Date: Fri, 5 Feb 2021 10:37:09 -0800
From: Kees Cook
To: Chris Wilson
Cc: linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, intel-gfx@lists.freedesktop.org, Andy Lutomirski, Will Drewry, Andrew Morton, Dave Airlie, Daniel Vetter, Lucas Stach, jannh@google.com
Subject: Re: [PATCH] kernel: Expose SYS_kcmp by default
Message-ID: <202102051030.1AF01772D@keescook>
References: <20210205163752.11932-1-chris@chris-wilson.co.uk>
In-Reply-To: <20210205163752.11932-1-chris@chris-wilson.co.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Feb 05, 2021 at 04:37:52PM +0000, Chris Wilson wrote:
> Userspace has discovered the functionality offered by SYS_kcmp and has
> started to depend upon it. In particular, Mesa uses SYS_kcmp for
> os_same_file_description() in order to identify when two fd (e.g. device
> or dmabuf) point to the same struct file. Since they depend on it for
> core functionality, lift SYS_kcmp out of the non-default
> CONFIG_CHECKPOINT_RESTORE into the selectable syscall category.
>
> Signed-off-by: Chris Wilson
> Cc: Kees Cook
> Cc: Andy Lutomirski
> Cc: Will Drewry
> Cc: Andrew Morton
> Cc: Dave Airlie
> Cc: Daniel Vetter
> Cc: Lucas Stach
> --- > init/Kconfig | 11 +++++++++++ > kernel/Makefile | 2 +- > tools/testing/selftests/seccomp/seccomp_bpf.c | 2 +- > 3 files changed, 13 insertions(+), 2 deletions(-) > > diff --git a/init/Kconfig b/init/Kconfig > index b77c60f8b963..f62fca13ac5b 100644 > --- a/init/Kconfig > +++ b/init/Kconfig > @@ -1194,6 +1194,7 @@ endif # NAMESPACES > config CHECKPOINT_RESTORE > bool "Checkpoint/restore support" > select PROC_CHILDREN > + select KCMP > default n > help > Enables additional kernel features in a sake of checkpoint/restore.
> @@ -1737,6 +1738,16 @@ config ARCH_HAS_MEMBARRIER_CALLBACKS > config ARCH_HAS_MEMBARRIER_SYNC_CORE > bool > > +config KCMP > + bool "Enable kcmp() system call" if EXPERT > + default y

I would expect this to be not default-y, especially if
CHECKPOINT_RESTORE does a "select" on it.

This is a really powerful syscall, but it is bounded by ptrace access
controls, and uses pointer address obfuscation, so it may be okay to
expose this. As it is, at least Ubuntu already has
CONFIG_CHECKPOINT_RESTORE, so really, there's probably not much
difference on exposure.

So, if you drop the "default y", I'm fine with this.

-Kees

> + help > + Enable the file descriptor comparison system call. It provides > + user-space with the ability to compare two fd to see if they > + point to the same file, and check other attributes. > + > + If unsure, say Y. > + > config RSEQ > bool "Enable rseq() system call" if EXPERT > default y > diff --git a/kernel/Makefile b/kernel/Makefile > index aa7368c7eabf..320f1f3941b7 100644 > --- a/kernel/Makefile > +++ b/kernel/Makefile > @@ -51,7 +51,7 @@ obj-y += livepatch/ > obj-y += dma/ > obj-y += entry/ > > -obj-$(CONFIG_CHECKPOINT_RESTORE) += kcmp.o > +obj-$(CONFIG_KCMP) += kcmp.o > obj-$(CONFIG_FREEZER) += freezer.o > obj-$(CONFIG_PROFILING) += profile.o > obj-$(CONFIG_STACKTRACE) += stacktrace.o > diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c > index 26c72f2b61b1..1b6c7d33c4ff 100644 > --- a/tools/testing/selftests/seccomp/seccomp_bpf.c > +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
> @@ -315,7 +315,7 @@ TEST(kcmp) > ret = __filecmp(getpid(), getpid(), 1, 1); > EXPECT_EQ(ret, 0); > if (ret != 0 && errno == ENOSYS) > - SKIP(return, "Kernel does not support kcmp() (missing CONFIG_CHECKPOINT_RESTORE?)"); > + SKIP(return, "Kernel does not support kcmp() (missing CONFIG_KCMP?)"); > } > > TEST(mode_strict_support) > -- > 2.20.1 >

--
Kees Cook
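Review bot: In the new "config KCMP" entry of init/Kconfig the prompt is only visible "if EXPERT", so once "default y" is dropped a non-EXPERT configuration resolves KCMP to n unless something selects it, and the only select in this patch comes from CHECKPOINT_RESTORE. That leaves the Mesa use case from the commit message uncovered on such builds; a select from the users that need the call would close the gap, and "If unsure, say Y" should be changed to match whichever default is kept. The help text's "check other attributes" is also too vague for a syscall described in this thread as really powerful: say what is compared and that access is bounded by ptrace access controls.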
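Review bot: In the kernel/Makefile hunk, kcmp.o is now built on CONFIG_KCMP alone, yet the diffstat touches only init/Kconfig, kernel/Makefile and the seccomp selftest. Any helper kcmp.o calls that is still compiled only under CONFIG_CHECKPOINT_RESTORE would break the link for KCMP=y with CHECKPOINT_RESTORE=n, so please build-test that combination and convert any remaining guards to CONFIG_KCMP in the same patch.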
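Review bot: In TEST(kcmp) of seccomp_bpf.c, EXPECT_EQ(ret, 0) is evaluated before the ENOSYS check that carries the reworded SKIP message, so on a kernel without CONFIG_KCMP the expectation fails before the skip is reached. Since this line is being touched anyway, consider testing for "ret != 0 && errno == ENOSYS" first and only then asserting on ret.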
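An added example, not part of the thread and not Mesa's or the kernel's code: a C helper doing the fd comparison the commit message describes with kcmp(KCMP_FILE), which reports "unknown" instead of guessing when the call is compiled out (ENOSYS, the case the selftest skips on) or denied. The names same_file_description, fd_cmp and explain are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/kcmp.h>                 /* KCMP_FILE */

enum fd_cmp { FD_UNKNOWN = -1, FD_SAME = 0, FD_DIFFERENT = 1 };

/*
 * Hypothetical helper: do fd1 and fd2 of the calling process refer to the
 * same open file description (struct file)?  Both PIDs passed to kcmp() are
 * our own, so the ptrace access check mentioned in the thread is trivially
 * satisfied; comparing against another process needs ptrace read access.
 */
enum fd_cmp same_file_description(int fd1, int fd2)
{
    if (fd1 < 0 || fd2 < 0) {
        errno = EBADF;
        return FD_UNKNOWN;
    }
    if (fd1 == fd2)                     /* same slot: only check it is open */
        return fcntl(fd1, F_GETFD) == -1 ? FD_UNKNOWN : FD_SAME;

    pid_t self = getpid();
    long ret = syscall(SYS_kcmp, self, self, KCMP_FILE,
                       (unsigned long)fd1, (unsigned long)fd2);
    if (ret == 0)
        return FD_SAME;
    if (ret > 0)    /* 1 or 2: order of the obfuscated pointers, 3: unordered */
        return FD_DIFFERENT;
    return FD_UNKNOWN;                  /* errno says why: ENOSYS, EPERM, ... */
}

/* Turn a result (and errno, for FD_UNKNOWN) into a readable reason. */
static const char *explain(enum fd_cmp r)
{
    if (r == FD_SAME)
        return "same struct file";
    if (r == FD_DIFFERENT)
        return "different struct file";
    if (errno == ENOSYS)
        return "unknown: kernel built without kcmp()";
    if (errno == EPERM || errno == EACCES)
        return "unknown: kcmp() denied (seccomp filter or access check)";
    return strerror(errno);
}

int main(void)
{
    int a = open("/dev/null", O_RDONLY);
    int b = dup(a);                       /* shares a's file description */
    int c = open("/dev/null", O_RDONLY);  /* same inode, new description */

    enum fd_cmp r = same_file_description(a, b);
    printf("a vs dup(a):     %s\n", explain(r));
    r = same_file_description(a, c);
    printf("a vs second open: %s\n", explain(r));
    return 0;
}
```

A caller that must work with the syscall disabled should treat FD_UNKNOWN as "assume different" or fall back to another check, rather than as a match.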