \
--cc=pmoore@redhat.com \
--cc=rdunlap@xenotime.net \
--cc=rostedt@goodmis.org \
--cc=scarybeasts@gmail.com \
--cc=segoon@openwall.com \
--cc=serge.hallyn@canonical.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).