From: "Mickaël Salaün" <mic-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
To: Casey Schaufler <casey-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>,
linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Cc: Andreas Gruenbacher
<agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>,
Andy Lutomirski <luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
Arnd Bergmann <arnd-r2nGTMty4D4@public.gmane.org>,
Daniel Borkmann <daniel-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org>,
David Drysdale <drysdale-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
Eric Paris <eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
James Morris
<james.l.morris-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>,
Jeff Dike <jdike-OPE4K8JWMJJBDgjK7y7TUQ@public.gmane.org>,
Julien Tinnes <jln-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
Michael Kerrisk
<mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
Paul Moore <pmoore-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Richard Weinberger <richard-/L3Ra7n9ekc@public.gmane.org>,
"Serge E . Hallyn"
<serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>,
Stephen Smalley <sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>,
Tetsuo Handa
<penguin-kernel-JPay3/Yim36HaxMnTkn67Xf5DAMn2ifp@public.gmane.org>,
Will Drewry <wad-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
kernel-hardening-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org
Subject: Re: [RFC v1 05/17] security/seccomp: Add LSM and create arrays of syscall metadata
Date: Thu, 24 Mar 2016 22:31:28 +0100 [thread overview]
Message-ID: <56F45CB0.6090706@digikod.net> (raw)
In-Reply-To: <56F40F3F.90708-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
[-- Attachment #1.1: Type: text/plain, Size: 3599 bytes --]
On 24/03/2016 17:01, Casey Schaufler wrote:
> On 3/23/2016 6:46 PM, Mickaël Salaün wrote:
>> diff --git a/security/seccomp/lsm.c b/security/seccomp/lsm.c
>> new file mode 100644
>> index 000000000000..93c881724341
>> --- /dev/null
>> +++ b/security/seccomp/lsm.c
>> @@ -0,0 +1,87 @@
>> +/*
>> + * Seccomp Linux Security Module
>> + *
>> + * Copyright (C) 2016 Mickaël Salaün <mic-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
>> + *
>> + * This program is free software; you can redistribute it and/or modify
>> + * it under the terms of the GNU General Public License version 2, as
>> + * published by the Free Software Foundation.
>> + */
>> +
>> +#include <asm/syscall.h> /* sys_call_table */
>> +#include <linux/compat.h>
>> +#include <linux/slab.h> /* kcalloc() */
>> +#include <linux/syscalls.h> /* syscall_argdesc */
>> +
>> +#include "lsm.h"
>> +
>> +/* TODO: Remove the need for CONFIG_SYSFS dependency */
>> +
>> +struct syscall_argdesc (*seccomp_syscalls_argdesc)[] = NULL;
>> +#ifdef CONFIG_COMPAT
>> +struct syscall_argdesc (*compat_seccomp_syscalls_argdesc)[] = NULL;
>> +#endif /* CONFIG_COMPAT */
>> +
>> +static const struct syscall_argdesc *__init
>> +find_syscall_argdesc(const struct syscall_argdesc *start,
>> + const struct syscall_argdesc *stop, const void *addr)
>> +{
>> + if (unlikely(!addr || !start || !stop)) {
>> + WARN_ON(1);
>> + return NULL;
>> + }
>> +
>> + for (; start < stop; start++) {
>> + if (start->addr == addr)
>> + return start;
>> + }
>> + return NULL;
>> +}
>> +
>> +static inline void __init init_argdesc(void)
>> +{
>> + const struct syscall_argdesc *argdesc;
>> + const void *addr;
>> + int i;
>> +
>> + seccomp_syscalls_argdesc = kcalloc(NR_syscalls,
>> + sizeof((*seccomp_syscalls_argdesc)[0]), GFP_KERNEL);
>> + if (unlikely(!seccomp_syscalls_argdesc)) {
>> + WARN_ON(1);
>> + return;
>> + }
>> + for (i = 0; i < NR_syscalls; i++) {
>> + addr = sys_call_table[i];
>> + argdesc = find_syscall_argdesc(__start_syscalls_argdesc,
>> + __stop_syscalls_argdesc, addr);
>> + if (!argdesc)
>> + continue;
>> +
>> + (*seccomp_syscalls_argdesc)[i] = *argdesc;
>> + }
>> +
>> +#ifdef CONFIG_COMPAT
>> + compat_seccomp_syscalls_argdesc = kcalloc(IA32_NR_syscalls,
>> + sizeof((*compat_seccomp_syscalls_argdesc)[0]),
>> + GFP_KERNEL);
>> + if (unlikely(!compat_seccomp_syscalls_argdesc)) {
>> + WARN_ON(1);
>> + return;
>> + }
>> + for (i = 0; i < IA32_NR_syscalls; i++) {
>> + addr = ia32_sys_call_table[i];
>> + argdesc = find_syscall_argdesc(__start_compat_syscalls_argdesc,
>> + __stop_compat_syscalls_argdesc, addr);
>> + if (!argdesc)
>> + continue;
>> +
>> + (*compat_seccomp_syscalls_argdesc)[i] = *argdesc;
>> + }
>> +#endif /* CONFIG_COMPAT */
>> +}
>> +
>> +void __init seccomp_init(void)
>> +{
>> + pr_info("seccomp: Becoming ready for sandboxing\n");
>> + init_argdesc();
>> +}
>
> This isn't using the LSM infrastructure at all, is it?
> It looks like the only reason you're calling it a security
> module is to get the initialization code called in
> security_init().
>
> Let me amend my previous comment, which was to change
> the name of seccomp_init(). Leave it as is, but add a
> comment before it that explains why you've put the
> call in the midst of the security module initialization.
The patch "[RFC v1 16/17] security/seccomp: Protect against filesystem TOCTOU" add LSM hooks, so it make sense to follow your first comment and rename seccomp_init() to seccomp_add_hooks().
Mickaël
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 455 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: "Mickaël Salaün" <mic@digikod.net>
To: Casey Schaufler <casey@schaufler-ca.com>,
linux-security-module@vger.kernel.org
Cc: Andreas Gruenbacher <agruenba@redhat.com>,
Andy Lutomirski <luto@amacapital.net>,
Andy Lutomirski <luto@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
Daniel Borkmann <daniel@iogearbox.net>,
David Drysdale <drysdale@google.com>,
Eric Paris <eparis@redhat.com>,
James Morris <james.l.morris@oracle.com>,
Jeff Dike <jdike@addtoit.com>, Julien Tinnes <jln@google.com>,
Kees Cook <keescook@chromium.org>,
Michael Kerrisk <mtk.manpages@gmail.com>,
Paul Moore <pmoore@redhat.com>,
Richard Weinberger <richard@nod.at>,
"Serge E . Hallyn" <serge@hallyn.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Will Drewry <wad@chromium.org>,
linux-api@vger.kernel.org, kernel-hardening@lists.openwall.com
Subject: [kernel-hardening] Re: [RFC v1 05/17] security/seccomp: Add LSM and create arrays of syscall metadata
Date: Thu, 24 Mar 2016 22:31:28 +0100 [thread overview]
Message-ID: <56F45CB0.6090706@digikod.net> (raw)
In-Reply-To: <56F40F3F.90708@schaufler-ca.com>
[-- Attachment #1.1: Type: text/plain, Size: 3571 bytes --]
On 24/03/2016 17:01, Casey Schaufler wrote:
> On 3/23/2016 6:46 PM, Mickaël Salaün wrote:
>> diff --git a/security/seccomp/lsm.c b/security/seccomp/lsm.c
>> new file mode 100644
>> index 000000000000..93c881724341
>> --- /dev/null
>> +++ b/security/seccomp/lsm.c
>> @@ -0,0 +1,87 @@
>> +/*
>> + * Seccomp Linux Security Module
>> + *
>> + * Copyright (C) 2016 Mickaël Salaün <mic@digikod.net>
>> + *
>> + * This program is free software; you can redistribute it and/or modify
>> + * it under the terms of the GNU General Public License version 2, as
>> + * published by the Free Software Foundation.
>> + */
>> +
>> +#include <asm/syscall.h> /* sys_call_table */
>> +#include <linux/compat.h>
>> +#include <linux/slab.h> /* kcalloc() */
>> +#include <linux/syscalls.h> /* syscall_argdesc */
>> +
>> +#include "lsm.h"
>> +
>> +/* TODO: Remove the need for CONFIG_SYSFS dependency */
>> +
>> +struct syscall_argdesc (*seccomp_syscalls_argdesc)[] = NULL;
>> +#ifdef CONFIG_COMPAT
>> +struct syscall_argdesc (*compat_seccomp_syscalls_argdesc)[] = NULL;
>> +#endif /* CONFIG_COMPAT */
>> +
>> +static const struct syscall_argdesc *__init
>> +find_syscall_argdesc(const struct syscall_argdesc *start,
>> + const struct syscall_argdesc *stop, const void *addr)
>> +{
>> + if (unlikely(!addr || !start || !stop)) {
>> + WARN_ON(1);
>> + return NULL;
>> + }
>> +
>> + for (; start < stop; start++) {
>> + if (start->addr == addr)
>> + return start;
>> + }
>> + return NULL;
>> +}
>> +
>> +static inline void __init init_argdesc(void)
>> +{
>> + const struct syscall_argdesc *argdesc;
>> + const void *addr;
>> + int i;
>> +
>> + seccomp_syscalls_argdesc = kcalloc(NR_syscalls,
>> + sizeof((*seccomp_syscalls_argdesc)[0]), GFP_KERNEL);
>> + if (unlikely(!seccomp_syscalls_argdesc)) {
>> + WARN_ON(1);
>> + return;
>> + }
>> + for (i = 0; i < NR_syscalls; i++) {
>> + addr = sys_call_table[i];
>> + argdesc = find_syscall_argdesc(__start_syscalls_argdesc,
>> + __stop_syscalls_argdesc, addr);
>> + if (!argdesc)
>> + continue;
>> +
>> + (*seccomp_syscalls_argdesc)[i] = *argdesc;
>> + }
>> +
>> +#ifdef CONFIG_COMPAT
>> + compat_seccomp_syscalls_argdesc = kcalloc(IA32_NR_syscalls,
>> + sizeof((*compat_seccomp_syscalls_argdesc)[0]),
>> + GFP_KERNEL);
>> + if (unlikely(!compat_seccomp_syscalls_argdesc)) {
>> + WARN_ON(1);
>> + return;
>> + }
>> + for (i = 0; i < IA32_NR_syscalls; i++) {
>> + addr = ia32_sys_call_table[i];
>> + argdesc = find_syscall_argdesc(__start_compat_syscalls_argdesc,
>> + __stop_compat_syscalls_argdesc, addr);
>> + if (!argdesc)
>> + continue;
>> +
>> + (*compat_seccomp_syscalls_argdesc)[i] = *argdesc;
>> + }
>> +#endif /* CONFIG_COMPAT */
>> +}
>> +
>> +void __init seccomp_init(void)
>> +{
>> + pr_info("seccomp: Becoming ready for sandboxing\n");
>> + init_argdesc();
>> +}
>
> This isn't using the LSM infrastructure at all, is it?
> It looks like the only reason you're calling it a security
> module is to get the initialization code called in
> security_init().
>
> Let me amend my previous comment, which was to change
> the name of seccomp_init(). Leave it as is, but add a
> comment before it that explains why you've put the
> call in the midst of the security module initialization.
The patch "[RFC v1 16/17] security/seccomp: Protect against filesystem TOCTOU" add LSM hooks, so it make sense to follow your first comment and rename seccomp_init() to seccomp_add_hooks().
Mickaël
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 455 bytes --]
next prev parent reply other threads:[~2016-03-24 21:31 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-24 1:46 [RFC v1 00/17] seccomp-object: From attack surface reduction to sandboxing Mickaël Salaün
2016-03-24 1:46 ` [kernel-hardening] " Mickaël Salaün
2016-03-24 1:46 ` [RFC v1 01/17] um: Export the sys_call_table Mickaël Salaün
2016-03-24 1:46 ` [kernel-hardening] " Mickaël Salaün
2016-03-24 1:46 ` [RFC v1 02/17] seccomp: Fix typo Mickaël Salaün
2016-03-24 1:46 ` [kernel-hardening] " Mickaël Salaün
2016-03-24 1:46 ` [RFC v1 03/17] selftest/seccomp: Fix the flag name SECCOMP_FILTER_FLAG_TSYNC Mickaël Salaün
2016-03-24 1:46 ` [kernel-hardening] " Mickaël Salaün
[not found] ` <1458784008-16277-4-git-send-email-mic-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
2016-03-24 4:35 ` Kees Cook
2016-03-24 4:35 ` [kernel-hardening] " Kees Cook
2016-03-29 15:35 ` Shuah Khan
2016-03-29 15:35 ` [kernel-hardening] " Shuah Khan
2016-03-29 18:46 ` [PATCH 1/2] " Mickaël Salaün
2016-03-29 18:46 ` [kernel-hardening] " Mickaël Salaün
2016-03-29 19:06 ` Shuah Khan
2016-03-29 19:06 ` [kernel-hardening] " Shuah Khan
2016-03-24 1:46 ` [RFC v1 04/17] selftest/seccomp: Fix the seccomp(2) signature Mickaël Salaün
2016-03-24 1:46 ` [kernel-hardening] " Mickaël Salaün
[not found] ` <1458784008-16277-5-git-send-email-mic-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
2016-03-24 4:36 ` Kees Cook
2016-03-24 4:36 ` [kernel-hardening] " Kees Cook
2016-03-29 15:38 ` Shuah Khan
2016-03-29 15:38 ` [kernel-hardening] " Shuah Khan
2016-03-29 18:51 ` [PATCH 2/2] " Mickaël Salaün
2016-03-29 18:51 ` [kernel-hardening] " Mickaël Salaün
[not found] ` <1459277509-10666-1-git-send-email-mic-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
2016-03-29 19:07 ` Shuah Khan
2016-03-29 19:07 ` [kernel-hardening] " Shuah Khan
2016-03-24 1:46 ` [RFC v1 05/17] security/seccomp: Add LSM and create arrays of syscall metadata Mickaël Salaün
2016-03-24 1:46 ` [kernel-hardening] " Mickaël Salaün
2016-03-24 15:47 ` Casey Schaufler
2016-03-24 15:47 ` [kernel-hardening] " Casey Schaufler
2016-03-24 16:01 ` Casey Schaufler
2016-03-24 16:01 ` [kernel-hardening] " Casey Schaufler
[not found] ` <56F40F3F.90708-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2016-03-24 21:31 ` Mickaël Salaün [this message]
2016-03-24 21:31 ` Mickaël Salaün
2016-03-24 1:46 ` [RFC v1 06/17] seccomp: Add the SECCOMP_ADD_CHECKER_GROUP command Mickaël Salaün
2016-03-24 1:46 ` [kernel-hardening] " Mickaël Salaün
2016-03-24 1:46 ` [RFC v1 07/17] seccomp: Add seccomp object checker evaluation Mickaël Salaün
2016-03-24 1:46 ` [kernel-hardening] " Mickaël Salaün
2016-03-24 1:46 ` [RFC v1 08/17] selftest/seccomp: Remove unknown_ret_is_kill_above_allow test Mickaël Salaün
2016-03-24 1:46 ` [kernel-hardening] " Mickaël Salaün
2016-04-20 18:21 ` [RFC v1 00/17] seccomp-object: From attack surface reduction to sandboxing Mickaël Salaün
2016-04-20 18:21 ` [kernel-hardening] " Mickaël Salaün
2016-04-26 22:46 ` Kees Cook
2016-04-26 22:46 ` [kernel-hardening] " Kees Cook
[not found] ` <1458784008-16277-1-git-send-email-mic-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
2016-03-24 2:53 ` [RFC v1 09/17] selftest/seccomp: Extend seccomp_data until matches[6] Mickaël Salaün
2016-03-24 2:53 ` [kernel-hardening] " Mickaël Salaün
2016-03-24 2:53 ` [RFC v1 11/17] selftest/seccomp: Add argeval_open_whitelist test Mickaël Salaün
2016-03-24 2:53 ` [kernel-hardening] " Mickaël Salaün
[not found] ` <1458788042-26173-1-git-send-email-mic-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
2016-03-24 2:53 ` [RFC v1 10/17] selftest/seccomp: Add field_is_valid_syscall test Mickaël Salaün
2016-03-24 2:53 ` [kernel-hardening] " Mickaël Salaün
2016-03-24 2:53 ` [RFC v1 12/17] audit,seccomp: Extend audit with seccomp state Mickaël Salaün
2016-03-24 2:53 ` [kernel-hardening] " Mickaël Salaün
2016-03-24 2:53 ` [RFC v1 13/17] selftest/seccomp: Rename TRACE_poke to TRACE_poke_sys_read Mickaël Salaün
2016-03-24 2:53 ` [kernel-hardening] " Mickaël Salaün
2016-03-24 2:53 ` [RFC v1 14/17] selftest/seccomp: Make tracer_poke() more generic Mickaël Salaün
2016-03-24 2:53 ` [kernel-hardening] " Mickaël Salaün
2016-03-24 2:54 ` [RFC v1 15/17] selftest/seccomp: Add argeval_toctou_argument test Mickaël Salaün
2016-03-24 2:54 ` [kernel-hardening] " Mickaël Salaün
2016-03-24 2:54 ` [RFC v1 16/17] security/seccomp: Protect against filesystem TOCTOU Mickaël Salaün
2016-03-24 2:54 ` [kernel-hardening] " Mickaël Salaün
2016-03-24 2:54 ` [RFC v1 17/17] selftest/seccomp: Add argeval_toctou_filesystem test Mickaël Salaün
2016-03-24 2:54 ` [kernel-hardening] " Mickaël Salaün
2016-03-24 16:24 ` [RFC v1 00/17] seccomp-object: From attack surface reduction to sandboxing Kees Cook
2016-03-24 16:24 ` [kernel-hardening] " Kees Cook
[not found] ` <CAGXu5jLModth62F8PsFfNVCL=7PrAd+kT_NEsMP5WwOJvLS8EQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-27 5:03 ` Loganaden Velvindron
2016-03-27 5:03 ` Loganaden Velvindron
2016-04-28 2:36 ` Kees Cook
2016-04-28 2:36 ` [kernel-hardening] " Kees Cook
2016-04-28 23:45 ` Mickaël Salaün
2016-04-28 23:45 ` [kernel-hardening] " Mickaël Salaün
2016-05-21 12:58 ` Mickaël Salaün
2016-05-21 12:58 ` [kernel-hardening] " Mickaël Salaün
2016-05-02 22:19 ` James Morris
2016-05-02 22:19 ` [kernel-hardening] " James Morris
[not found] ` <CAGXu5jK1U12vMk11HD_x_gNz3Rk4ZgEfdThY7DHvm4e4sPRh4g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-05-21 15:19 ` Daniel Borkmann
2016-05-21 15:19 ` [kernel-hardening] " Daniel Borkmann
[not found] ` <57407C98.3090508-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org>
2016-05-22 21:30 ` Mickaël Salaün
2016-05-22 21:30 ` [kernel-hardening] " Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56F45CB0.6090706@digikod.net \
--to=mic-wfhqfpsgs3br7s880joybq@public.gmane.org \
--cc=agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=arnd-r2nGTMty4D4@public.gmane.org \
--cc=casey-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org \
--cc=daniel-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org \
--cc=drysdale-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org \
--cc=eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=james.l.morris-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org \
--cc=jdike-OPE4K8JWMJJBDgjK7y7TUQ@public.gmane.org \
--cc=jln-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org \
--cc=keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org \
--cc=kernel-hardening-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=penguin-kernel-JPay3/Yim36HaxMnTkn67Xf5DAMn2ifp@public.gmane.org \
--cc=pmoore-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=richard-/L3Ra7n9ekc@public.gmane.org \
--cc=sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org \
--cc=serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org \
--cc=wad-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.