Subject: Re: [PATCH v3 1/4] seccomp: Add sysctl to display available actions
From: Tyler Hicks
To: Andy Lutomirski
Cc: Paul Moore, Eric Paris, Kees Cook, Will Drewry, linux-audit@redhat.com, "linux-kernel@vger.kernel.org", John Crispin
Date: Thu, 16 Feb 2017 14:05:41 -0600
Message-ID: <5ebcdb7f-4aca-34a0-abbd-81eb5372776d@canonical.com>
References: <1487043928-5982-1-git-send-email-tyhicks@canonical.com> <1487043928-5982-2-git-send-email-tyhicks@canonical.com>

On 02/16/2017 01:01 PM, Andy Lutomirski wrote:
> On Thu, Feb 16, 2017 at 10:47 AM, Tyler Hicks wrote:
>> On 02/15/2017 09:14 PM, Andy Lutomirski wrote:
>>> On Mon, Feb 13, 2017 at 7:45 PM, Tyler Hicks wrote:
>>>> This patch creates a read-only sysctl containing an ordered list of
>>>> seccomp actions that the kernel supports. The ordering, from left to
>>>> right, is the lowest action value (kill) to the highest action value
>>>> (allow). Currently, a read of the sysctl file would return "kill trap
>>>> errno trace allow". The contents of this sysctl file can be useful for
>>>> userspace code as well as the system administrator.
>>>
>>> Would this make more sense as a new seccomp(2) mode a la
>>> SECCOMP_HAS_ACTION? Then sandboxy things that have no fs access could
>>> use it.
>>>
>>
>> It would make sense for code that needs to check which actions are
>> available. It wouldn't make sense for administrators that need to check
>> which actions are available unless libseccomp provided a wrapper utility.
>>
>> Is this a theoretical concern or do you know of a sandboxed piece of
>> code that cannot access the sysctl before constructing a seccomp filter?
>>
>
> It's semi-theoretical. But suppose I unshare namespaces, unmount a
> bunch of stuff, then ask libseccomp to install a filter. (I've
> written code that does exactly that.) libseccomp won't be able to
> read the sysctl.

That's a good point. It seems like we might need both mechanisms
(SECCOMP_HAS_ACTION for code and actions_avail for humans).

Tyler

>
> --Andy
>
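
The distinction raised in this exchange, as an added example that is not part of the original message or of the patch: a C lookup over the list format quoted above that reports "could not read the list" separately from "action not listed", which is the case a process hits after unmounting the filesystem that holds the sysctl. The function names, return codes and the caller-supplied path are assumptions; the page gives no path for the sysctl.

```c
#include <stdio.h>
#include <string.h>

#define ACTION_ABSENT  (-1)  /* list was read, action is not in it */
#define ACTION_UNKNOWN (-2)  /* list could not be read at all */

/* Return the 0-based position of `name` in a space-separated action list
 * (position 0 is the lowest action value), or ACTION_ABSENT. Tokens are
 * compared whole, so "trace" does not match a longer name starting with it. */
int action_rank(const char *list, const char *name)
{
    size_t want = strlen(name);
    int rank = 0;
    const char *p = list;

    while (*p) {
        p += strspn(p, " \t\n");            /* skip separators */
        size_t len = strcspn(p, " \t\n");   /* length of this token */
        if (len == 0)
            break;
        if (len == want && memcmp(p, name, len) == 0)
            return rank;
        p += len;
        rank++;
    }
    return ACTION_ABSENT;
}

/* Look `name` up in the sysctl file at `path` (caller-supplied, hypothetical).
 * A process that can no longer open the file gets ACTION_UNKNOWN, which is
 * not the same answer as "the kernel lacks this action". */
int action_rank_from_file(const char *path, const char *name)
{
    char buf[256];
    FILE *f = fopen(path, "r");
    if (!f)
        return ACTION_UNKNOWN;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return action_rank(buf, name);
}

int main(void)
{
    const char *sample = "kill trap errno trace allow\n"; /* value quoted in the patch description */
    printf("errno rank: %d\n", action_rank(sample, "errno"));
    printf("unreadable: %d\n", action_rank_from_file("/nonexistent/actions_avail", "errno"));
    return 0;
}
```

A caller that receives ACTION_UNKNOWN has to decide whether to fail closed or fall back to a conservative action set; treating it as ACTION_ABSENT would hide the difference Andy points out.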