From: Al Viro <viro@zeniv.linux.org.uk>
To: Kees Cook <keescook@chromium.org>
Cc: ksummit-discuss@lists.linuxfoundation.org
Subject: Re: [Ksummit-discuss] [TECH TOPIC] seccomp feature development
Date: Wed, 20 May 2020 19:16:05 +0100 [thread overview]
Message-ID: <20200520181605.GA23230@ZenIV.linux.org.uk> (raw)
In-Reply-To: <202005201104.72FED15776@keescook>
On Wed, May 20, 2020 at 11:05:58AM -0700, Kees Cook wrote:
> On Wed, May 20, 2020 at 05:31:02PM +0100, Al Viro wrote:
> > On Wed, May 20, 2020 at 09:17:41AM -0700, Kees Cook wrote:
> > > As recently outlined[1], there are are a number of seccomp topics that
> > > need discussion:
> > >
> > > - fd passing
> > > - deep argument inspection
> > > - changing structure sizes
> > > - syscall bitmasks
> > >
> > > Specifically, seccomp needs to grow the ability to inspect Extensible
> > > Argument syscalls, which requires that it inspect userspace memory
> > > without Time-of-Check/Time-of-Use races and without double-copying.
> > > Additionally, since the structures can grow and be nested, there needs
> > > to be a way to
> >
> > ... catch and kill the bullshit ABI "enhancements" that would attempt that
> > kind of garbage. I'm not sure why that is seccomp-related, though...
>
> We already have structs passed to syscalls that contain pointers to yet
> more structs. Do you mean those should be disallowed? (Personally, I
> would love that, but this doesn't seem to match the reality of the
> design considerations of those syscalls.)
We have no chance to kill the existing ones off, but we certainly can stop
accepting new ones. I would make an exception for struct iovec arrays
passed as an argument, provided that the data they refer to is opaque,
and while pselect6() kind of kludges are bloody revolting, they might
be inevitable in some cases - not without a very good explanation from
their authors, though, and "I wanna have 18 arguments; whaddya mean, don't?!"
is not one.
_______________________________________________
Ksummit-discuss mailing list
Ksummit-discuss@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/ksummit-discuss
next prev parent reply other threads:[~2020-05-20 18:16 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-20 16:17 [Ksummit-discuss] [TECH TOPIC] seccomp feature development Kees Cook
2020-05-20 16:31 ` Al Viro
2020-05-20 18:05 ` Kees Cook
2020-05-20 18:16 ` Al Viro [this message]
2020-05-20 18:27 ` Linus Torvalds
2020-05-20 19:04 ` Kees Cook
2020-05-20 19:08 ` Linus Torvalds
2020-05-20 20:24 ` Christian Brauner
2020-05-20 20:52 ` Kees Cook
2020-05-20 21:02 ` Christian Brauner
2020-05-22 4:06 ` Aleksa Sarai
2020-05-22 7:35 ` Christian Brauner
2020-05-22 11:27 ` Christian Brauner
2020-05-20 22:12 ` Alexei Starovoitov
2020-05-20 23:39 ` Kees Cook
2020-05-21 0:43 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200520181605.GA23230@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=keescook@chromium.org \
--cc=ksummit-discuss@lists.linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).