From: Kees Cook <keescook@chromium.org>
To: Chris Wilson <chris@chris-wilson.co.uk>
Cc: linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
intel-gfx@lists.freedesktop.org,
Andy Lutomirski <luto@amacapital.net>,
Will Drewry <wad@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
Dave Airlie <airlied@gmail.com>, Daniel Vetter <daniel@ffwll.ch>,
Lucas Stach <l.stach@pengutronix.de>,
jannh@google.com
Subject: Re: [PATCH] kernel: Expose SYS_kcmp by default
Date: Fri, 5 Feb 2021 10:37:09 -0800 [thread overview]
Message-ID: <202102051030.1AF01772D@keescook> (raw)
In-Reply-To: <20210205163752.11932-1-chris@chris-wilson.co.uk>
On Fri, Feb 05, 2021 at 04:37:52PM +0000, Chris Wilson wrote:
> Userspace has discovered the functionality offered by SYS_kcmp and has
> started to depend upon it. In particular, Mesa uses SYS_kcmp for
> os_same_file_description() in order to identify when two fd (e.g. device
> or dmabuf) point to the same struct file. Since they depend on it for
> core functionality, lift SYS_kcmp out of the non-default
> CONFIG_CHECKPOINT_RESTORE into the selectable syscall category.
>
> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Andy Lutomirski <luto@amacapital.net>
> Cc: Will Drewry <wad@chromium.org>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Dave Airlie <airlied@gmail.com>
> Cc: Daniel Vetter <daniel@ffwll.ch>
> Cc: Lucas Stach <l.stach@pengutronix.de>
> ---
> init/Kconfig | 11 +++++++++++
> kernel/Makefile | 2 +-
> tools/testing/selftests/seccomp/seccomp_bpf.c | 2 +-
> 3 files changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/init/Kconfig b/init/Kconfig
> index b77c60f8b963..f62fca13ac5b 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -1194,6 +1194,7 @@ endif # NAMESPACES
> config CHECKPOINT_RESTORE
> bool "Checkpoint/restore support"
> select PROC_CHILDREN
> + select KCMP
> default n
> help
> Enables additional kernel features in a sake of checkpoint/restore.
> @@ -1737,6 +1738,16 @@ config ARCH_HAS_MEMBARRIER_CALLBACKS
> config ARCH_HAS_MEMBARRIER_SYNC_CORE
> bool
>
> +config KCMP
> + bool "Enable kcmp() system call" if EXPERT
> + default y
I would expect this to be not default-y, especially if
CHECKPOINT_RESTORE does a "select" on it.
This is a really powerful syscall, but it is bounded by ptrace access
controls, and uses pointer address obfuscation, so it may be okay to
expose this. As it is, at least Ubuntu already has
CONFIG_CHECKPOINT_RESTORE, so really, there's probably not much
difference on exposure.
So, if you drop the "default y", I'm fine with this.
-Kees
> + help
> + Enable the file descriptor comparison system call. It provides
> + user-space with the ability to compare two fd to see if they
> + point to the same file, and check other attributes.
> +
> + If unsure, say Y.
> +
> config RSEQ
> bool "Enable rseq() system call" if EXPERT
> default y
> diff --git a/kernel/Makefile b/kernel/Makefile
> index aa7368c7eabf..320f1f3941b7 100644
> --- a/kernel/Makefile
> +++ b/kernel/Makefile
> @@ -51,7 +51,7 @@ obj-y += livepatch/
> obj-y += dma/
> obj-y += entry/
>
> -obj-$(CONFIG_CHECKPOINT_RESTORE) += kcmp.o
> +obj-$(CONFIG_KCMP) += kcmp.o
> obj-$(CONFIG_FREEZER) += freezer.o
> obj-$(CONFIG_PROFILING) += profile.o
> obj-$(CONFIG_STACKTRACE) += stacktrace.o
> diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
> index 26c72f2b61b1..1b6c7d33c4ff 100644
> --- a/tools/testing/selftests/seccomp/seccomp_bpf.c
> +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
> @@ -315,7 +315,7 @@ TEST(kcmp)
> ret = __filecmp(getpid(), getpid(), 1, 1);
> EXPECT_EQ(ret, 0);
> if (ret != 0 && errno == ENOSYS)
> - SKIP(return, "Kernel does not support kcmp() (missing CONFIG_CHECKPOINT_RESTORE?)");
> + SKIP(return, "Kernel does not support kcmp() (missing CONFIG_KCMP?)");
> }
>
> TEST(mode_strict_support)
> --
> 2.20.1
>
--
Kees Cook
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Will Drewry <wad@chromium.org>,
jannh@google.com, intel-gfx@lists.freedesktop.org,
linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
Andy Lutomirski <luto@amacapital.net>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH] kernel: Expose SYS_kcmp by default
Date: Fri, 5 Feb 2021 10:37:09 -0800 [thread overview]
Message-ID: <202102051030.1AF01772D@keescook> (raw)
In-Reply-To: <20210205163752.11932-1-chris@chris-wilson.co.uk>
On Fri, Feb 05, 2021 at 04:37:52PM +0000, Chris Wilson wrote:
> Userspace has discovered the functionality offered by SYS_kcmp and has
> started to depend upon it. In particular, Mesa uses SYS_kcmp for
> os_same_file_description() in order to identify when two fd (e.g. device
> or dmabuf) point to the same struct file. Since they depend on it for
> core functionality, lift SYS_kcmp out of the non-default
> CONFIG_CHECKPOINT_RESTORE into the selectable syscall category.
>
> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Andy Lutomirski <luto@amacapital.net>
> Cc: Will Drewry <wad@chromium.org>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Dave Airlie <airlied@gmail.com>
> Cc: Daniel Vetter <daniel@ffwll.ch>
> Cc: Lucas Stach <l.stach@pengutronix.de>
> ---
> init/Kconfig | 11 +++++++++++
> kernel/Makefile | 2 +-
> tools/testing/selftests/seccomp/seccomp_bpf.c | 2 +-
> 3 files changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/init/Kconfig b/init/Kconfig
> index b77c60f8b963..f62fca13ac5b 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -1194,6 +1194,7 @@ endif # NAMESPACES
> config CHECKPOINT_RESTORE
> bool "Checkpoint/restore support"
> select PROC_CHILDREN
> + select KCMP
> default n
> help
> Enables additional kernel features in a sake of checkpoint/restore.
> @@ -1737,6 +1738,16 @@ config ARCH_HAS_MEMBARRIER_CALLBACKS
> config ARCH_HAS_MEMBARRIER_SYNC_CORE
> bool
>
> +config KCMP
> + bool "Enable kcmp() system call" if EXPERT
> + default y
I would expect this to be not default-y, especially if
CHECKPOINT_RESTORE does a "select" on it.
This is a really powerful syscall, but it is bounded by ptrace access
controls, and uses pointer address obfuscation, so it may be okay to
expose this. As it is, at least Ubuntu already has
CONFIG_CHECKPOINT_RESTORE, so really, there's probably not much
difference on exposure.
So, if you drop the "default y", I'm fine with this.
-Kees
> + help
> + Enable the file descriptor comparison system call. It provides
> + user-space with the ability to compare two fd to see if they
> + point to the same file, and check other attributes.
> +
> + If unsure, say Y.
> +
> config RSEQ
> bool "Enable rseq() system call" if EXPERT
> default y
> diff --git a/kernel/Makefile b/kernel/Makefile
> index aa7368c7eabf..320f1f3941b7 100644
> --- a/kernel/Makefile
> +++ b/kernel/Makefile
> @@ -51,7 +51,7 @@ obj-y += livepatch/
> obj-y += dma/
> obj-y += entry/
>
> -obj-$(CONFIG_CHECKPOINT_RESTORE) += kcmp.o
> +obj-$(CONFIG_KCMP) += kcmp.o
> obj-$(CONFIG_FREEZER) += freezer.o
> obj-$(CONFIG_PROFILING) += profile.o
> obj-$(CONFIG_STACKTRACE) += stacktrace.o
> diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
> index 26c72f2b61b1..1b6c7d33c4ff 100644
> --- a/tools/testing/selftests/seccomp/seccomp_bpf.c
> +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
> @@ -315,7 +315,7 @@ TEST(kcmp)
> ret = __filecmp(getpid(), getpid(), 1, 1);
> EXPECT_EQ(ret, 0);
> if (ret != 0 && errno == ENOSYS)
> - SKIP(return, "Kernel does not support kcmp() (missing CONFIG_CHECKPOINT_RESTORE?)");
> + SKIP(return, "Kernel does not support kcmp() (missing CONFIG_KCMP?)");
> }
>
> TEST(mode_strict_support)
> --
> 2.20.1
>
--
Kees Cook
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Will Drewry <wad@chromium.org>,
jannh@google.com, intel-gfx@lists.freedesktop.org,
linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
Andy Lutomirski <luto@amacapital.net>,
Andrew Morton <akpm@linux-foundation.org>,
Lucas Stach <l.stach@pengutronix.de>
Subject: Re: [Intel-gfx] [PATCH] kernel: Expose SYS_kcmp by default
Date: Fri, 5 Feb 2021 10:37:09 -0800 [thread overview]
Message-ID: <202102051030.1AF01772D@keescook> (raw)
In-Reply-To: <20210205163752.11932-1-chris@chris-wilson.co.uk>
On Fri, Feb 05, 2021 at 04:37:52PM +0000, Chris Wilson wrote:
> Userspace has discovered the functionality offered by SYS_kcmp and has
> started to depend upon it. In particular, Mesa uses SYS_kcmp for
> os_same_file_description() in order to identify when two fd (e.g. device
> or dmabuf) point to the same struct file. Since they depend on it for
> core functionality, lift SYS_kcmp out of the non-default
> CONFIG_CHECKPOINT_RESTORE into the selectable syscall category.
>
> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Andy Lutomirski <luto@amacapital.net>
> Cc: Will Drewry <wad@chromium.org>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Dave Airlie <airlied@gmail.com>
> Cc: Daniel Vetter <daniel@ffwll.ch>
> Cc: Lucas Stach <l.stach@pengutronix.de>
> ---
> init/Kconfig | 11 +++++++++++
> kernel/Makefile | 2 +-
> tools/testing/selftests/seccomp/seccomp_bpf.c | 2 +-
> 3 files changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/init/Kconfig b/init/Kconfig
> index b77c60f8b963..f62fca13ac5b 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -1194,6 +1194,7 @@ endif # NAMESPACES
> config CHECKPOINT_RESTORE
> bool "Checkpoint/restore support"
> select PROC_CHILDREN
> + select KCMP
> default n
> help
> Enables additional kernel features in a sake of checkpoint/restore.
> @@ -1737,6 +1738,16 @@ config ARCH_HAS_MEMBARRIER_CALLBACKS
> config ARCH_HAS_MEMBARRIER_SYNC_CORE
> bool
>
> +config KCMP
> + bool "Enable kcmp() system call" if EXPERT
> + default y
I would expect this to be not default-y, especially if
CHECKPOINT_RESTORE does a "select" on it.
This is a really powerful syscall, but it is bounded by ptrace access
controls, and uses pointer address obfuscation, so it may be okay to
expose this. As it is, at least Ubuntu already has
CONFIG_CHECKPOINT_RESTORE, so really, there's probably not much
difference on exposure.
So, if you drop the "default y", I'm fine with this.
-Kees
> + help
> + Enable the file descriptor comparison system call. It provides
> + user-space with the ability to compare two fd to see if they
> + point to the same file, and check other attributes.
> +
> + If unsure, say Y.
> +
> config RSEQ
> bool "Enable rseq() system call" if EXPERT
> default y
> diff --git a/kernel/Makefile b/kernel/Makefile
> index aa7368c7eabf..320f1f3941b7 100644
> --- a/kernel/Makefile
> +++ b/kernel/Makefile
> @@ -51,7 +51,7 @@ obj-y += livepatch/
> obj-y += dma/
> obj-y += entry/
>
> -obj-$(CONFIG_CHECKPOINT_RESTORE) += kcmp.o
> +obj-$(CONFIG_KCMP) += kcmp.o
> obj-$(CONFIG_FREEZER) += freezer.o
> obj-$(CONFIG_PROFILING) += profile.o
> obj-$(CONFIG_STACKTRACE) += stacktrace.o
> diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
> index 26c72f2b61b1..1b6c7d33c4ff 100644
> --- a/tools/testing/selftests/seccomp/seccomp_bpf.c
> +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
> @@ -315,7 +315,7 @@ TEST(kcmp)
> ret = __filecmp(getpid(), getpid(), 1, 1);
> EXPECT_EQ(ret, 0);
> if (ret != 0 && errno == ENOSYS)
> - SKIP(return, "Kernel does not support kcmp() (missing CONFIG_CHECKPOINT_RESTORE?)");
> + SKIP(return, "Kernel does not support kcmp() (missing CONFIG_KCMP?)");
> }
>
> TEST(mode_strict_support)
> --
> 2.20.1
>
--
Kees Cook
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
next prev parent reply other threads:[~2021-02-05 18:39 UTC|newest]
Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-05 16:37 [PATCH] kernel: Expose SYS_kcmp by default Chris Wilson
2021-02-05 16:37 ` [Intel-gfx] " Chris Wilson
2021-02-05 16:37 ` Chris Wilson
2021-02-05 17:02 ` Lucas Stach
2021-02-05 17:02 ` [Intel-gfx] " Lucas Stach
2021-02-05 17:02 ` Lucas Stach
2021-02-05 18:37 ` Kees Cook [this message]
2021-02-05 18:37 ` [Intel-gfx] " Kees Cook
2021-02-05 18:37 ` Kees Cook
2021-02-05 20:53 ` Daniel Vetter
2021-02-05 20:53 ` [Intel-gfx] " Daniel Vetter
2021-02-05 20:53 ` Daniel Vetter
2021-02-08 11:49 ` Michel Dänzer
2021-02-08 11:49 ` [Intel-gfx] " Michel Dänzer
2021-02-08 11:49 ` Michel Dänzer
2021-02-08 13:11 ` Michel Dänzer
2021-02-08 13:11 ` [Intel-gfx] " Michel Dänzer
2021-02-08 13:11 ` Michel Dänzer
2021-02-08 13:34 ` Daniel Vetter
2021-02-08 13:34 ` [Intel-gfx] " Daniel Vetter
2021-02-08 13:34 ` Daniel Vetter
2021-02-08 13:49 ` Michel Dänzer
2021-02-08 13:49 ` [Intel-gfx] " Michel Dänzer
2021-02-08 13:49 ` Michel Dänzer
2021-02-05 19:25 ` kernel test robot
2021-02-05 19:25 ` kernel test robot
2021-02-05 19:25 ` [Intel-gfx] " kernel test robot
2021-02-05 19:25 ` kernel test robot
2021-02-05 19:46 ` kernel test robot
2021-02-05 19:46 ` kernel test robot
2021-02-05 19:46 ` [Intel-gfx] " kernel test robot
2021-02-05 19:46 ` kernel test robot
2021-02-05 21:06 ` [PATCH v2] " Chris Wilson
2021-02-05 21:06 ` [Intel-gfx] " Chris Wilson
2021-02-05 21:06 ` Chris Wilson
2021-02-05 21:16 ` Chris Wilson
2021-02-05 21:16 ` [Intel-gfx] " Chris Wilson
2021-02-05 21:16 ` Chris Wilson
2021-02-05 21:20 ` Kees Cook
2021-02-05 21:20 ` [Intel-gfx] " Kees Cook
2021-02-05 21:20 ` Kees Cook
2021-02-05 21:28 ` Chris Wilson
2021-02-05 21:28 ` [Intel-gfx] " Chris Wilson
2021-02-05 21:28 ` Chris Wilson
2021-02-05 21:48 ` Daniel Vetter
2021-02-05 21:48 ` [Intel-gfx] " Daniel Vetter
2021-02-05 21:48 ` Daniel Vetter
2021-02-05 21:47 ` Rasmus Villemoes
2021-02-05 21:47 ` [Intel-gfx] " Rasmus Villemoes
2021-02-05 21:47 ` Rasmus Villemoes
2021-02-05 22:00 ` [PATCH v3] kcmp: Support selection of SYS_kcmp without CHECKPOINT_RESTORE Chris Wilson
2021-02-05 22:00 ` [Intel-gfx] " Chris Wilson
2021-02-05 22:00 ` Chris Wilson
2021-02-06 12:47 ` Cyrill Gorcunov
2021-02-06 12:47 ` [Intel-gfx] " Cyrill Gorcunov
2021-02-06 12:47 ` Cyrill Gorcunov
2021-02-08 22:12 ` Kees Cook
2021-02-08 22:12 ` [Intel-gfx] " Kees Cook
2021-02-08 22:12 ` Kees Cook
2021-02-16 9:02 ` Daniel Vetter
2021-02-16 9:02 ` [Intel-gfx] " Daniel Vetter
2021-02-16 9:02 ` Daniel Vetter
2021-02-12 12:57 ` Emil Velikov
2021-02-12 12:57 ` [Intel-gfx] " Emil Velikov
2021-02-12 12:57 ` Emil Velikov
2021-02-12 13:14 ` Simon Ser
2021-02-12 13:14 ` [Intel-gfx] " Simon Ser
2021-02-12 13:14 ` Simon Ser
2021-02-12 14:07 ` Emil Velikov
2021-02-12 14:07 ` [Intel-gfx] " Emil Velikov
2021-02-12 14:07 ` Emil Velikov
2021-02-12 14:01 ` Michel Dänzer
2021-02-12 14:01 ` [Intel-gfx] " Michel Dänzer
2021-02-12 14:01 ` Michel Dänzer
2021-02-12 14:09 ` Emil Velikov
2021-02-12 14:09 ` [Intel-gfx] " Emil Velikov
2021-02-12 14:09 ` Emil Velikov
2021-02-15 8:56 ` Thomas Zimmermann
2021-02-15 8:56 ` [Intel-gfx] " Thomas Zimmermann
2021-02-15 8:56 ` Thomas Zimmermann
2021-02-06 2:01 ` [Intel-gfx] ✓ Fi.CI.BAT: success for kernel: Expose SYS_kcmp by default (rev3) Patchwork
2021-02-06 14:21 ` [Intel-gfx] ✓ Fi.CI.IGT: " Patchwork
2021-02-13 17:40 ` [PATCH] kernel: Expose SYS_kcmp by default Pavel Machek
2021-02-13 17:40 ` [Intel-gfx] " Pavel Machek
2021-02-13 17:40 ` Pavel Machek
2021-02-15 10:23 ` Lucas Stach
2021-02-15 10:23 ` [Intel-gfx] " Lucas Stach
2021-02-15 10:23 ` Lucas Stach
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202102051030.1AF01772D@keescook \
--to=keescook@chromium.org \
--cc=airlied@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=chris@chris-wilson.co.uk \
--cc=daniel@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=intel-gfx@lists.freedesktop.org \
--cc=jannh@google.com \
--cc=l.stach@pengutronix.de \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.