From: Tycho Andersen <tycho@tycho.ws>
To: Christian Brauner <christian@brauner.io>
Cc: Jann Horn <jannh@google.com>, Paul Moore <paul@paul-moore.com>,
Kees Cook <keescook@chromium.org>,
Linux API <linux-api@vger.kernel.org>,
containers@lists.linux-foundation.org,
suda.akihiro@lab.ntt.co.jp, Oleg Nesterov <oleg@redhat.com>,
kernel list <linux-kernel@vger.kernel.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
linux-fsdevel@vger.kernel.org,
Christian Brauner <christian.brauner@ubuntu.com>,
Andy Lutomirski <luto@amacapital.net>,
linux-security-module <linux-security-module@vger.kernel.org>,
selinux@tycho.nsa.gov, Stephen Smalley <sds@tycho.nsa.gov>,
Eric Paris <eparis@parisplace.org>
Subject: Re: [PATCH v7 3/6] seccomp: add a way to get a listener fd from ptrace
Date: Wed, 10 Oct 2018 09:54:58 -0700 [thread overview]
Message-ID: <20181010165458.GA5607@cisco> (raw)
In-Reply-To: <20181010153956.zzlatxdlcwolbs6k@brauner.io>
On Wed, Oct 10, 2018 at 05:39:57PM +0200, Christian Brauner wrote:
> On Wed, Oct 10, 2018 at 05:33:43PM +0200, Jann Horn wrote:
> > On Wed, Oct 10, 2018 at 5:32 PM Paul Moore <paul@paul-moore.com> wrote:
> > > On Tue, Oct 9, 2018 at 9:36 AM Jann Horn <jannh@google.com> wrote:
> > > > +cc selinux people explicitly, since they probably have opinions on this
> > >
> > > I just spent about twenty minutes working my way through this thread,
> > > and digging through the containers archive trying to get a good
> > > understanding of what you guys are trying to do, and I'm not quite
> > > sure I understand it all. However, from what I have seen, this
> > > approach looks very ptrace-y to me (I imagine to others as well based
> > > on the comments) and because of this I think ensuring the usual ptrace
> > > access controls are evaluated, including the ptrace LSM hooks, is the
> > > right thing to do.
> >
> > Basically the problem is that this new ptrace() API does something
> > that doesn't just influence the target task, but also every other task
> > that has the same seccomp filter. So the classic ptrace check doesn't
> > work here.
>
> Just to throw this into the mix: then maybe ptrace() isn't the right
> interface and we should just go with the native seccomp() approach for
> now.
Please no :).
I don't buy your arguments that 3-syscalls vs. one is better. If I'm
doing this setup with a new container, I have to do
clone(CLONE_FILES), do this seccomp thing, so that my parent can pick
it up again, then do another clone without CLONE_FILES, because in the
general case I don't want to share my fd table with the container,
wait on the middle task for errors, etc. So we're still doing a bunch
of setup, and it feels more awkward than ptrace, with at least as many
syscalls, and it only works for your children.
I don't mind leaving capable(CAP_SYS_ADMIN) for the ptrace() part,
though. So if that's ok, then I think we can agree :)
Tycho
next prev parent reply other threads:[~2018-10-10 16:55 UTC|newest]
Thread overview: 95+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-27 15:11 [PATCH v7 0/6] seccomp trap to userspace Tycho Andersen
2018-09-27 15:11 ` [PATCH v7 1/6] seccomp: add a return code to " Tycho Andersen
2018-09-27 21:31 ` Kees Cook
2018-09-27 22:48 ` Tycho Andersen
2018-09-27 22:48 ` Tycho Andersen
2018-09-27 23:10 ` Kees Cook
2018-09-28 14:39 ` Tycho Andersen
2018-10-08 14:58 ` Christian Brauner
2018-10-09 14:28 ` Tycho Andersen
2018-10-09 16:24 ` Christian Brauner
2018-10-09 16:29 ` Tycho Andersen
2018-10-17 20:29 ` Tycho Andersen
2018-10-17 22:21 ` Kees Cook
2018-10-17 22:33 ` Tycho Andersen
2018-10-21 16:04 ` Tycho Andersen
2018-10-22 9:42 ` Christian Brauner
2018-09-27 21:51 ` Jann Horn
2018-09-27 22:45 ` Kees Cook
2018-09-27 23:08 ` Tycho Andersen
2018-09-27 23:04 ` Tycho Andersen
2018-09-27 23:37 ` Jann Horn
2018-09-29 0:28 ` Aleksa Sarai
2018-09-27 15:11 ` [PATCH v7 2/6] seccomp: make get_nth_filter available outside of CHECKPOINT_RESTORE Tycho Andersen
2018-09-27 16:51 ` Jann Horn
2018-09-27 21:42 ` Kees Cook
2018-10-08 13:55 ` Christian Brauner
2018-09-27 15:11 ` [PATCH v7 3/6] seccomp: add a way to get a listener fd from ptrace Tycho Andersen
2018-09-27 16:20 ` Jann Horn
2018-09-27 16:34 ` Tycho Andersen
2018-09-27 17:35 ` Jann Horn
2018-09-27 18:09 ` Tycho Andersen
2018-09-27 21:53 ` Kees Cook
2018-10-08 15:16 ` Christian Brauner
2018-10-08 15:33 ` Jann Horn
2018-10-08 16:21 ` Christian Brauner
2018-10-08 16:42 ` Jann Horn
2018-10-08 18:18 ` Christian Brauner
2018-10-09 12:39 ` Jann Horn
2018-10-09 13:28 ` Christian Brauner
2018-10-09 13:36 ` Jann Horn
2018-10-09 13:49 ` Christian Brauner
2018-10-09 13:50 ` Jann Horn
2018-10-09 14:09 ` Christian Brauner
2018-10-09 15:26 ` Jann Horn
2018-10-09 16:20 ` Christian Brauner
2018-10-09 16:26 ` Jann Horn
2018-10-10 12:54 ` Christian Brauner
2018-10-10 13:09 ` Christian Brauner
2018-10-10 13:10 ` Jann Horn
2018-10-10 13:18 ` Christian Brauner
2018-10-10 15:31 ` Paul Moore
2018-10-10 15:33 ` Jann Horn
2018-10-10 15:39 ` Christian Brauner
2018-10-10 16:54 ` Tycho Andersen [this message]
2018-10-10 17:15 ` Christian Brauner
2018-10-10 17:26 ` Tycho Andersen
2018-10-10 18:28 ` Christian Brauner
2018-10-11 7:24 ` Paul Moore
2018-10-11 7:24 ` Paul Moore
2018-10-11 13:39 ` Jann Horn
2018-10-11 23:10 ` Paul Moore
2018-10-11 23:10 ` Paul Moore
2018-10-12 1:02 ` Andy Lutomirski
2018-10-12 20:02 ` Tycho Andersen
2018-10-12 20:06 ` Jann Horn
2018-10-12 20:06 ` Jann Horn
2018-10-12 20:11 ` Christian Brauner
2018-10-08 18:00 ` Tycho Andersen
2018-10-08 18:41 ` Christian Brauner
2018-10-10 17:45 ` Andy Lutomirski
2018-10-10 18:26 ` Christian Brauner
2018-09-27 15:11 ` [PATCH v7 4/6] files: add a replace_fd_files() function Tycho Andersen
2018-09-27 16:49 ` Jann Horn
2018-09-27 18:04 ` Tycho Andersen
2018-09-27 21:59 ` Kees Cook
2018-09-28 2:20 ` Kees Cook
2018-09-28 2:46 ` Jann Horn
2018-09-28 5:23 ` Tycho Andersen
2018-09-27 15:11 ` [PATCH v7 5/6] seccomp: add a way to pass FDs via a notification fd Tycho Andersen
2018-09-27 16:39 ` Jann Horn
2018-09-27 22:13 ` Tycho Andersen
2018-09-27 19:28 ` Jann Horn
2018-09-27 22:14 ` Tycho Andersen
2018-09-27 22:17 ` Jann Horn
2018-09-27 22:49 ` Tycho Andersen
2018-09-27 22:09 ` Kees Cook
2018-09-27 22:15 ` Tycho Andersen
2018-09-27 15:11 ` [PATCH v7 6/6] samples: add an example of seccomp user trap Tycho Andersen
2018-09-27 22:11 ` Kees Cook
2018-09-28 21:57 ` [PATCH v7 0/6] seccomp trap to userspace Michael Kerrisk (man-opages)
2018-09-28 22:03 ` Tycho Andersen
2018-09-28 22:16 ` Michael Kerrisk (man-pages)
2018-09-28 22:34 ` Kees Cook
2018-09-28 22:46 ` Michael Kerrisk (man-pages)
2018-09-28 22:48 ` Jann Horn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181010165458.GA5607@cisco \
--to=tycho@tycho.ws \
--cc=christian.brauner@ubuntu.com \
--cc=christian@brauner.io \
--cc=containers@lists.linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=oleg@redhat.com \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=suda.akihiro@lab.ntt.co.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.