From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E6088C4346E for ; Fri, 25 Sep 2020 03:11:56 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 971E9206C1 for ; Fri, 25 Sep 2020 03:11:56 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="eOBo1Dk5" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727032AbgIYDL3 (ORCPT ); Thu, 24 Sep 2020 23:11:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33982 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726738AbgIYDL3 (ORCPT ); Thu, 24 Sep 2020 23:11:29 -0400 Received: from mail-pf1-x442.google.com (mail-pf1-x442.google.com [IPv6:2607:f8b0:4864:20::442]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 600FBC0613CE; Thu, 24 Sep 2020 20:11:29 -0700 (PDT) Received: by mail-pf1-x442.google.com with SMTP id d6so1797767pfn.9; Thu, 24 Sep 2020 20:11:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4ySqE1hRmF9Ut683kpqXH3+Ug8FaOyeb/lR8F0Fj7WM=; b=eOBo1Dk5p71aOus/dqAJ5VrtH0vlEUxqA/HX/NYAH316KAy2KiDxLZ+RHBbSiGGOLC fK0M41WRXhGjY9h1joZWds6hPj2ODt92H9A8vGV6qTyOXSrttaLuU3Ca0rT+hQXa2Hc8 RnEVYQ20u5JFb6w/sofhSYAz7Y19aoL1sD4YMVwoe9yWPr31Csn0MzMhDauTqPYuuWow ZFIOuwU5e+R5uY49sI3IFKYCR+vUEDrF7oVauM/7vMjbn99qllOZWnoJfn0sPR+blKv+ hvOId1dlpBj+QvDV9av1m4Ktj1oGIee23S8yDcbQEEc7uhKSOV5LcWqviLoQ0bsA7pOh YC4A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4ySqE1hRmF9Ut683kpqXH3+Ug8FaOyeb/lR8F0Fj7WM=; b=YhqBX8tIWgOCM0/8FRX/63dAbcbovQ1GNErUrFSuM2ysuz50HJ+wvizcjFAGZDcKb9 u/MvYWnDD0l02awUqDXlN5aV7+61pzb1uhbEqOI6NTEXXksC2gijfQAE+cKwjKHCZUsl aSvnUFehuxn7DFzDuVYlloCG31sQF/l95BerDML5hSOMQCIcjoStP9CucW3X8vzfEnvG i2A5d9zavd/U2tDTG6fqczY/+8t076F747g6p7Y4fDV9IjIp0Le47Yj4ukK4NhZqoO+6 oWXhCXFXdRyPy0GnghC87nTulNw2vYLnz0wasBUVR0L+BgQaI7Kvtg07vfr585RUqC8H x21w== X-Gm-Message-State: AOAM532O8PirBCyL05NoeUsun7ep9RMcFfU5LSV+OmEehHyqzMFLCaGL bwU8NX1w7spt5GzsOz8UIuM8Ha7d6C8vLhv7lO0= X-Google-Smtp-Source: ABdhPJzW6eDnzhk2FnjrkoXEDFOI42OK+sDY3QodTZzLs9uOSntOF7enBAOqFgHMxIhE8UdI3EgqLjF9FLBZICuokXM= X-Received: by 2002:aa7:8d4c:0:b029:150:f692:4129 with SMTP id s12-20020aa78d4c0000b0290150f6924129mr2179043pfe.11.1601003488655; Thu, 24 Sep 2020 20:11:28 -0700 (PDT) MIME-Version: 1.0 References: <202009241647.2239747F0@keescook> In-Reply-To: <202009241647.2239747F0@keescook> From: YiFei Zhu Date: Thu, 24 Sep 2020 22:11:17 -0500 Message-ID: Subject: Re: [PATCH v2 seccomp 6/6] seccomp/cache: Report cache data through /proc/pid/seccomp_cache To: Kees Cook Cc: Linux Containers , YiFei Zhu , bpf , kernel list , Aleksa Sarai , Andrea Arcangeli , Andy Lutomirski , Dimitrios Skarlatos , Giuseppe Scrivano , Hubertus Franke , Jack Chen , Jann Horn , Josep Torrellas , Tianyin Xu , Tobin Feldman-Fitzthum , Tycho Andersen , Valentin Rothberg , Will Drewry Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Sep 24, 2020 at 6:56 PM Kees Cook wrote: > > This file is guarded by CONFIG_PROC_SECCOMP_CACHE with a default > The question of permissions is my central concern here: who should see > this? Some contained processes have been intentionally blocked from > self-introspection so even the "standard" high bar of "ptrace attach > allowed?" can't always be sufficient. > > My compromise about filter visibility in the past was saying that > CAP_SYS_ADMIN was required (see seccomp_get_filter()). I'm nervous to > weaken this. (There is some work that hasn't been sent upstream yet that > is looking to expose the filter _contents_ via /proc that has been > nervous too.) > > Now full contents vs "allow"/"filter" are certainly different things, > but I don't feel like I've got enough evidence to show that this > introspection would help debugging enough to justify the partially > imagined safety of not exposing it to potential attackers. Agreed. I'm inclined to make it CONFIG_DEBUG_SECCOMP_CACHE and guarded by a CAP just to make it "debug only". > I suspect it _is_ the right thing to do (just look at my own RFC's > "debug" patch), but I'd like this to be well justified in the commit > log. > > And yes, while it does hide behind a CONFIG, I'd still want it justified, > especially since distros have a tendency to just turn everything on > anyway. ;) Is there something to stop a config from being enabled in an allyesconfig? I remember seeing something like that. Else if someone is manually selecting we can add a help text with a big banner... > But behavior-wise, yeah, I like it; I'm fine with human-readable and > full AUDIT_ARCH values. (Though, as devil's advocate again, to repeat > Jann's own words back: do we want to add this only to have a new UAPI to > support going forward?) Is this something we want to keep stable? YiFei Zhu