All of lore.kernel.org
 help / color / mirror / Atom feed
From: Tycho Andersen <tycho@tycho.ws>
To: Kees Cook <keescook@chromium.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
	Linux Containers <containers@lists.linux-foundation.org>,
	Andy Lutomirski <luto@amacapital.net>,
	Oleg Nesterov <oleg@redhat.com>,
	"Eric W . Biederman" <ebiederm@xmission.com>,
	"Serge E . Hallyn" <serge@hallyn.com>,
	Christian Brauner <christian.brauner@ubuntu.com>,
	Tyler Hicks <tyhicks@canonical.com>,
	Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Subject: Re: [RFC 3/3] seccomp: add a way to get a listener fd from ptrace
Date: Wed, 14 Feb 2018 08:33:59 -0700	[thread overview]
Message-ID: <20180214153359.6wj6wclsqvgj4jlt@smitten> (raw)
In-Reply-To: <CAGXu5jLS2dzCjZOKa-W4kUdOPoJkRAq5Rsw1t5jX99v34yaoQw@mail.gmail.com>

On Tue, Feb 13, 2018 at 01:32:26PM -0800, Kees Cook wrote:
> On Sun, Feb 4, 2018 at 2:49 AM, Tycho Andersen <tycho@tycho.ws> wrote:
> > As an alternative to SECCOMP_FILTER_FLAG_GET_LISTENER, perhaps a ptrace()
> > version which can acquire filters is useful. There are at least two reasons
> > this is preferable, even though it uses ptrace:
> >
> > 1. You can control tasks that aren't cooperating with you
> > 2. You can control tasks whose filters block sendmsg() and socket(); if the
> >    task installs a filter which blocks these calls, there's no way with
> >    SECCOMP_FILTER_FLAG_GET_LISTENER to get the fd out to the privileged task.
> 
> I got worried for a second that this would get us into a many-to-many
> state, but I see init_listener enforces a single listener per filter.
> Whew. Seems legit. :)

Yes, although if you sendmsg() the listener fd, you could still get
into that state, so it's still maybe a concern?

Tycho

  parent reply	other threads:[~2018-02-14 15:34 UTC|newest]

Thread overview: 59+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-02-04 10:49 [RFC 0/3] seccomp trap to userspace Tycho Andersen
2018-02-04 10:49 ` [RFC 1/3] seccomp: add a return code to " Tycho Andersen
2018-02-13 21:09   ` Kees Cook
     [not found]     ` <CAGXu5jLAAKY19a9iC1PmXRyuwdn1Zxr2Cb318zdzkqgYt8vtdg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2018-02-14 15:29       ` Tycho Andersen
2018-02-14 15:29         ` Tycho Andersen
2018-02-14 17:19         ` Andy Lutomirski
2018-02-14 17:23           ` Tycho Andersen
2018-02-15 14:48           ` Christian Brauner
     [not found]           ` <CALCETrXeZZfVzXh7SwKhyB=+ySDk5fhrrdrXrcABsQ=JpQT7Tg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2018-02-14 17:23             ` Tycho Andersen
2018-02-15 14:48             ` Christian Brauner
2018-02-27  0:49             ` Kees Cook
2018-02-27  0:49           ` Kees Cook
     [not found]             ` <CAGXu5jKBmej+fXhEc+Jy7Guy+vXEZkHnc=4LNm1NNEsc1=DFVA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2018-02-27  3:27               ` Andy Lutomirski
2018-02-27  3:27                 ` Andy Lutomirski
2018-02-14 17:19         ` Andy Lutomirski
     [not found]   ` <20180204104946.25559-2-tycho-E0fblnxP3wo@public.gmane.org>
2018-02-04 17:36     ` Andy Lutomirski
2018-02-04 17:36       ` Andy Lutomirski
     [not found]       ` <CALCETrWgu5n+SMqrsZQ7MVYPtzs8otuc7hpA5uPH+JNtFrMBkQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2018-02-04 20:01         ` Tycho Andersen
2018-02-04 20:01           ` Tycho Andersen
2018-02-04 20:33           ` Andy Lutomirski
     [not found]             ` <CALCETrV81yr_zhuBbCTE8NgYx42oq=qvP=nLMsST0iS2wtOZng-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2018-02-05  8:47               ` Tycho Andersen
2018-02-05  8:47             ` Tycho Andersen
2018-02-04 20:33           ` Andy Lutomirski
2018-02-13 21:09     ` Kees Cook
2018-02-04 10:49 ` [RFC 2/3] seccomp: hoist out filter resolving logic Tycho Andersen
     [not found]   ` <20180204104946.25559-3-tycho-E0fblnxP3wo@public.gmane.org>
2018-02-13 21:29     ` Kees Cook
2018-02-13 21:29   ` Kees Cook
2018-02-14 15:33     ` Tycho Andersen
2018-02-14 15:33     ` Tycho Andersen
     [not found] ` <20180204104946.25559-1-tycho-E0fblnxP3wo@public.gmane.org>
2018-02-04 10:49   ` [RFC 1/3] seccomp: add a return code to trap to userspace Tycho Andersen
2018-02-04 10:49   ` [RFC 2/3] seccomp: hoist out filter resolving logic Tycho Andersen
2018-02-04 10:49   ` [RFC 3/3] seccomp: add a way to get a listener fd from ptrace Tycho Andersen
2018-03-15 16:09   ` [RFC 0/3] seccomp trap to userspace Christian Brauner
2018-02-04 10:49 ` [RFC 3/3] seccomp: add a way to get a listener fd from ptrace Tycho Andersen
     [not found]   ` <20180204104946.25559-4-tycho-E0fblnxP3wo@public.gmane.org>
2018-02-13 21:32     ` Kees Cook
2018-02-13 21:32       ` Kees Cook
     [not found]       ` <CAGXu5jLS2dzCjZOKa-W4kUdOPoJkRAq5Rsw1t5jX99v34yaoQw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2018-02-14 15:33         ` Tycho Andersen
2018-02-14 15:33       ` Tycho Andersen [this message]
2018-03-15 16:09 ` [RFC 0/3] seccomp trap to userspace Christian Brauner
     [not found]   ` <20180315160924.GA12744-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2018-03-15 16:56     ` Andy Lutomirski
2018-03-15 16:56       ` Andy Lutomirski
2018-03-15 17:05       ` Serge E. Hallyn
2018-03-15 17:11         ` Andy Lutomirski
2018-03-15 17:35           ` Tycho Andersen
2018-03-16  0:46             ` Andy Lutomirski
2018-03-16  0:46               ` Andy Lutomirski
     [not found]               ` <CALCETrWH7HbY2gS6O_cYKfp9QqqWBWVcHb++GaP3uUiSO9oo6g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2018-03-16 14:47                 ` Christian Brauner
2018-03-16 14:47                   ` Christian Brauner
2018-03-16 16:01                   ` Andy Lutomirski
     [not found]                     ` <D73E5C37-DC92-4D58-A163-0B20143AAEEB-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
2018-03-16 16:40                       ` Christian Brauner
2018-03-16 16:40                     ` Christian Brauner
     [not found]                   ` <20180316144751.GA3304-cl+VPiYnx/1AfugRpC6u6w@public.gmane.org>
2018-03-16 16:01                     ` Andy Lutomirski
     [not found]           ` <CALCETrXPcCNbpFJhXktkVS9gOPpmnU_bbY6Z8RrsBarq0dP4Lg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2018-03-15 17:25             ` Christian Brauner
2018-03-15 17:25               ` Christian Brauner
     [not found]               ` <20180315172558.GA28108-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2018-03-15 17:30                 ` Andy Lutomirski
2018-03-15 17:30                   ` Andy Lutomirski
2018-03-15 17:35             ` Tycho Andersen
     [not found]         ` <20180315170509.GA32766-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2018-03-15 17:11           ` Andy Lutomirski
     [not found]       ` <CALCETrVnvbZLx5v=DMu2N1JtR+ys507X5CYBi-qQnus3VMQdwg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2018-03-15 17:05         ` Serge E. Hallyn

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180214153359.6wj6wclsqvgj4jlt@smitten \
    --to=tycho@tycho.ws \
    --cc=christian.brauner@ubuntu.com \
    --cc=containers@lists.linux-foundation.org \
    --cc=ebiederm@xmission.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=oleg@redhat.com \
    --cc=serge@hallyn.com \
    --cc=suda.akihiro@lab.ntt.co.jp \
    --cc=tyhicks@canonical.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.