From: Jann Horn <jannh@google.com>
To: Kees Cook <keescook@chromium.org>
Cc: kernel list <linux-kernel@vger.kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
Will Drewry <wad@chromium.org>,
Christian Brauner <christian@brauner.io>,
Sargun Dhillon <sargun@sargun.me>,
Tycho Andersen <tycho@tycho.ws>,
"zhujianwei (C)" <zhujianwei7@huawei.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Matthew Wilcox <willy@infradead.org>,
Andy Lutomirski <luto@kernel.org>, Shuah Khan <shuah@kernel.org>,
Matt Denton <mpdenton@google.com>,
Chris Palmer <palmer@google.com>,
Jeffrey Vander Stoep <jeffv@google.com>,
Aleksa Sarai <cyphar@cyphar.com>,
Hehuazhen <hehuazhen@huawei.com>,
"the arch/x86 maintainers" <x86@kernel.org>,
Linux Containers <containers@lists.linux-foundation.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>
Subject: Re: [PATCH 3/8] seccomp: Introduce SECCOMP_PIN_ARCHITECTURE
Date: Wed, 17 Jun 2020 17:25:07 +0200 [thread overview]
Message-ID: <CAG48ez0-jSSaw85=ku35UM3vMe98Vz97B68LsUoNd8ftwpunkQ@mail.gmail.com> (raw)
In-Reply-To: <20200616074934.1600036-4-keescook@chromium.org>
On Tue, Jun 16, 2020 at 9:49 AM Kees Cook <keescook@chromium.org> wrote:
> For systems that provide multiple syscall maps based on architectures
> (e.g. AUDIT_ARCH_X86_64 and AUDIT_ARCH_I386 via CONFIG_COMPAT), allow
> a fast way to pin the process to a specific syscall mapping, instead of
> needing to generate all filters with an architecture check as the first
> filter action.
This seems reasonable; but can we maybe also add X86-specific handling
for that X32 mess? AFAIK there are four ways to do syscalls with
AUDIT_ARCH_X86_64:
1. normal x86-64 syscall, X32 bit unset (native case)
2. normal x86-64 syscall, X32 bit set (for X32 code calling syscalls
with no special X32 version)
3. x32-specific syscall, X32 bit unset (never happens legitimately)
4. x32-specific syscall, X32 bit set (for X32 code calling syscalls
with special X32 version)
(I got this wrong when I wrote the notes on x32 in the seccomp manpage...)
Can we add a flag for AUDIT_ARCH_X86_64 that says either "I want
native x64-64" (enforcing case 1) or "I want X32" (enforcing case 2 or
4, and in case 2 checking that the syscall has no X32 equivalent)? (Of
course, if the kernel is built without X32 support, we can leave out
these extra checks.)
> +static long seccomp_pin_architecture(void)
> +{
> +#ifdef CONFIG_COMPAT
> + u32 arch = syscall_get_arch(current);
> +
> + /* How did you even get here? */
> + if (current->seccomp.arch && current->seccomp.arch != arch)
> + return -EBUSY;
> +
> + current->seccomp.arch = arch;
> +#endif
> + return 0;
> +}
Are you intentionally writing this such that SECCOMP_PIN_ARCHITECTURE
only has an effect once you've installed a filter, and propagation to
other threads happens when a filter is installed with TSYNC? I guess
that is a possible way to design the API, but it seems like something
that should at least be pointed out explicitly.
next prev parent reply other threads:[~2020-06-17 15:25 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-16 7:49 [RFC][PATCH 0/8] seccomp: Implement constant action bitmaps Kees Cook
2020-06-16 7:49 ` [PATCH 1/8] selftests/seccomp: Improve calibration loop Kees Cook
2020-06-16 7:49 ` [PATCH 2/8] seccomp: Use pr_fmt Kees Cook
2020-06-16 7:49 ` [PATCH 3/8] seccomp: Introduce SECCOMP_PIN_ARCHITECTURE Kees Cook
2020-06-16 16:56 ` Andy Lutomirski
2020-06-17 15:25 ` Jann Horn [this message]
2020-06-17 15:29 ` Andy Lutomirski
2020-06-17 15:31 ` Jann Horn
2020-06-16 7:49 ` [PATCH 4/8] seccomp: Implement constant action bitmaps Kees Cook
2020-06-16 12:14 ` Jann Horn
2020-06-16 15:48 ` Kees Cook
2020-06-16 18:36 ` Jann Horn
2020-06-16 18:49 ` Kees Cook
2020-06-16 21:13 ` Andy Lutomirski
2020-06-16 14:40 ` Dave Hansen
2020-06-16 16:01 ` Kees Cook
2020-06-16 7:49 ` [PATCH 5/8] selftests/seccomp: Compare bitmap vs filter overhead Kees Cook
2020-06-16 7:49 ` [PATCH 6/8] x86: Provide API for local kernel TLB flushing Kees Cook
2020-06-16 16:59 ` Andy Lutomirski
2020-06-16 18:37 ` Kees Cook
2020-06-16 7:49 ` [PATCH 7/8] x86: Enable seccomp constant action bitmaps Kees Cook
2020-06-16 7:49 ` [PATCH 8/8] [DEBUG] seccomp: Report bitmap coverage ranges Kees Cook
2020-06-16 17:01 ` [RFC][PATCH 0/8] seccomp: Implement constant action bitmaps Andy Lutomirski
2020-06-16 18:35 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAG48ez0-jSSaw85=ku35UM3vMe98Vz97B68LsUoNd8ftwpunkQ@mail.gmail.com' \
--to=jannh@google.com \
--cc=christian@brauner.io \
--cc=containers@lists.linux-foundation.org \
--cc=cyphar@cyphar.com \
--cc=dave.hansen@linux.intel.com \
--cc=hehuazhen@huawei.com \
--cc=jeffv@google.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=luto@kernel.org \
--cc=mpdenton@google.com \
--cc=palmer@google.com \
--cc=sargun@sargun.me \
--cc=shuah@kernel.org \
--cc=tycho@tycho.ws \
--cc=wad@chromium.org \
--cc=willy@infradead.org \
--cc=x86@kernel.org \
--cc=zhujianwei7@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.