linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Kees Cook <keescook@chromium.org>
To: linux-kernel@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>,
	Andy Lutomirski <luto@kernel.org>,
	Benjamin Herrenschmidt <benh@kernel.crashing.org>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Chris Metcalf <cmetcalf@mellanox.com>,
	Heiko Carstens <heiko.carstens@de.ibm.com>,
	Helge Deller <deller@gmx.de>,
	"James E.J. Bottomley" <jejb@parisc-linux.org>,
	James Hogan <james.hogan@imgtec.com>,
	Jeff Dike <jdike@addtoit.com>,
	linux-arch@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
	linux-mips@linux-mips.org, linux-parisc@vger.kernel.org,
	linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org,
	"Maciej W. Rozycki" <macro@imgtec.com>,
	Mark Rutland <mark.rutland@arm.com>,
	Martin Schwidefsky <schwidefsky@de.ibm.com>,
	Michael Ellerman <mpe@ellerman.id.au>,
	Paul Mackerras <paulus@samba.org>,
	Ralf Baechle <ralf@linux-mips.org>,
	Richard Weinberger <richard@nod.at>,
	Russell King <linux@armlinux.org.uk>,
	user-mode-linux-devel@lists.sourceforge.net,
	Will Deacon <will.deacon@arm.com>,
	x86@kernel.org
Subject: [PATCH 00/14] run seccomp after ptrace
Date: Thu,  9 Jun 2016 14:01:50 -0700	[thread overview]
Message-ID: <1465506124-21866-1-git-send-email-keescook@chromium.org> (raw)

There has been a long-standing (and documented) issue with seccomp
where ptrace can be used to change a syscall out from under seccomp.
This is a problem for containers and other wider seccomp filtered
environments where ptrace needs to remain available, as it allows
for an escape of the seccomp filter.

Since the ptrace attack surface is available for any allowed syscall,
moving seccomp after ptrace doesn't increase the actually available
attack surface. And this actually improves tracing since, for
example, tracers will be notified of syscall entry before seccomp
sends a SIGSYS, which makes debugging filters much easier.

The per-architecture changes do make one (hopefully small)
semantic change, which is that since ptrace comes first, it may
request a syscall be skipped. Running seccomp after this doesn't
make sense, so if ptrace wants to skip a syscall, it will bail
out early similarly to how seccomp was. This means that skipped
syscalls will not be fed through audit, though that likely means
we're actually avoiding noise this way.

This series first cleans up seccomp to remove the now unneeded
two-phase entry, fixes the SECCOMP_RET_TRACE hole (same as the
ptrace hole above), and then reorders seccomp after ptrace on
each architecture.

Thanks,

-Kees

             reply	other threads:[~2016-06-09 21:02 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-06-09 21:01 Kees Cook [this message]
2016-06-09 21:01 ` [PATCH 01/14] seccomp: add tests for ptrace hole Kees Cook
2016-06-09 21:01 ` [PATCH 02/14] seccomp: Add a seccomp_data parameter secure_computing() Kees Cook
2016-06-09 21:01 ` [PATCH 03/14] x86/entry: Get rid of two-phase syscall entry work Kees Cook
2016-06-09 21:01 ` [PATCH 04/14] seccomp: remove 2-phase API Kees Cook
2016-06-09 21:01 ` [PATCH 05/14] seccomp: recheck the syscall after RET_TRACE Kees Cook
2016-06-09 22:46   ` Andy Lutomirski
2016-06-09 21:01 ` [PATCH 06/14] x86/ptrace: run seccomp after ptrace Kees Cook
2016-06-09 22:52   ` Andy Lutomirski
2016-06-10  2:01     ` Kees Cook
2016-06-14  2:27     ` Andy Lutomirski
2016-06-09 21:01 ` [PATCH 07/14] arm/ptrace: " Kees Cook
2016-06-09 21:01 ` [PATCH 08/14] arm64/ptrace: " Kees Cook
2016-06-09 21:01 ` [PATCH 09/14] MIPS/ptrace: " Kees Cook
2016-06-09 21:02 ` [PATCH 10/14] parisc/ptrace: " Kees Cook
2016-06-09 21:02 ` [PATCH 11/14] s390/ptrace: " Kees Cook
2016-06-10 10:51   ` Martin Schwidefsky
2016-06-09 21:02 ` [PATCH 12/14] powerpc/ptrace: " Kees Cook
2016-06-09 21:02 ` [PATCH 13/14] tile/ptrace: " Kees Cook
2016-06-09 21:02 ` [PATCH 14/14] um/ptrace: " Kees Cook
2016-06-13 20:50 ` [PATCH 00/14] " Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1465506124-21866-1-git-send-email-keescook@chromium.org \
    --to=keescook@chromium.org \
    --cc=benh@kernel.crashing.org \
    --cc=catalin.marinas@arm.com \
    --cc=cmetcalf@mellanox.com \
    --cc=deller@gmx.de \
    --cc=heiko.carstens@de.ibm.com \
    --cc=james.hogan@imgtec.com \
    --cc=jdike@addtoit.com \
    --cc=jejb@parisc-linux.org \
    --cc=linux-arch@vger.kernel.org \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mips@linux-mips.org \
    --cc=linux-parisc@vger.kernel.org \
    --cc=linux-s390@vger.kernel.org \
    --cc=linux@armlinux.org.uk \
    --cc=linuxppc-dev@lists.ozlabs.org \
    --cc=luto@kernel.org \
    --cc=macro@imgtec.com \
    --cc=mark.rutland@arm.com \
    --cc=mpe@ellerman.id.au \
    --cc=paulus@samba.org \
    --cc=ralf@linux-mips.org \
    --cc=richard@nod.at \
    --cc=schwidefsky@de.ibm.com \
    --cc=user-mode-linux-devel@lists.sourceforge.net \
    --cc=will.deacon@arm.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).