From: Andy Lutomirski <luto@amacapital.net>
To: Kees Cook <keescook@chromium.org>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Oleg Nesterov <oleg@redhat.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Peter Zijlstra <peterz@infradead.org>,
James Morris <james.l.morris@oracle.com>,
Eric Paris <eparis@redhat.com>, Juri Lelli <juri.lelli@gmail.com>,
John Stultz <john.stultz@linaro.org>,
"David S. Miller" <davem@davemloft.net>,
Daniel Borkmann <dborkman@redhat.com>,
Alex Thorlton <athorlton@sgi.com>, Rik van Riel <riel@redhat.com>,
Daeseok Youn <daeseok.youn@gmail.com>,
David Rientjes <rientjes@google.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Dario Faggioli <raistlin@linux.it>,
Rashika Kheria <rashika.kheria@gmail.com>,
liguang <lig.fnst@cn.fujitsu.com>,
Geert Uytterhoeven <geert@linux-m68k.org>,
"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
LSM List <linux-security-module@vger.kernel.org>,
Will Drewry <wad@chromium.org>, Julien Tinnes <jln@google.com>
Subject: Re: [PATCH v5 6/6] seccomp: add SECCOMP_EXT_ACT_TSYNC and SECCOMP_FILTER_TSYNC
Date: Mon, 26 May 2014 12:27:22 -0700 [thread overview]
Message-ID: <CALCETrX3fjeHeigLXy7Juq6XrNFEeZLQPLmQhiOwBDgc0MRtBw@mail.gmail.com> (raw)
In-Reply-To: <CAGXu5j+=itFtHe25pZxXsk+1C1Cca4DGm83SC93=xRctUdeXsw@mail.gmail.com>
On Fri, May 23, 2014 at 10:05 AM, Kees Cook <keescook@chromium.org> wrote:
> On Thu, May 22, 2014 at 4:11 PM, Andy Lutomirski <luto@amacapital.net> wrote:
>> On Thu, May 22, 2014 at 4:05 PM, Kees Cook <keescook@chromium.org> wrote:
>>> Applying restrictive seccomp filter programs to large or diverse
>>> codebases often requires handling threads which may be started early in
>>> the process lifetime (e.g., by code that is linked in). While it is
>>> possible to apply permissive programs prior to process start up, it is
>>> difficult to further restrict the kernel ABI to those threads after that
>>> point.
>>>
>>> This change adds a new seccomp extension action for synchronizing thread
>>> group seccomp filters and a prctl() for accessing that functionality,
>>> as well as a flag for SECCOMP_EXT_ACT_FILTER to perform sync at filter
>>> installation time.
>>>
>>> When calling prctl(PR_SECCOMP_EXT, SECCOMP_EXT_ACT, SECCOMP_EXT_ACT_FILTER,
>>> flags, filter) with flags containing SECCOMP_FILTER_TSYNC, or when calling
>>> prctl(PR_SECCOMP_EXT, SECCOMP_EXT_ACT, SECCOMP_EXT_ACT_TSYNC, 0, 0), it
>>> will attempt to synchronize all threads in current's threadgroup to its
>>> seccomp filter program. This is possible iff all threads are using a filter
>>> that is an ancestor to the filter current is attempting to synchronize to.
>>> NULL filters (where the task is running as SECCOMP_MODE_NONE) are also
>>> treated as ancestors allowing threads to be transitioned into
>>> SECCOMP_MODE_FILTER. If prctrl(PR_SET_NO_NEW_PRIVS, ...) has been set on the
>>> calling thread, no_new_privs will be set for all synchronized threads too.
>>> On success, 0 is returned. On failure, the pid of one of the failing threads
>>> will be returned, with as many filters installed as possible.
>>
>> Is there a use case for adding a filter and synchronizing filters
>> being separate operations? If not, I think this would be easier to
>> understand and to use if there was just a single operation.
>
> Yes: if the other thread's lifetime is not well controlled, it's good
> to be able to have a distinct interface to retry the thread sync that
> doesn't require adding "no-op" filters.
Wouldn't this still be solved by:
seccomp_add_filter(final_filter, SECCOMP_FILTER_ALL_THREADS);
the idea would be that, if seccomp_add_filter fails, then you give up
and, if it succeeds, then you're done. It shouldn't fail unless out
of memory or you've nested too deeply.
>
>> If you did that, you'd have to decide whether to continue requiring
>> that all the other threads have a filter that's an ancestor of the
>> current thread's filter.
>
> This is required no matter what to make sure there is no way to
> replace a filter tree with a different one (allowing accidental
> bypasses, misbehavior, etc).
What I mean is: should the add-new-filter-to-all-threads operation
add the new filter to all threads, regardless of what their current
state is, or should it fail if any thread has a filter that isn't an
ancestor of the current thread's filter? Either version should be
safe.
--Andy
next prev parent reply other threads:[~2014-05-26 19:27 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-22 23:05 [PATCH v5 0/6] seccomp: add PR_SECCOMP_EXT and SECCOMP_EXT_ACT_TSYNC Kees Cook
2014-05-22 23:05 ` [PATCH v5 1/6] seccomp: create internal mode-setting function Kees Cook
2014-05-22 23:05 ` [PATCH v5 2/6] seccomp: split filter prep from check and apply Kees Cook
2014-05-22 23:05 ` [PATCH v5 3/6] seccomp: introduce writer locking Kees Cook
2014-05-23 0:28 ` Alexei Starovoitov
2014-05-23 8:49 ` Peter Zijlstra
2014-05-23 21:05 ` Kees Cook
2014-05-22 23:05 ` [PATCH v5 4/6] seccomp: move no_new_privs into seccomp Kees Cook
2014-05-22 23:08 ` Andy Lutomirski
2014-05-22 23:05 ` [PATCH v5 5/6] seccomp: add PR_SECCOMP_EXT and SECCOMP_EXT_ACT_FILTER Kees Cook
2014-05-22 23:05 ` [PATCH v5 6/6] seccomp: add SECCOMP_EXT_ACT_TSYNC and SECCOMP_FILTER_TSYNC Kees Cook
2014-05-22 23:11 ` Andy Lutomirski
2014-05-23 17:05 ` Kees Cook
2014-05-26 19:27 ` Andy Lutomirski [this message]
2014-05-27 18:24 ` Kees Cook
2014-05-27 18:40 ` Andy Lutomirski
2014-05-27 18:45 ` Kees Cook
2014-05-27 19:10 ` Andy Lutomirski
2014-05-27 19:23 ` Kees Cook
2014-05-27 19:27 ` Andy Lutomirski
2014-05-27 19:55 ` Kees Cook
2014-06-02 20:53 ` Andy Lutomirski
2014-06-03 0:14 ` Kees Cook
2014-06-03 0:29 ` Andy Lutomirski
2014-06-03 1:09 ` Kees Cook
2014-06-03 1:15 ` Andy Lutomirski
2014-06-03 19:53 ` Kees Cook
2014-06-02 19:47 ` [PATCH v5 0/6] seccomp: add PR_SECCOMP_EXT and SECCOMP_EXT_ACT_TSYNC Kees Cook
2014-06-02 19:59 ` Andy Lutomirski
2014-06-02 20:06 ` Kees Cook
2014-06-02 21:17 ` Andy Lutomirski
2014-06-02 23:05 ` Kees Cook
2014-06-02 23:08 ` Andy Lutomirski
2014-06-02 23:08 ` Andy Lutomirski
2014-06-03 10:12 ` Michael Kerrisk
2014-06-03 10:12 ` Michael Kerrisk
2014-06-03 23:47 ` Julien Tinnes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALCETrX3fjeHeigLXy7Juq6XrNFEeZLQPLmQhiOwBDgc0MRtBw@mail.gmail.com \
--to=luto@amacapital.net \
--cc=athorlton@sgi.com \
--cc=daeseok.youn@gmail.com \
--cc=davem@davemloft.net \
--cc=dborkman@redhat.com \
--cc=ebiederm@xmission.com \
--cc=eparis@redhat.com \
--cc=geert@linux-m68k.org \
--cc=james.l.morris@oracle.com \
--cc=jln@google.com \
--cc=john.stultz@linaro.org \
--cc=juri.lelli@gmail.com \
--cc=keescook@chromium.org \
--cc=lig.fnst@cn.fujitsu.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=peterz@infradead.org \
--cc=raistlin@linux.it \
--cc=rashika.kheria@gmail.com \
--cc=riel@redhat.com \
--cc=rientjes@google.com \
--cc=viro@zeniv.linux.org.uk \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.