From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932386AbbFDRPH (ORCPT ); Thu, 4 Jun 2015 13:15:07 -0400 Received: from mail-ig0-f178.google.com ([209.85.213.178]:36449 "EHLO mail-ig0-f178.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753706AbbFDRPE (ORCPT ); Thu, 4 Jun 2015 13:15:04 -0400 Date: Thu, 4 Jun 2015 11:15:01 -0600 From: Tycho Andersen To: Kees Cook Cc: LKML , Linux API , Andy Lutomirski , Will Drewry , Roland McGrath , Oleg Nesterov , Pavel Emelyanov , "Serge E. Hallyn" Subject: Re: [PATCH v2] seccomp: add ptrace options for suspend/resume Message-ID: <20150604171501.GI3160@smitten> References: <1433369396-13360-1-git-send-email-tycho.andersen@canonical.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jun 04, 2015 at 09:44:36AM -0700, Kees Cook wrote: > On Wed, Jun 3, 2015 at 3:09 PM, Tycho Andersen > wrote: > > This patch is the first step in enabling checkpoint/restore of processes > > with seccomp enabled. > > > > One of the things CRIU does while dumping tasks is inject code into them > > via ptrace to collect information that is only available to the process > > itself. However, if we are in a seccomp mode where these processes are > > prohibited from making these syscalls, then what CRIU does kills the task. > > > > This patch adds a new ptrace option, PTRACE_O_SUSPEND_SECCOMP, that enables > > a task from the init user namespace which has CAP_SYS_ADMIN and no seccomp > > filters to disable (and re-enable) seccomp filters for another task so that > > they can be successfully dumped (and restored). We restrict the set of > > processes that can disable seccomp through ptrace because although today > > ptrace can be used to bypass seccomp, there is some discussion of closing > > this loophole in the future and we would like this patch to not depend on > > that behavior and be future proofed for when it is removed. > > > > Note that seccomp can be suspended before any filters are actually > > installed; this behavior is useful on criu restore, so that we can suspend > > seccomp, restore the filters, unmap our restore code from the restored > > process' address space, and then resume the task by detaching and have the > > filters resumed as well. > > > > v2 changes: > > > > * require that the tracer have no seccomp filters installed > > * drop TIF_NOTSC manipulation from the patch > > * change from ptrace command to a ptrace option and use this ptrace option > > as the flag to check. This means that as soon as the tracer > > detaches/dies, seccomp is re-enabled and as a corrollary that one can not > > disable seccomp across PTRACE_ATTACHs. > > This feature gives me the creeps, but I think it's okay. :D > Could it be > further restricted so that the process doing the suspension is already > ptracing the target? As far as I understand it you do have to PTRACE_{ATTACH,SEIZE} to the target before setting options in general. Is that not what you mean here? The rest of the changes sound good, I'll make those and resend. > > Thanks for working on this! Thanks for the review. Tycho