linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Will Drewry <wad@chromium.org>
To: Kees Cook <keescook@chromium.org>
Cc: Andrew Lutomirski <luto@mit.edu>, Oleg Nesterov <oleg@redhat.com>,
	linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org,
	linux-doc@vger.kernel.org, kernel-hardening@lists.openwall.com,
	netdev@vger.kernel.org, x86@kernel.org, arnd@arndb.de,
	davem@davemloft.net, hpa@zytor.com, mingo@redhat.com,
	peterz@infradead.org, rdunlap@xenotime.net,
	mcgrathr@chromium.org, tglx@linutronix.de, eparis@redhat.com,
	serge.hallyn@canonical.com, djm@mindrot.org,
	scarybeasts@gmail.com, indan@nul.nu, pmoore@redhat.com,
	akpm@linux-foundation.org, corbet@lwn.net,
	eric.dumazet@gmail.com, markus@chromium.org,
	coreyb@linux.vnet.ibm.com
Subject: Re: [PATCH v11 07/12] seccomp: add SECCOMP_RET_ERRNO
Date: Mon, 27 Feb 2012 13:54:40 -0600	[thread overview]
Message-ID: <CABqD9hZQ7T4zPjKY3403yKDLXpVLBWHeKVxTKvQXnWAzmiksfQ@mail.gmail.com> (raw)
In-Reply-To: <CAGXu5jJGiLSRSgQ1nssLSMY1V+9X3y4Uh-kMgQG7moa6PPj3bw@mail.gmail.com>

On Mon, Feb 27, 2012 at 1:14 PM, Kees Cook <keescook@chromium.org> wrote:
> On Mon, Feb 27, 2012 at 10:35 AM, Andrew Lutomirski <luto@mit.edu> wrote:
>> On Mon, Feb 27, 2012 at 10:14 AM, Oleg Nesterov <oleg@redhat.com> wrote:
>>> On 02/27, Kees Cook wrote:
>>>>
>>>> On Mon, Feb 27, 2012 at 9:11 AM, Oleg Nesterov <oleg@redhat.com> wrote:
>>>> > On 02/24, Will Drewry wrote:
>>>> >>
>>>> >>  static u32 seccomp_run_filters(int syscall)
>>>> >>  {
>>>> >>       struct seccomp_filter *f;
>>>> >> -     u32 ret = SECCOMP_RET_KILL;
>>>> >>       static const struct bpf_load_fn fns = {
>>>> >>               bpf_load,
>>>> >>               sizeof(struct seccomp_data),
>>>> >>       };
>>>> >> +     u32 ret = SECCOMP_RET_ALLOW;
>>>> >>       const void *sc_ptr = (const void *)(uintptr_t)syscall;
>>>> >>
>>>> >> +     /* Ensure unexpected behavior doesn't result in failing open. */
>>>> >> +     if (unlikely(current->seccomp.filter == NULL))
>>>> >> +             ret = SECCOMP_RET_KILL;
>>>> >
>>>> > Is "seccomp.filter == NULL" really possible?
>>>>
>>>> It should not be, but I'm much more comfortable with this failing
>>>> closed. I think it's important to be as defensive as possible with
>>>> this code given its intended use.
>>>
>>> Can't resists... Sorry, I know I am troll but personally I think
>>> in this case the most defensive code is BUG_ON(->filter == NULL)
>>> or at least WARN_ON().
>>
>> Linus will probably object because he objected (correctly) to a very
>> similar problem in my old vsyscall emulation series.  A userspace
>> security feature shouldn't have a failure mode in which it confuses
>> the kernel and results in an oops, unless the situation is really
>> unrecoverable.  So WARN_ON plus do_exit would be okay but BUG_ON would
>> not.
>
> Yeah, actually, add WARN_ON would be preferred here because it should
> be an impossible situation. It should still fail closed, though:
>
>      /* Ensure unexpected behavior doesn't result in failing open. */
>      if (WARN_ON(current->seccomp.filter == NULL))
>              return SECCOMP_RET_KILL;

I'll do that - thanks!

  reply	other threads:[~2012-02-27 19:54 UTC|newest]

Thread overview: 53+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-02-25  3:21 [PATCH v11 01/12] sk_run_filter: add support for custom load_pointer Will Drewry
2012-02-25  3:21 ` [PATCH v11 02/12] net/compat.c,linux/filter.h: share compat_sock_fprog Will Drewry
2012-02-25  3:21 ` [PATCH v11 03/12] seccomp: kill the seccomp_t typedef Will Drewry
2012-02-25  3:21 ` [PATCH v11 04/12] asm/syscall.h: add syscall_get_arch Will Drewry
2012-02-25  3:21 ` [PATCH v11 05/12] arch/x86: add syscall_get_arch to syscall.h Will Drewry
2012-02-25  3:21 ` [PATCH v11 06/12] seccomp: add system call filtering using BPF Will Drewry
2012-02-26 20:28   ` Kees Cook
2012-02-27 16:23     ` Will Drewry
2012-02-27 16:49       ` Eric Paris
2012-02-27 18:55         ` Kees Cook
2012-02-27 19:25           ` Eric Paris
2012-02-27 20:00             ` Kees Cook
2012-02-27 20:34               ` Eric Paris
2012-02-27 20:49                 ` Kees Cook
2012-02-27 17:09   ` Oleg Nesterov
2012-02-27 19:54     ` Will Drewry
2012-02-27 20:15       ` Kees Cook
2012-02-28 15:13       ` Oleg Nesterov
2012-02-28 17:18         ` Will Drewry
2012-02-28  6:51   ` Indan Zupancic
2012-02-28  7:52     ` Kees Cook
2012-02-28 17:17     ` Will Drewry
2012-02-28 17:47       ` Markus Gutschke
2012-02-25  3:21 ` [PATCH v11 07/12] seccomp: add SECCOMP_RET_ERRNO Will Drewry
2012-02-25 20:20   ` Kees Cook
2012-02-27 16:22     ` Will Drewry
2012-02-27 17:11   ` Oleg Nesterov
2012-02-27 18:09     ` Kees Cook
2012-02-27 18:14       ` Oleg Nesterov
2012-02-27 18:35         ` Andrew Lutomirski
2012-02-27 19:14           ` Kees Cook
2012-02-27 19:54             ` Will Drewry [this message]
2012-02-25  3:21 ` [PATCH v11 08/12] signal, x86: add SIGSYS info and make it synchronous Will Drewry
2012-02-27 17:22   ` Oleg Nesterov
2012-02-27 17:34     ` Roland McGrath
2012-02-27 18:08       ` Oleg Nesterov
2012-02-27 20:24     ` Will Drewry
2012-02-28 16:02       ` Oleg Nesterov
2012-02-28 17:06         ` Will Drewry
2012-02-25  3:21 ` [PATCH v11 09/12] seccomp: Add SECCOMP_RET_TRAP Will Drewry
2012-02-25  3:21 ` [PATCH v11 10/12] ptrace,seccomp: Add PTRACE_SECCOMP support Will Drewry
2012-02-27 17:54   ` Oleg Nesterov
2012-02-27 19:47     ` Will Drewry
2012-02-28 16:43       ` Oleg Nesterov
2012-02-28 17:04         ` Will Drewry
2012-02-28 18:34           ` Will Drewry
2012-02-29 16:14             ` Oleg Nesterov
2012-02-29 16:33               ` Will Drewry
2012-02-29 17:09                 ` Oleg Nesterov
2012-02-29 17:41                   ` Roland McGrath
2012-02-29 17:51                     ` Will Drewry
2012-02-25  3:21 ` [PATCH v11 11/12] x86: Enable HAVE_ARCH_SECCOMP_FILTER Will Drewry
2012-02-25  3:21 ` [PATCH v11 12/12] Documentation: prctl/seccomp_filter Will Drewry

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CABqD9hZQ7T4zPjKY3403yKDLXpVLBWHeKVxTKvQXnWAzmiksfQ@mail.gmail.com \
    --to=wad@chromium.org \
    --cc=akpm@linux-foundation.org \
    --cc=arnd@arndb.de \
    --cc=corbet@lwn.net \
    --cc=coreyb@linux.vnet.ibm.com \
    --cc=davem@davemloft.net \
    --cc=djm@mindrot.org \
    --cc=eparis@redhat.com \
    --cc=eric.dumazet@gmail.com \
    --cc=hpa@zytor.com \
    --cc=indan@nul.nu \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-arch@vger.kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@mit.edu \
    --cc=markus@chromium.org \
    --cc=mcgrathr@chromium.org \
    --cc=mingo@redhat.com \
    --cc=netdev@vger.kernel.org \
    --cc=oleg@redhat.com \
    --cc=peterz@infradead.org \
    --cc=pmoore@redhat.com \
    --cc=rdunlap@xenotime.net \
    --cc=scarybeasts@gmail.com \
    --cc=serge.hallyn@canonical.com \
    --cc=tglx@linutronix.de \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).