From: Andy Lutomirski <luto@amacapital.net>
To: Serge Hallyn <serge.hallyn@ubuntu.com>
Cc: Oleg Nesterov <oleg@redhat.com>,
Tycho Andersen <tycho.andersen@canonical.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
Kees Cook <keescook@chromium.org>, Will Drewry <wad@chromium.org>,
Roland McGrath <roland@hack.frob.com>,
Pavel Emelyanov <xemul@parallels.com>
Subject: Re: [PATCH v4] seccomp: add ptrace options for suspend/resume
Date: Wed, 10 Jun 2015 10:42:01 -0700 [thread overview]
Message-ID: <CALCETrWYc2ZqGWzrNQMHdwQ-_sAy8AhkMdJWABEpwMP2qbSO8A@mail.gmail.com> (raw)
In-Reply-To: <20150610172931.GD4069@ubuntumail>
On Wed, Jun 10, 2015 at 10:29 AM, Serge Hallyn <serge.hallyn@ubuntu.com> wrote:
> Quoting Andy Lutomirski (luto@amacapital.net):
>> On Wed, Jun 10, 2015 at 9:31 AM, Oleg Nesterov <oleg@redhat.com> wrote:
>> > On 06/09, Andy Lutomirski wrote:
>> >>
>> >> On Tue, Jun 9, 2015 at 5:49 PM, Tycho Andersen
>> >> >
>> >> > @@ -556,6 +556,15 @@ static int ptrace_setoptions(struct task_struct *child, unsigned long data)
>> >> > if (data & ~(unsigned long)PTRACE_O_MASK)
>> >> > return -EINVAL;
>> >> >
>> >> > + if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) {
>> >
>> > Well, we should do this if
>> >
>> > (data & O_SUSPEND) && !(flags & O_SUSPEND)
>> >
>> > or at least if
>> >
>> > (data ^ flags) & O_SUSPEND
>> >
>> >
>> >> > + if (!config_enabled(CONFIG_CHECKPOINT_RESTORE) ||
>> >> > + !config_enabled(CONFIG_SECCOMP))
>> >> > + return -EINVAL;
>> >> > +
>> >> > + if (!capable(CAP_SYS_ADMIN))
>> >> > + return -EPERM;
>> >>
>> >> I tend to think that we should also require that current not be using
>> >> seccomp. Otherwise, in principle, there's a seccomp bypass for
>> >> privileged-but-seccomped programs.
>> >
>> > Andy, I simply can't understand why do we need any security check at all.
>> >
>> > OK, yes, in theory we can have a seccomped CAP_SYS_ADMIN process, seccomp
>> > doesn't filter ptrace, you hack that process and force it to attach to
>> > another CAP_SYS_ADMIN/seccomped process, etc, etc... Looks too paranoid
>> > to me.
>>
>> I've sometimes considered having privileged processes I write fork and
>> seccomp their child. Of course, if you're allowing ptrace through
>> your seccomp filter, you open a giant can of worms, but I think we
>> should take the more paranoid approach to start and relax it later as
>
> I really do intend to look at your old proposed tree for improving that...
> have only done a once-over so far, though.
Don't read it yet. It's unnecessarily complicated due to the mess
that is x86's entry code, and I want to clean up the entry code first.
--Andy
WARNING: multiple messages have this Message-ID (diff)
From: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
To: Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
Cc: Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Tycho Andersen
<tycho.andersen-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>,
"linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
Will Drewry <wad-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
Roland McGrath <roland-/Z5OmTQCD9xF6kxbq+BtvQ@public.gmane.org>,
Pavel Emelyanov <xemul-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
Subject: Re: [PATCH v4] seccomp: add ptrace options for suspend/resume
Date: Wed, 10 Jun 2015 10:42:01 -0700 [thread overview]
Message-ID: <CALCETrWYc2ZqGWzrNQMHdwQ-_sAy8AhkMdJWABEpwMP2qbSO8A@mail.gmail.com> (raw)
In-Reply-To: <20150610172931.GD4069@ubuntumail>
On Wed, Jun 10, 2015 at 10:29 AM, Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org> wrote:
> Quoting Andy Lutomirski (luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org):
>> On Wed, Jun 10, 2015 at 9:31 AM, Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:
>> > On 06/09, Andy Lutomirski wrote:
>> >>
>> >> On Tue, Jun 9, 2015 at 5:49 PM, Tycho Andersen
>> >> >
>> >> > @@ -556,6 +556,15 @@ static int ptrace_setoptions(struct task_struct *child, unsigned long data)
>> >> > if (data & ~(unsigned long)PTRACE_O_MASK)
>> >> > return -EINVAL;
>> >> >
>> >> > + if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) {
>> >
>> > Well, we should do this if
>> >
>> > (data & O_SUSPEND) && !(flags & O_SUSPEND)
>> >
>> > or at least if
>> >
>> > (data ^ flags) & O_SUSPEND
>> >
>> >
>> >> > + if (!config_enabled(CONFIG_CHECKPOINT_RESTORE) ||
>> >> > + !config_enabled(CONFIG_SECCOMP))
>> >> > + return -EINVAL;
>> >> > +
>> >> > + if (!capable(CAP_SYS_ADMIN))
>> >> > + return -EPERM;
>> >>
>> >> I tend to think that we should also require that current not be using
>> >> seccomp. Otherwise, in principle, there's a seccomp bypass for
>> >> privileged-but-seccomped programs.
>> >
>> > Andy, I simply can't understand why do we need any security check at all.
>> >
>> > OK, yes, in theory we can have a seccomped CAP_SYS_ADMIN process, seccomp
>> > doesn't filter ptrace, you hack that process and force it to attach to
>> > another CAP_SYS_ADMIN/seccomped process, etc, etc... Looks too paranoid
>> > to me.
>>
>> I've sometimes considered having privileged processes I write fork and
>> seccomp their child. Of course, if you're allowing ptrace through
>> your seccomp filter, you open a giant can of worms, but I think we
>> should take the more paranoid approach to start and relax it later as
>
> I really do intend to look at your old proposed tree for improving that...
> have only done a once-over so far, though.
Don't read it yet. It's unnecessarily complicated due to the mess
that is x86's entry code, and I want to clean up the entry code first.
--Andy
next prev parent reply other threads:[~2015-06-10 17:42 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-10 0:49 [PATCH v4] seccomp: add ptrace options for suspend/resume Tycho Andersen
2015-06-10 0:49 ` Tycho Andersen
2015-06-10 1:08 ` Andy Lutomirski
2015-06-10 1:08 ` Andy Lutomirski
2015-06-10 15:19 ` Tycho Andersen
2015-06-10 15:19 ` Tycho Andersen
2015-06-10 16:31 ` Oleg Nesterov
2015-06-10 17:20 ` Andy Lutomirski
2015-06-10 17:20 ` Andy Lutomirski
2015-06-10 17:29 ` Serge Hallyn
2015-06-10 17:29 ` Serge Hallyn
2015-06-10 17:42 ` Andy Lutomirski [this message]
2015-06-10 17:42 ` Andy Lutomirski
2015-06-10 19:20 ` Oleg Nesterov
2015-06-10 19:20 ` Oleg Nesterov
2015-06-10 20:18 ` Kees Cook
2015-06-10 20:18 ` Kees Cook
2015-06-10 20:26 ` Oleg Nesterov
2015-06-10 20:26 ` Oleg Nesterov
2015-06-12 23:27 ` Andy Lutomirski
2015-06-12 23:27 ` Andy Lutomirski
2015-06-12 23:29 ` Kees Cook
2015-06-12 23:29 ` Kees Cook
2015-06-13 15:06 ` Tycho Andersen
2015-06-13 15:06 ` Tycho Andersen
2015-06-10 20:33 ` Kees Cook
2015-06-10 20:33 ` Kees Cook
2015-06-10 20:57 ` Tycho Andersen
2015-06-10 20:57 ` Tycho Andersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALCETrWYc2ZqGWzrNQMHdwQ-_sAy8AhkMdJWABEpwMP2qbSO8A@mail.gmail.com \
--to=luto@amacapital.net \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=roland@hack.frob.com \
--cc=serge.hallyn@ubuntu.com \
--cc=tycho.andersen@canonical.com \
--cc=wad@chromium.org \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.