From: Kees Cook <keescook@chromium.org>
To: YiFei Zhu <yifeifz2@illinois.edu>
Cc: Kees Cook <keescook@chromium.org>, Jann Horn <jannh@google.com>,
Christian Brauner <christian.brauner@ubuntu.com>,
Tycho Andersen <tycho@tycho.pizza>,
Andy Lutomirski <luto@amacapital.net>,
Will Drewry <wad@chromium.org>,
Andrea Arcangeli <aarcange@redhat.com>,
Giuseppe Scrivano <gscrivan@redhat.com>,
Tobin Feldman-Fitzthum <tobin@ibm.com>,
Dimitrios Skarlatos <dskarlat@cs.cmu.edu>,
Valentin Rothberg <vrothber@redhat.com>,
Hubertus Franke <frankeh@us.ibm.com>,
Jack Chen <jianyan2@illinois.edu>,
Josep Torrellas <torrella@illinois.edu>,
Tianyin Xu <tyxu@illinois.edu>,
bpf@vger.kernel.org, containers@lists.linux-foundation.org,
linux-api@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 6/6] [DEBUG] seccomp: Report bitmap coverage ranges
Date: Wed, 23 Sep 2020 16:29:23 -0700 [thread overview]
Message-ID: <20200923232923.3142503-7-keescook@chromium.org> (raw)
In-Reply-To: <20200923232923.3142503-1-keescook@chromium.org>
This is what I've been using to explore actual bitmap results for
real-world filters...
Signed-off-by: Kees Cook <keescook@chromium.org>
---
kernel/seccomp.c | 115 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 115 insertions(+)
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 9921f6f39d12..1a0595d7f8ef 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -835,6 +835,85 @@ static void seccomp_update_bitmap(struct seccomp_filter *filter,
}
}
+static void __report_bitmap(const char *arch, u32 ret, int start, int finish)
+{
+ int gap;
+ char *name;
+
+ if (finish == -1)
+ return;
+
+ switch (ret) {
+ case UINT_MAX:
+ name = "filter";
+ break;
+ case SECCOMP_RET_ALLOW:
+ name = "SECCOMP_RET_ALLOW";
+ break;
+ case SECCOMP_RET_KILL_PROCESS:
+ name = "SECCOMP_RET_KILL_PROCESS";
+ break;
+ case SECCOMP_RET_KILL_THREAD:
+ name = "SECCOMP_RET_KILL_THREAD";
+ break;
+ default:
+ WARN_ON_ONCE(1);
+ name = "unknown";
+ break;
+ }
+
+ gap = 0;
+ if (start < 100)
+ gap++;
+ if (start < 10)
+ gap++;
+ if (finish < 100)
+ gap++;
+ if (finish < 10)
+ gap++;
+
+ if (start == finish)
+ pr_info("%s %3d: %s\n", arch, start, name);
+ else if (start + 1 == finish)
+ pr_info("%s %*s%d,%d: %s\n", arch, gap, "", start, finish, name);
+ else
+ pr_info("%s %*s%d-%d: %s\n", arch, gap, "", start, finish, name);
+}
+
+static void report_bitmap(struct seccomp_bitmaps *bitmaps, const char *arch)
+{
+ u32 nr;
+ int start = 0, finish = -1;
+ u32 ret = UINT_MAX;
+ struct report_states {
+ unsigned long *bitmap;
+ u32 ret;
+ } states[] = {
+ { .bitmap = bitmaps->allow, .ret = SECCOMP_RET_ALLOW, },
+ { .bitmap = bitmaps->kill_process, .ret = SECCOMP_RET_KILL_PROCESS, },
+ { .bitmap = bitmaps->kill_thread, .ret = SECCOMP_RET_KILL_THREAD, },
+ { .bitmap = NULL, .ret = UINT_MAX, },
+ };
+
+ for (nr = 0; nr < NR_syscalls; nr++) {
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(states); i++) {
+ if (!states[i].bitmap || test_bit(nr, states[i].bitmap)) {
+ if (ret != states[i].ret) {
+ __report_bitmap(arch, ret, start, finish);
+ ret = states[i].ret;
+ start = nr;
+ }
+ finish = nr;
+ break;
+ }
+ }
+ }
+ if (start != nr)
+ __report_bitmap(arch, ret, start, finish);
+}
+
static void seccomp_update_bitmaps(struct seccomp_filter *filter,
void *pagepair)
{
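Review bot: `name` in `__report_bitmap` only ever points at string literals, so it should be declared `const char *name;` — writing through it would be undefined behaviour and the const type documents that it is a label, not a buffer. In `report_bitmap`, `i` is an `int` compared against `ARRAY_SIZE(states)` (a `size_t`), which trips `-Wsign-compare`; `size_t i;` fixes that. The trailing `if (start != nr)` is true whenever NR_syscalls > 0 (start is only ever assigned an `nr` below the bound) and `__report_bitmap` already returns early on `finish == -1` for the empty case, so the final call can be made unconditionally. The outer loop also assumes every table passed in has bitmaps spanning NR_syscalls bits; if the compat table is sized by its own syscall count, that size should drive the loop instead — the struct layout is outside this hunk.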
@@ -849,6 +928,23 @@ static void seccomp_update_bitmaps(struct seccomp_filter *filter,
SECCOMP_MULTIPLEXED_SYSCALL_TABLE_MASK,
¤t->seccomp.multiplex);
#endif
+ if (strncmp(current->comm, "test-", 5) == 0 ||
+ strcmp(current->comm, "seccomp_bpf") == 0 ||
+ /*
+ * Why are systemd's process names head-truncated to 8 bytes
+ * and wrapped in parens!?
+ */
+ (current->comm[0] == '(' && strrchr(current->comm, ')') != NULL)) {
+ pr_info("reporting syscall bitmap usage for %d (%s):\n",
+ task_pid_nr(current), current->comm);
+ report_bitmap(¤t->seccomp.native, "native");
+#ifdef CONFIG_COMPAT
+ report_bitmap(¤t->seccomp.compat, "compat");
+#endif
+#ifdef SECCOMP_MULTIPLEXED_SYSCALL_TABLE_ARCH
+ report_bitmap(¤t->seccomp.multiplex, "multiplex");
+#endif
+ }
}
#else
static void seccomp_update_bitmaps(struct seccomp_filter *filter,
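Review bot: The gate on `current->comm` hard-codes three name heuristics and, for a matching task, prints the full native (and compat/multiplex) tables on every filter attach, so a process that installs several filters has its whole table logged once per attach; for a debug hook, a boot or module parameter holding the comm prefix would be easier to steer than editing the source, and printing only when the bitmaps changed would cut the noise. The embedded comment reads as a question rather than an explanation; a statement serves the next reader better: `/* systemd's worker processes are named "(name)": match any parenthesised comm */`. `¤t` on these lines is `&current` mangled by the archive's entity rendering. The body of seccomp_update_bitmaps begins outside the hunk.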
@@ -908,6 +1004,10 @@ static long seccomp_attach_filter(unsigned int flags,
filter->prev = current->seccomp.filter;
current->seccomp.filter = filter;
atomic_inc(¤t->seccomp.filter_count);
+ if (atomic_read(¤t->seccomp.filter_count) > 10)
+ pr_info("%d filters: %d (%s)\n",
+ atomic_read(¤t->seccomp.filter_count),
+ task_pid_nr(current), current->comm);
/* Evaluate filter for new known-outcome syscalls */
seccomp_update_bitmaps(filter, pagepair);
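Review bot: `filter_count` is read twice on the new lines, once for the threshold test and again for the message; reading it once into a local keeps the printed value consistent with the tested one and drops the second atomic read, e.g. `int count = atomic_read(&current->seccomp.filter_count);` followed by `if (count > 10) pr_info("%d filters: %d (%s)\n", count, task_pid_nr(current), current->comm);`. The threshold `10` also deserves a named constant or a one-line comment saying why ten filters is the interesting boundary. seccomp_attach_filter continues outside the hunk.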
@@ -2419,6 +2519,21 @@ static int __init seccomp_sysctl_init(void)
pr_warn("sysctl registration failed\n");
else
kmemleak_not_leak(hdr);
+#ifndef SECCOMP_ARCH
+ pr_info("arch lacks support for constant action bitmaps\n");
+#else
+ pr_info("NR_syscalls: %d\n", NR_syscalls);
+ pr_info("arch: 0x%x\n", SECCOMP_ARCH);
+#ifdef CONFIG_COMPAT
+ pr_info("compat arch: 0x%x\n", SECCOMP_ARCH_COMPAT);
+#endif
+#ifdef SECCOMP_MULTIPLEXED_SYSCALL_TABLE_ARCH
+ pr_info("multiplex arch: 0x%x (mask: 0x%x)\n",
+ SECCOMP_MULTIPLEXED_SYSCALL_TABLE_ARCH,
+ SECCOMP_MULTIPLEXED_SYSCALL_TABLE_MASK);
+#endif
+#endif
+ pr_info("sizeof(struct seccomp_bitmaps): %zu\n", sizeof(struct seccomp_bitmaps));
return 0;
}
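Review bot: The final `pr_info("sizeof(struct seccomp_bitmaps): %zu\n", ...)` sits outside the `#ifndef SECCOMP_ARCH` / `#else` pair, so it is compiled even on architectures that the preceding branch reports as lacking bitmap support; if `struct seccomp_bitmaps` is only declared under that same condition (its definition is not on the page), this line will not build there, and moving it inside the `#else` branch avoids that. A one-line comment above the block stating that these messages are diagnostic output for the bitmap work, e.g. `/* Report the arch constants the bitmap code was built against. */`, would also help a reader who meets them in dmesg. seccomp_sysctl_init starts outside the hunk.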
--
2.25.1