From: Dave Hansen <email@example.com>
To: Jann Horn <firstname.lastname@example.org>
Cc: email@example.com, Kees Cook <firstname.lastname@example.org>, Linux API <email@example.com>, Dave Hansen <firstname.lastname@example.org>, email@example.com, Andy Lutomirski <firstname.lastname@example.org>, email@example.com, firstname.lastname@example.org
Subject: Re: [RFC PATCH] seccomp: Add protection keys into seccomp_data
Date: Mon, 29 Oct 2018 10:29:18 -0700
Message-ID: <email@example.com>
In-Reply-To: <CAG48ez1mY7Osdsc4iJ1JKq=C60wb9bQF=aHbi1fb=pb_V2XMJA@mail.gmail.com>

On 10/29/18 9:48 AM, Jann Horn wrote:
> On Mon, Oct 29, 2018 at 5:37 PM Dave Hansen <firstname.lastname@example.org> wrote:
>> I'm not sure this is a great use for PKRU. I *think* the basic problem
>> is that you want to communicate some rights information down into a
>> filter, and you want to communicate it with PKRU. While it's handy to
>> have an extra register that nobody (generally) mucks with, I'm not quite
>> convinced that we want to repurpose it this way.
>
> That's not how I understand it; I believe that the context is probably
> https://arxiv.org/pdf/1801.06822.pdf ?
> My understanding is that PKRU is used for lightweight in-process
> sandboxing, and to extend this sandbox protection to the syscall
> interface, it is necessary to expose PKRU state to seccomp filters.
> In other words, this isn't using PKRU exclusively for passing rights
> into a filter, but it has to use PKRU anyway.

PKRU gives information about rights to various bits of application data. From that, a seccomp filter can infer the context, and thus the ability for the code to call a given syscall at a certain point in time. This makes PKRU an opt-in part of the syscall ABI, which is pretty interesting.
We _could_ do the same kind of thing with any callee-saved general purpose register, but PKRU is particularly attractive because there is only one instruction that writes to it (well, outside of XSAVE*), and random library code is very unlikely at this point to be using it. PKRU getting reset on signals, and the requirement now that it *can't* be changed if you make syscalls probably needs to get thought about very carefully before we do this, though.
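As an added illustration (not code from the RFC patch or from anyone in this thread), here is a userspace model of the policy Dave describes: a filter that takes the PKRU snapshot the RFC would place in seccomp_data, infers the executing domain from the key bits, and decides whether a syscall is allowed, plus the signal-reset caveat. The trusted-key number, the domain names and the sandbox allow-list are assumptions; the PKRU bit layout (two bits per key, AD then WD) and the kernel's default PKRU that access-disables keys 1 through 15 are the x86 values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <sys/syscall.h>

/* x86 PKRU layout: two bits per protection key, bit 2k = access-disable (AD),
 * bit 2k+1 = write-disable (WD), for keys 0..15. */
#define PKRU_AD_BIT(k) (1u << (2 * (k)))
#define PKRU_WD_BIT(k) (1u << (2 * (k) + 1))

/* Assumption for this example: the trusted runtime keeps its private data
 * under key 1 and clears that key's AD bit only while trusted code runs. */
#define TRUSTED_KEY 1

enum domain { DOMAIN_TRUSTED, DOMAIN_SANDBOX };

/* What a filter could learn from a PKRU snapshot in seccomp_data: if the
 * thread cannot currently read the trusted data, sandboxed code is running. */
enum domain pkru_domain(uint32_t pkru)
{
    return (pkru & PKRU_AD_BIT(TRUSTED_KEY)) ? DOMAIN_SANDBOX : DOMAIN_TRUSTED;
}

/* Policy decision for one syscall number given the PKRU snapshot. The
 * allow-list for the sandboxed domain is a constructed example. */
bool policy_allows(uint32_t pkru, long nr)
{
    if (pkru_domain(pkru) == DOMAIN_TRUSTED)
        return true;
    switch (nr) {
    case SYS_read:
    case SYS_write:
    case SYS_exit:
    case SYS_exit_group:
        return true;
    default:
        return false;
    }
}

/* The kernel's default PKRU (init_pkru_value): keys 1..15 access-disabled,
 * key 0 open. A signal handler starts with this value, so a handler that
 * interrupts trusted code is classified as sandboxed by the policy above
 * unless the policy accounts for that, which is the caveat raised above. */
uint32_t init_pkru_value(void)
{
    uint32_t v = 0;
    for (int k = 1; k < 16; k++)
        v |= PKRU_AD_BIT(k);
    return v;
}

bool signal_handler_looks_sandboxed(void)
{
    return pkru_domain(init_pkru_value()) == DOMAIN_SANDBOX;
}
```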