From: "Thomas Weißschuh" <email@example.com>
To: Paul Moore <firstname.lastname@example.org>
Cc: email@example.com, firstname.lastname@example.org
Subject: Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters
Date: Tue, 29 Jun 2021 12:40:55 +0200 [thread overview]
Message-ID: <email@example.com> (raw)
On Mo, 2021-06-28T18:43-0400, Paul Moore wrote:
> On Mon, Jun 28, 2021 at 1:58 PM Thomas Weißschuh <firstname.lastname@example.org> wrote:
> > Hi again!
> !!! :)
> > On Mo, 2021-06-28T13:34-0400, Paul Moore wrote:
> > > On Mon, Jun 28, 2021 at 1:13 PM Thomas Weißschuh <email@example.com> wrote:
> > > > On Mo, 2021-06-28T12:59-0400, Paul Moore wrote:
> > > > > On Mon, Jun 28, 2021 at 9:25 AM Thomas Weißschuh <firstname.lastname@example.org> wrote:
> > > Remember that seccomp filters are inherited across forks, so if your
> > > application loads an ABI specific filter and then fork()/exec()'s an
> > > application with a different ABI you could be in trouble. We saw this
> > > some years ago when people started running containers with ABIs other
> > > than the native system; if the container orchestrator didn't load a
> > > filter that knew about these non-native ABIs Bad Things happened.
> > My application will not be able to spawn any new processes.
> > It is limited to write() and exit().
> > Also this is a low-level system application so it should always be compiled for
> > the native ABI.
> > So this should not be an issue.
> > > I'm sure you are already aware of libseccomp, but if not you may want
> > > to consider it for your application. Not only does it provide a safe
> > > and easy way to handle multiple ABIs in a single filter, it handles
> > > other seccomp problem areas like build/runtime system differences in
> > > the syscall tables/defines as well as the oddball nature of
> > > direct-call and multiplexed socket related syscalls, i.e. socketcall()
> > > vs socket(), etc.
> > For a larger application this would be indeed my choice.
> > But for a small application like mine I don't think it is worth it.
> > libseccomp for example does provide a way to get the native audit arch:
> > `uint32_t seccomp_arch_native(void);`. It is implemented by ifdef-ing on
> > various compiler defines to detect the ABI compiled for.
> > I'd like the kernel to provide this out-of-the box, so I don't have to have the
> > same ifdefs in my application(s) and keep them up to date.
> > I found that the kernel internally already has a definition for my usecase:
> > SECCOMP_ARCH_NATIVE.
> > It is just not exported to userspace.
> I'm not sure that keeping the ifdefs up to date is going to be that
> hard, and honestly that is the right place to do it IMHO. The kernel
> can support any number of ABIs, but in the narrow use case you are
> describing in this thread you only care about the ABI of your own
> application; it doesn't sound like you really care about the kernel's
> ABI, but rather your application's ABI.
Ok, fair enough.
My goal was to keep the amount of support code in my application small.
Out of 250 lines of code
100 are actual business logic,
50 are the current seccomp code
and the ifdefs would be another 50 (looking at those in libseccomp).
Having a #define provided by the kernel headers, which already cares about
my application ABI when providing the syscall numbers, would have sidestepped
all clutter and maintenance issues neatly.
I'll add my own logic then.
To get back to my other question:
Is there any chance a single given process can have multiple different ABIs
active at the same time?
Without using special syscalls to switch between them.
Because if that is not possible I can skip the checks for the arch completely
because the filter is constructed at compile time for the specific ABI
targetted and all funky syscalls are forbidden anyways.
> > > I'm sorry, but I don't quite understand what you are looking for in
> > > the header files ... ? It might help if you could provide a concrete
> > > example of what you would like to see in the header files?
> > I want to do something like the follwing inside my program to assemble a
> > seccomp filter that will be loaded before the error-prone parts of the
> > application will begin.
> > 1: BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arch),
> > 2: BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH_NATIVE, 0, $KILL)
> > 3: BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_nr),
> > 4: BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, $ALLOW, $KILL),
> > In line 4 I can already have the kernel headers provide me the correct syscall
> > number for the ABI my application is compiled for.
> > For line 2 however I need to define AUDIT_ARCH_CURRENT on my own instead of
> > having a kernel header provide the correct value.
PS: I know that this seems to be a lot of discussion for fairly little gain in
this specific case, but I'd like to use seccomp filters in the future more and
am trying to find the most unobtrusive way to add them to applications for each
(For any larger applications that will certainly include libseccomp, but that
feels overkill for very specific, zero-runtime-dependency utilities)
next prev parent reply other threads:[~2021-06-29 10:41 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-28 7:31 AUDIT_ARCH_ and __NR_syscall constants for seccomp filters Thomas Weißschuh
2021-06-28 16:59 ` Paul Moore
2021-06-28 17:13 ` Thomas Weißschuh
2021-06-28 17:34 ` Paul Moore
2021-06-28 17:58 ` Thomas Weißschuh
2021-06-28 22:43 ` Paul Moore
2021-06-29 10:40 ` Thomas Weißschuh [this message]
2021-06-29 23:41 ` Paul Moore
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).