From: Victor Kamensky <kamensky@cisco.com>
To: Seebs <seebs@seebs.net>
Cc: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>,
	OE-core <openembedded-core@lists.openembedded.org>
Subject: Re: pseudo: host user contamination
Date: Sat, 24 Mar 2018 13:12:54 -0700 (PDT)
Message-ID: <alpine.LRH.2.00.1803241306460.40806@sjc-ads-6991.cisco.com>
In-Reply-To: <20180324145044.168f7e3f@seebsdell>

Here is another crazy idea of how to deal with it, just
brainstorming what options are on the table: disable
renameat2 with the help of seccomp and force coreutils to
use other calls. Something along the lines of what was
suggested with intercepting the syscall function call, but
let the kernel do the interception work.

Here is a tiny example based on my today's learning of
seccomp and eBPF; it shows how on my FC27 filtering out
renameat2 forces coreutils mv to use other calls to do the job.

[kamensky@coreos-lnx2 bpf]$ cat filterout_renameat2.c
#include <stddef.h>
#include <linux/unistd.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <sys/prctl.h>
#include <errno.h>

/* Offset of the syscall number inside the struct seccomp_data that
 * the kernel hands to the filter for every syscall. */
#define syscall_nr (offsetof(struct seccomp_data, nr))

/* Classic BPF program: load the syscall number; if it is renameat2,
 * fail the call with ENOSYS before it reaches the VFS, otherwise let
 * it through. seccomp_data.arch is not checked here, so the number is
 * only meaningful for the native ABI of the process. */
struct sock_filter filterout_renameat2[] = {
     BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_nr),
     BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_renameat2, 0, 1),
     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | ENOSYS),
     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
};

struct sock_fprog filterout_renameat2_prog = {
     .len = (unsigned short)(sizeof(filterout_renameat2) /
                             sizeof(filterout_renameat2[0])),
     .filter = filterout_renameat2,
};

/* Returns 0 on success, -1 with errno set if either prctl fails.
 * PR_SET_NO_NEW_PRIVS is required to install a filter without
 * CAP_SYS_ADMIN; once installed the filter is inherited across
 * fork() and execve(), which is what lets it cover the exec'd mv. */
int disable_renameat2_syscall (void)
{
     int err;
     err = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
     if (!err) {
         err = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER,
 		    &filterout_renameat2_prog);
     }

     return err;
}
[kamensky@coreos-lnx2 bpf]$ cat norenameat2.c
#include <unistd.h>
#include <stdio.h>

int disable_renameat2_syscall (void);

int main(int argc, char **argv)
{
     int err = 0;

     if (argc < 2) {
         fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
         return 2;
     }

     /* Install the filter first; it survives the execvp() below. */
     err = disable_renameat2_syscall();
     if(err) {
         perror("disable_renameat2_syscall");
     }

     execvp (argv[1], &argv[1]);
     /* Only reached if execvp() itself failed. */
     perror("execvp");
     return 127;
}
[kamensky@coreos-lnx2 bpf]$ gcc -o norenameat2 norenameat2.c filterout_renameat2.c 
[kamensky@coreos-lnx2 bpf]$ mkdir foo
[kamensky@coreos-lnx2 bpf]$ strace -o ./trace.mv.txt -f mv foo bar
[kamensky@coreos-lnx2 bpf]$ grep rename ./trace.mv.txt
2218  renameat2(AT_FDCWD, "foo", AT_FDCWD, "bar", 0) = 0
[kamensky@coreos-lnx2 bpf]$ rm -r -f bar
[kamensky@coreos-lnx2 bpf]$ mkdir foo
[kamensky@coreos-lnx2 bpf]$ strace -o ./trace.norenameat2.mv.txt -f ./norenameat2 mv foo bar
[kamensky@coreos-lnx2 bpf]$ grep rename ./trace.norenameat2.mv.txt
2228  execve("./norenameat2", ["./norenameat2", "mv", "foo", "bar"], 0x7ffd16d930e0 /* 37 vars */) = 0
2228  renameat2(AT_FDCWD, "foo", AT_FDCWD, "bar", 0) = -1 ENOSYS (Function not implemented)
2228  renameat(AT_FDCWD, "foo", AT_FDCWD, "bar") = 0
[kamensky@coreos-lnx2 bpf]$

Thanks,
Victor

On Sat, 24 Mar 2018, Seebs wrote:

> On Sat, 24 Mar 2018 12:42:45 -0700
> Andre McCurdy <armccurdy@gmail.com> wrote:
>
>> Right. The musl example is to show how it's possible to transparently
>> intercept and pass on any call to the syscall() ABI without
>> interpreting anything.
>
> Yes, if you don't need to interpret things, and aren't making
> additional other unrelated system calls after doing so.
>
>> Those details are all taken care of within the libc implementation of
>> syscall(). It's not something we need to care about at all in a
>> wrapper for it.
>
> I don't think that's correct.
>
> musl's call sequence:
> 	real_syscall() // sets a3
> 	return
>
> pseudo's call sequence:
> 	various_setup()
> 	real_syscall() // sets a3
> 	other system calls // also set a3
> 	return
>
> In the case where pseudo is actually *disabled*, we just return
> right away after the real call. In every other case, we're making
> other calls some of which imply system calls, and those system calls
> could potentially overwrite things that the libc implementation of
> syscall took care of. (Mutex and signal mask operations.)
>
> So for that to work, I would in principle have to stash the value
> stored in, for instance, "a3", wait until after the other system calls,
> and then restore it. Unless *only* syscall() itself actually sets
> that register, and other system calls don't, and nothing else is
> using it either.
>
> -s
> -- 
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>


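The seccomp approach in the message above, as an added example that is not code from the thread or from pseudo: it adds the seccomp_data.arch check the posted filter omits (syscall numbers are per-ABI, so a compat caller would otherwise be matched against the wrong table), fails closed with SECCOMP_RET_KILL_PROCESS on a foreign arch, and bundles a tiny classic-BPF evaluator so the filter's decisions can be checked in-process before anything is installed. probe_live_filter() then installs the filter in a forked child and issues a real renameat2(2) to confirm the kernel answers ENOSYS rather than ENOENT. EXAMPLE_ARCH, decide(), eval_filter(), probe_live_filter() and the two nonexistent probe paths are assumptions of this example.

```c
/* Added example, not code from the thread: an arch-checked seccomp filter
 * denying renameat2 with ENOSYS, a tiny cBPF evaluator to test it offline,
 * and a forked live probe. EXAMPLE_ARCH, decide(), eval_filter(),
 * probe_live_filter() and the probe paths are this example's assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS            /* absent from pre-4.14 headers */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#if defined(__aarch64__)
#define EXAMPLE_ARCH AUDIT_ARCH_AARCH64
#else
#define EXAMPLE_ARCH AUDIT_ARCH_X86_64      /* assumption: x86_64 host, as in the thread */
#endif
#define DENY_ENOSYS (SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA))

/* Syscall numbers are per-ABI, so a number matched without checking the
 * arch is meaningless for a compat (32-bit) caller: kill on a foreign arch. */
static struct sock_filter deny_renameat2[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_renameat2, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, DENY_ENOSYS),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define DENY_LEN (sizeof deny_renameat2 / sizeof deny_renameat2[0])

/* Minimal cBPF evaluator for the three instruction forms used above; returns
 * the SECCOMP_RET_* action the kernel would take. Anything unexpected (unknown
 * opcode, bad load, running off the end) fails closed as KILL_PROCESS. */
uint32_t eval_filter(const struct sock_filter *prog, size_t len,
                     const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:   /* acc = 32-bit word at offset k */
            if (in->k % 4 != 0 || in->k + 4 > sizeof *sd)
                return SECCOMP_RET_KILL_PROCESS;
            acc = *(const uint32_t *)((const char *)sd + in->k);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:  /* skip jt or jf instructions */
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* What the filter decides for a given (arch, syscall number) pair. */
uint32_t decide(uint32_t arch, int nr)
{
    struct seccomp_data sd = { .nr = nr, .arch = arch };
    return eval_filter(deny_renameat2, DENY_LEN, &sd);
}

int install_deny_renameat2(void)
{
    struct sock_fprog prog = { .len = (unsigned short)DENY_LEN,
                               .filter = deny_renameat2 };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Installs the filter in a forked child and issues a real renameat2(2) on
 * paths that do not exist: a working filter answers ENOSYS before the VFS
 * is consulted; unfiltered, the kernel would answer ENOENT.
 * Returns 1 = filtered, 0 = not filtered, -1 = seccomp unavailable here. */
int probe_live_filter(void)
{
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) {
        if (install_deny_renameat2() != 0)
            _exit(2);
        long r = syscall(__NR_renameat2, AT_FDCWD, "/nonexistent-src-xyz",
                         AT_FDCWD, "/nonexistent-dst-xyz", 0);
        _exit(r == -1 && errno == ENOSYS ? 0 : 1);
    }
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : WEXITSTATUS(status) == 1 ? 0 : -1;
}
```

The evaluator only understands the loads, equality jumps and returns this filter uses, which is enough to unit-test the jump offsets (the classic off-by-one in hand-written jt/jf values) without touching the kernel. A wrapper built on this would still have to intercept the renameat(2) that coreutils falls back to, as the strace above shows; denying renameat2 merely steers the caller onto a call the wrapper already handles.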

Thread overview: 68+ messages
2018-03-23 15:33 pseudo: host user contamination Enrico Scholz
2018-03-23 15:43 ` Enrico Scholz
2018-03-23 16:05   ` Burton, Ross
2018-03-23 16:10     ` Enrico Scholz
2018-03-23 16:17       ` Burton, Ross
2018-03-23 16:28       ` Seebs
2018-03-23 16:30         ` Burton, Ross
2018-03-23 16:49           ` Seebs
2018-03-23 16:56             ` Burton, Ross
2018-03-23 17:23               ` Seebs
2018-03-23 23:47             ` Richard Purdie
2018-03-23 23:56               ` Seebs
2018-03-24  0:22                 ` Enrico Scholz
2018-03-24  0:33                 ` Andre McCurdy
2018-03-24  0:36                   ` Seebs
2018-03-24  1:10                     ` Andre McCurdy
2018-03-24  1:17                       ` Seebs
2018-03-24  1:43                         ` Andre McCurdy
2018-03-24  2:44                           ` Seebs
2018-03-24 12:36                 ` Richard Purdie
2018-03-24 15:12                   ` Seebs
2018-03-24 17:10                   ` Burton, Ross
2018-03-24 17:23                     ` Seebs
2018-03-24 18:12                       ` Andre McCurdy
2018-03-24 18:22                         ` Seebs
2018-03-24 18:59                           ` Andre McCurdy
2018-03-24 19:24                             ` Seebs
2018-03-24 19:42                               ` Andre McCurdy
2018-03-24 19:50                                 ` Seebs
2018-03-24 20:12                                   ` Victor Kamensky [this message]
2018-03-24 23:04                                     ` Burton, Ross
2018-03-25  0:09                                       ` Victor Kamensky
2018-03-25  2:43                                         ` Andre McCurdy
2018-03-25  5:37                                           ` Victor Kamensky
2018-03-25  7:05                                             ` Andre McCurdy
2018-03-26 18:49                                               ` Andreas Müller
2018-03-26 19:31                                                 ` Seebs
2018-03-26 20:12                                                   ` Andre McCurdy
2018-03-26 21:07                                                     ` Seebs
2018-03-27  1:10                                                       ` Andre McCurdy
2018-03-27  1:32                                                         ` Seebs
2018-03-27  1:34                                                           ` Andre McCurdy
2018-03-27  2:07                                                             ` Seebs
2018-03-27  2:59                                                               ` Andre McCurdy
2018-03-27  4:41                                                                 ` Seebs
2018-03-27 19:11                                                                   ` Andre McCurdy
2018-03-27 19:22                                                                     ` Seebs
2018-03-27 20:12                                                                       ` Andre McCurdy
2018-03-27 20:20                                                                         ` Seebs
2018-03-27 20:52                                                                           ` Andre McCurdy
2018-03-27 21:10                                                                             ` Seebs
2018-03-29 12:04                                                                               ` Enrico Scholz
2018-03-29 14:06                                                                                 ` Seebs
2018-03-27 13:06                                                     ` Enrico Scholz
2018-03-27 15:50                                                       ` Seebs
2018-03-27 16:26                                                         ` Enrico Scholz
2018-03-27 16:46                                                           ` Seebs
2018-03-24 20:22                                   ` Joshua Watt
2018-03-24 21:01                                     ` Seebs
2018-03-24 20:27                                   ` Andre McCurdy
2018-03-27 14:42         ` Enrico Scholz
2018-03-27 15:55           ` Seebs
2018-03-27 16:35             ` Enrico Scholz
2018-03-27 16:40               ` Seebs
2018-03-27 19:20                 ` Enrico Scholz
2018-03-27 19:24                   ` Seebs
2018-03-27 20:06                     ` Enrico Scholz
2018-03-23 16:06 ` Burton, Ross
