bpf.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Thomas Weißschuh" <linux@weissschuh.net>
To: Paul Moore <paul@paul-moore.com>
Cc: linux-audit@redhat.com, bpf@vger.kernel.org
Subject: Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters
Date: Mon, 28 Jun 2021 19:58:52 +0200	[thread overview]
Message-ID: <efb74f33-6876-48ec-bb9c-87b2247bdedb@t-8ch.de> (raw)
In-Reply-To: <CAHC9VhSrki+=724CSQbDdiiMnM8oXTmFP-XFnOmq28c03x1RQQ@mail.gmail.com>

Hi again!

On Mo, 2021-06-28T13:34-0400, Paul Moore wrote:
> On Mon, Jun 28, 2021 at 1:13 PM Thomas Weißschuh <linux@weissschuh.net> wrote:
> > On Mo, 2021-06-28T12:59-0400, Paul Moore wrote:
> > > On Mon, Jun 28, 2021 at 9:25 AM Thomas Weißschuh <linux@weissschuh.net> wrote:
> > > >
> > > > Hi everyone,
> > > >
> > > > there does not seem to be a way to access the AUDIT_ARCH_ constant that matches
> > > > the currently visible syscall numbers (__NR_...) from the kernel uapi headers.
> > >
> > > Looking at Linus' current tree I see the AUDIT_ARCH_* defines in
> > > include/uapi/linux/audit.h; looking on my system right now I see the
> > > defines in /usr/include/linux/audit.h.  What kernel repository and
> > > distribution are you using?
> >
> > I am using ArchLinux and also have all these defines.
> >
> > > > Questions:
> > > >
> > > > Is it really necessary to validate the arch value when syscall numbers are
> > > > already target-specific?
> > > > (If not, should this be added to the docs?)
> > >
> > > Checking the arch/ABI value is important so that you can ensure that
> > > you are using the syscall number in the proper context.  For example,
> > > look at the access(2) syscall: it is undefined on some ABIs and can
> > > take either a value of 20, 21, or 33 depending on the arch/ABI.
> > > Unfortunately this is rather common.
> >
> > But when if I am not hardcoding the syscall numbers but use the
> > __NR_access kernel define then I should always get the correct number for the
> > ABI I am compiling for (or an error if the syscall does not exist), no?
> 
> Remember that seccomp filters are inherited across forks, so if your
> application loads an ABI specific filter and then fork()/exec()'s an
> application with a different ABI you could be in trouble.  We saw this
> some years ago when people started running containers with ABIs other
> than the native system; if the container orchestrator didn't load a
> filter that knew about these non-native ABIs Bad Things happened.

My application will not be able to spawn any new processes.
It is limited to write() and exit().
Also this is a low-level system application so it should always be compiled for
the native ABI.
So this should not be an issue.

> I'm sure you are already aware of libseccomp, but if not you may want
> to consider it for your application.  Not only does it provide a safe
> and easy way to handle multiple ABIs in a single filter, it handles
> other seccomp problem areas like build/runtime system differences in
> the syscall tables/defines as well as the oddball nature of
> direct-call and multiplexed socket related syscalls, i.e. socketcall()
> vs socket(), etc.

For a larger application this would be indeed my choice.
But for a small application like mine I don't think it is worth it.
libseccomp for example does provide a way to get the native audit arch:
`uint32_t seccomp_arch_native(void);`. It is implemented by ifdef-ing on
various compiler defines to detect the ABI compiled for.

I'd like the kernel to provide this out-of-the box, so I don't have to have the
same ifdefs in my application(s) and keep them up to date.

I found that the kernel internally already has a definition for my usecase:
SECCOMP_ARCH_NATIVE.
It is just not exported to userspace.

> > > Checking the arch/ABI value is also handy if you want to quickly
> > > disallow certain ABIs on a system that supports multiple ABI, e.g.
> > > disabling 32-bit x86 on a 64-bit x86_64 system.
> > >
> > > > Would it make sense to expose the audit arch matching the syscall numbers in
> > > > the uapi headers?
> > >
> > > Yes, which is why the existing headers do so ;)  If you don't see the
> > > header files I mentioned above, it may be worth checking your kernel
> > > source repository and your distribution's installed kernel header
> > > files.
> >
> > I do see constants for all the possible ABIs but not one constant that always
> > represents the one I am currently compiling for.
> > The same way the syscall number defines always give me the syscall number for
> > the currently targeted ABI.
> 
> I'm sorry, but I don't quite understand what you are looking for in
> the header files ... ?  It might help if you could provide a concrete
> example of what you would like to see in the header files?

I want to do something like the follwing inside my program to assemble a
seccomp filter that will be loaded before the error-prone parts of the
application will begin.

1: BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arch),
2: BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH_NATIVE, 0, $KILL)
3: BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_nr),
4: BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, $ALLOW, $KILL),

In line 4 I can already have the kernel headers provide me the correct syscall
number for the ABI my application is compiled for.

For line 2 however I need to define AUDIT_ARCH_CURRENT on my own instead of
having a kernel header provide the correct value.

Thomas

  reply	other threads:[~2021-06-28 17:59 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-06-28  7:31 Thomas Weißschuh
2021-06-28 16:59 ` Paul Moore
2021-06-28 17:13   ` Thomas Weißschuh
2021-06-28 17:34     ` Paul Moore
2021-06-28 17:58       ` Thomas Weißschuh [this message]
2021-06-28 22:43         ` Paul Moore
2021-06-29 10:40           ` Thomas Weißschuh
2021-06-29 23:41             ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=efb74f33-6876-48ec-bb9c-87b2247bdedb@t-8ch.de \
    --to=linux@weissschuh.net \
    --cc=bpf@vger.kernel.org \
    --cc=linux-audit@redhat.com \
    --cc=paul@paul-moore.com \
    --subject='Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).