From: Will Drewry <wad@chromium.org>
To: Kees Cook <keescook@chromium.org>
Cc: Andrew Lutomirski <luto@mit.edu>, Oleg Nesterov <oleg@redhat.com>,
linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org,
linux-doc@vger.kernel.org, kernel-hardening@lists.openwall.com,
netdev@vger.kernel.org, x86@kernel.org, arnd@arndb.de,
davem@davemloft.net, hpa@zytor.com, mingo@redhat.com,
peterz@infradead.org, rdunlap@xenotime.net,
mcgrathr@chromium.org, tglx@linutronix.de, eparis@redhat.com,
serge.hallyn@canonical.com, djm@mindrot.org,
scarybeasts@gmail.com, indan@nul.nu, pmoore@redhat.com,
akpm@linux-foundation.org, corbet@lwn.net,
eric.dumazet@gmail.com, markus@chromium.org,
coreyb@linux.vnet.ibm.com
Subject: Re: [PATCH v11 07/12] seccomp: add SECCOMP_RET_ERRNO
Date: Mon, 27 Feb 2012 13:54:40 -0600 [thread overview]
Message-ID: <CABqD9hZQ7T4zPjKY3403yKDLXpVLBWHeKVxTKvQXnWAzmiksfQ@mail.gmail.com> (raw)
In-Reply-To: <CAGXu5jJGiLSRSgQ1nssLSMY1V+9X3y4Uh-kMgQG7moa6PPj3bw@mail.gmail.com>
On Mon, Feb 27, 2012 at 1:14 PM, Kees Cook <keescook@chromium.org> wrote:
> On Mon, Feb 27, 2012 at 10:35 AM, Andrew Lutomirski <luto@mit.edu> wrote:
>> On Mon, Feb 27, 2012 at 10:14 AM, Oleg Nesterov <oleg@redhat.com> wrote:
>>> On 02/27, Kees Cook wrote:
>>>>
>>>> On Mon, Feb 27, 2012 at 9:11 AM, Oleg Nesterov <oleg@redhat.com> wrote:
>>>> > On 02/24, Will Drewry wrote:
>>>> >>
>>>> >> static u32 seccomp_run_filters(int syscall)
>>>> >> {
>>>> >> struct seccomp_filter *f;
>>>> >> - u32 ret = SECCOMP_RET_KILL;
>>>> >> static const struct bpf_load_fn fns = {
>>>> >> bpf_load,
>>>> >> sizeof(struct seccomp_data),
>>>> >> };
>>>> >> + u32 ret = SECCOMP_RET_ALLOW;
>>>> >> const void *sc_ptr = (const void *)(uintptr_t)syscall;
>>>> >>
>>>> >> + /* Ensure unexpected behavior doesn't result in failing open. */
>>>> >> + if (unlikely(current->seccomp.filter == NULL))
>>>> >> + ret = SECCOMP_RET_KILL;
>>>> >
>>>> > Is "seccomp.filter == NULL" really possible?
>>>>
>>>> It should not be, but I'm much more comfortable with this failing
>>>> closed. I think it's important to be as defensive as possible with
>>>> this code given its intended use.
>>>
>>> Can't resists... Sorry, I know I am troll but personally I think
>>> in this case the most defensive code is BUG_ON(->filter == NULL)
>>> or at least WARN_ON().
>>
>> Linus will probably object because he objected (correctly) to a very
>> similar problem in my old vsyscall emulation series. A userspace
>> security feature shouldn't have a failure mode in which it confuses
>> the kernel and results in an oops, unless the situation is really
>> unrecoverable. So WARN_ON plus do_exit would be okay but BUG_ON would
>> not.
>
> Yeah, actually, add WARN_ON would be preferred here because it should
> be an impossible situation. It should still fail closed, though:
>
> /* Ensure unexpected behavior doesn't result in failing open. */
> if (WARN_ON(current->seccomp.filter == NULL))
> return SECCOMP_RET_KILL;
I'll do that - thanks!
next prev parent reply other threads:[~2012-02-27 19:54 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-25 3:21 [PATCH v11 01/12] sk_run_filter: add support for custom load_pointer Will Drewry
2012-02-25 3:21 ` [PATCH v11 02/12] net/compat.c,linux/filter.h: share compat_sock_fprog Will Drewry
2012-02-25 3:21 ` [PATCH v11 03/12] seccomp: kill the seccomp_t typedef Will Drewry
2012-02-25 3:21 ` [PATCH v11 04/12] asm/syscall.h: add syscall_get_arch Will Drewry
2012-02-25 3:21 ` [PATCH v11 05/12] arch/x86: add syscall_get_arch to syscall.h Will Drewry
2012-02-25 3:21 ` [PATCH v11 06/12] seccomp: add system call filtering using BPF Will Drewry
2012-02-26 20:28 ` Kees Cook
2012-02-27 16:23 ` Will Drewry
2012-02-27 16:49 ` Eric Paris
2012-02-27 18:55 ` Kees Cook
2012-02-27 19:25 ` Eric Paris
2012-02-27 20:00 ` Kees Cook
2012-02-27 20:34 ` Eric Paris
2012-02-27 20:49 ` Kees Cook
2012-02-27 17:09 ` Oleg Nesterov
2012-02-27 19:54 ` Will Drewry
2012-02-27 20:15 ` Kees Cook
2012-02-28 15:13 ` Oleg Nesterov
2012-02-28 17:18 ` Will Drewry
2012-02-28 6:51 ` Indan Zupancic
2012-02-28 7:52 ` Kees Cook
2012-02-28 17:17 ` Will Drewry
2012-02-28 17:47 ` Markus Gutschke
2012-02-25 3:21 ` [PATCH v11 07/12] seccomp: add SECCOMP_RET_ERRNO Will Drewry
2012-02-25 20:20 ` Kees Cook
2012-02-27 16:22 ` Will Drewry
2012-02-27 17:11 ` Oleg Nesterov
2012-02-27 18:09 ` Kees Cook
2012-02-27 18:14 ` Oleg Nesterov
2012-02-27 18:35 ` Andrew Lutomirski
2012-02-27 19:14 ` Kees Cook
2012-02-27 19:54 ` Will Drewry [this message]
2012-02-25 3:21 ` [PATCH v11 08/12] signal, x86: add SIGSYS info and make it synchronous Will Drewry
2012-02-27 17:22 ` Oleg Nesterov
2012-02-27 17:34 ` Roland McGrath
2012-02-27 18:08 ` Oleg Nesterov
2012-02-27 20:24 ` Will Drewry
2012-02-28 16:02 ` Oleg Nesterov
2012-02-28 17:06 ` Will Drewry
2012-02-25 3:21 ` [PATCH v11 09/12] seccomp: Add SECCOMP_RET_TRAP Will Drewry
2012-02-25 3:21 ` [PATCH v11 10/12] ptrace,seccomp: Add PTRACE_SECCOMP support Will Drewry
2012-02-27 17:54 ` Oleg Nesterov
2012-02-27 19:47 ` Will Drewry
2012-02-28 16:43 ` Oleg Nesterov
2012-02-28 17:04 ` Will Drewry
2012-02-28 18:34 ` Will Drewry
2012-02-29 16:14 ` Oleg Nesterov
2012-02-29 16:33 ` Will Drewry
2012-02-29 17:09 ` Oleg Nesterov
2012-02-29 17:41 ` Roland McGrath
2012-02-29 17:51 ` Will Drewry
2012-02-25 3:21 ` [PATCH v11 11/12] x86: Enable HAVE_ARCH_SECCOMP_FILTER Will Drewry
2012-02-25 3:21 ` [PATCH v11 12/12] Documentation: prctl/seccomp_filter Will Drewry
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CABqD9hZQ7T4zPjKY3403yKDLXpVLBWHeKVxTKvQXnWAzmiksfQ@mail.gmail.com \
--to=wad@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=corbet@lwn.net \
--cc=coreyb@linux.vnet.ibm.com \
--cc=davem@davemloft.net \
--cc=djm@mindrot.org \
--cc=eparis@redhat.com \
--cc=eric.dumazet@gmail.com \
--cc=hpa@zytor.com \
--cc=indan@nul.nu \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@mit.edu \
--cc=markus@chromium.org \
--cc=mcgrathr@chromium.org \
--cc=mingo@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=peterz@infradead.org \
--cc=pmoore@redhat.com \
--cc=rdunlap@xenotime.net \
--cc=scarybeasts@gmail.com \
--cc=serge.hallyn@canonical.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).