From: Kees Cook <keescook@chromium.org>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: LKML <linux-kernel@vger.kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Casey Schaufler <casey@schaufler-ca.com>,
Daniel Borkmann <daniel@iogearbox.net>,
David Drysdale <drysdale@google.com>,
"David S . Miller" <davem@davemloft.net>,
"Eric W . Biederman" <ebiederm@xmission.com>,
James Morris <james.l.morris@oracle.com>,
Jann Horn <jann@thejh.net>, Jonathan Corbet <corbet@lwn.net>,
Matthew Garrett <mjg59@srcf.ucam.org>,
Michael Kerrisk <mtk.manpages@gmail.com>,
Paul Moore <paul@paul-moore.com>,
Sargun Dhillon <sargun@sargun.me>,
"Serge E . Hallyn" <serge@hallyn.com>,
Shuah Khan <shuah@kernel.org>, Tejun Heo <tj@kernel.org>,
Thomas Graf <tgraf@suug.ch>, Will Drewry <wad@chromium.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
Linux API <linux-api@vger.kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
Network Development <netdev@vger.kernel.org>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH net-next v6 06/11] seccomp,landlock: Handle Landlock events per process hierarchy
Date: Tue, 18 Apr 2017 16:48:16 -0700 [thread overview]
Message-ID: <CAGXu5jJnsHXvvuqfb3Rcw7HvubUEPoNQUmUVuRoc4_hqPpg4WQ@mail.gmail.com> (raw)
In-Reply-To: <a3c71579-4238-0967-b61d-522859f740aa@digikod.net>
On Tue, Apr 18, 2017 at 4:24 PM, Mickaël Salaün <mic@digikod.net> wrote:
> On 19/04/2017 00:53, Kees Cook wrote:
>> On Tue, Mar 28, 2017 at 4:46 PM, Mickaël Salaün <mic@digikod.net> wrote:
>>> +#ifdef CONFIG_SECCOMP_FILTER
>>
>> Isn't CONFIG_SECCOMP_FILTER already required for landlock?
>
> Yes it is, but Landlock could only/also be used through cgroups in the
> future. :)
Hm, okay. I still feel like the configs could be more sensible. :)
>>> @@ -1405,7 +1409,13 @@ static void copy_seccomp(struct task_struct *p)
>>>
>>> /* Ref-count the new filter user, and assign it. */
>>> get_seccomp_filter(current);
>>> - p->seccomp = current->seccomp;
>>> + p->seccomp.mode = current->seccomp.mode;
>>> + p->seccomp.filter = current->seccomp.filter;
>>> +#if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_SECURITY_LANDLOCK)
>>> + p->seccomp.landlock_events = current->seccomp.landlock_events;
>>> + if (p->seccomp.landlock_events)
>>> + atomic_inc(&p->seccomp.landlock_events->usage);
>>> +#endif /* CONFIG_SECCOMP_FILTER && CONFIG_SECURITY_LANDLOCK */
>>
>> Hrm. So, this needs config cleanup as above. Also, I'm going to need
>> some help understanding the usage tracking on landlock_events (which
>> should use a get/put rather than open-coding the _inc). I don't see
>> why individual assignments are needed here. The only thing that
>> matters is the usage bump. I would have expected no changes at all in
>> this code, actually. The filter and the events share the same usage
>> don't they?
>
> Right, I can move the struct landlock_event into the struct
> seccomp_filter. This should make the code cleaner.
No, that wasn't my point. I meant that since landlock_events is
already in ->seccomp, it's already copied by p->seccomp =
current->seccomp. The only thing you need is a
get_seccomp_landlock(current) call before the copy:
get_seccomp_filter(current);
get_seccomp_landlock(current);
p->seccomp = current->seccomp;
done! :)
And get_seccomp_landlock() can do a check for landlock_events existing, etc etc.
>>> + if (!new_events) {
>>> + /*
>>> + * If there is no Landlock events used by the current task,
>>> + * then create a new one.
>>> + */
>>> + new_events = new_landlock_events();
>>> + if (IS_ERR(new_events))
>>> + goto put_rule;
>>
>> Shouldn't bpf_prog_put() get called in the face of a rule failure too?
>> Why separate exit paths?
>
> You're right but put_landlock_rule() call bpf_prog_put() by itself.
Ah! Missed that, thanks!
>>> + } else if (atomic_read(¤t_events->usage) > 1) {
>>> + /*
>>> + * If the current task is not the sole user of its Landlock
>>> + * events, then duplicate them.
>>> + */
>>> + size_t i;
>>> +
>>> + new_events = new_landlock_events();
>>> + if (IS_ERR(new_events))
>>> + goto put_rule;
>>> + for (i = 0; i < ARRAY_SIZE(new_events->rules); i++) {
>>> + new_events->rules[i] =
>>> + lockless_dereference(current_events->rules[i]);
>>> + if (new_events->rules[i])
>>> + atomic_inc(&new_events->rules[i]->usage);
>>
>> I was going to ask: isn't the top-level usage counter sufficient to
>> track rule lifetime? But I think I see how things are tracked now:
>> each task_struct points to an array of rule list pointers. These
>> tables are duplicated when additions are made (which means each table
>> needs to be refcounted for the processes using it), and when a new
>> table is created, all the refcounters on the rules are bumped (to
>> track each table that references the rule), and when a new rule is
>> added, it's just prepended to the list for the new table to point at.
>
> That's right.
Okay, excellent. This should end up in a comment somewhere so when I
forget I can go read it again. ;)
>> Does this mean that rules are processed in reverse?
>
> Yes, the rules are processed from the newest to the oldest, as
> seccomp-bpf does with filters.
Cool. If not already mentioned, that should end up in the docs somewhere.
>>> + if (copy_from_user(&bpf_fd, user_bpf_fd, sizeof(bpf_fd)))
>>> + return -EFAULT;
>>
>> I think this can just be get_user()?
>
> Yes, I didn't know about that.
No worries. It's nice for small things. :)
>>> + prog = bpf_prog_get(bpf_fd);
>>> + if (IS_ERR(prog))
>>> + return PTR_ERR(prog);
>>> +
>>> + /*
>>> + * We don't need to lock anything for the current process hierarchy,
>>> + * everything is guarded by the atomic counters.
>>> + */
>>> + new_events = landlock_append_prog(current->seccomp.landlock_events,
>>> + prog);
>>> + /* @prog is managed/freed by landlock_append_prog() */
>>
>> Does kmemcheck notice this "leak"? (i.e. is further annotation needed?)
>
> I didn't enable kmemcheck, I will take a look at it.
Yeah, I'd turn on at least these while you're testing:
CONFIG_PROVE_LOCKING=y
CONFIG_DEBUG_ATOMIC_SLEEP=y
CONFIG_DEBUG_KMEMLEAK=y
I'm sure people will suggest more, too. :)
-Kees
--
Kees Cook
Pixel Security
next prev parent reply other threads:[~2017-04-18 23:48 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-28 23:46 [PATCH net-next v6 00/11] Landlock LSM: Toward unprivileged sandboxing Mickaël Salaün
2017-03-28 23:46 ` [PATCH net-next v6 01/11] bpf: Add eBPF program subtype and is_valid_subtype() verifier Mickaël Salaün
2017-03-29 13:48 ` kbuild test robot
2017-04-18 21:48 ` Kees Cook
2017-03-28 23:46 ` [PATCH net-next v6 02/11] bpf,landlock: Define an eBPF program type for Landlock Mickaël Salaün
2017-04-16 21:57 ` Mickaël Salaün
2017-04-18 21:58 ` Kees Cook
2017-03-28 23:46 ` [PATCH net-next v6 03/11] bpf: Define handle_fs and add a new helper bpf_handle_fs_get_mode() Mickaël Salaün
2017-03-28 23:46 ` [PATCH net-next v6 04/11] landlock: Add LSM hooks related to filesystem Mickaël Salaün
2017-03-29 15:18 ` kbuild test robot
2017-04-18 22:17 ` Kees Cook
2017-04-18 22:44 ` Mickaël Salaün
2017-04-18 23:16 ` Casey Schaufler
2017-04-18 23:40 ` Kees Cook
2017-04-19 22:03 ` Mickaël Salaün
2017-04-19 23:58 ` [kernel-hardening] " Casey Schaufler
2017-04-20 1:48 ` Kees Cook
2017-04-18 23:39 ` Kees Cook
2017-03-28 23:46 ` [PATCH net-next v6 05/11] seccomp: Split put_seccomp_filter() with put_seccomp() Mickaël Salaün
2017-04-18 22:23 ` Kees Cook
2017-04-18 22:47 ` Mickaël Salaün
2017-04-19 22:18 ` Mickaël Salaün
2017-04-20 1:54 ` Kees Cook
2017-03-28 23:46 ` [PATCH net-next v6 06/11] seccomp,landlock: Handle Landlock events per process hierarchy Mickaël Salaün
2017-03-29 10:35 ` [kernel-hardening] " Djalal Harouni
2017-03-31 21:15 ` Mickaël Salaün
2017-04-18 22:54 ` Kees Cook
2017-04-18 22:53 ` Kees Cook
2017-04-18 23:24 ` Mickaël Salaün
2017-04-18 23:48 ` Kees Cook [this message]
2017-03-28 23:46 ` [PATCH net-next v6 07/11] landlock: Add ptrace restrictions Mickaël Salaün
2017-04-10 6:48 ` [kernel-hardening] " Djalal Harouni
2017-04-11 7:19 ` Mickaël Salaün
2017-03-28 23:46 ` [PATCH net-next v6 08/11] bpf: Add a Landlock sandbox example Mickaël Salaün
2017-04-18 23:06 ` Kees Cook
2017-04-18 23:35 ` Mickaël Salaün
2017-03-28 23:46 ` [PATCH net-next v6 09/11] seccomp: Enhance test_harness with an assert step mechanism Mickaël Salaün
2017-04-19 0:02 ` Kees Cook
2017-04-19 21:51 ` Mickaël Salaün
2017-04-19 22:02 ` Kees Cook
2017-04-19 22:05 ` Mickaël Salaün
2017-04-20 1:50 ` Kees Cook
2017-03-28 23:46 ` [PATCH net-next v6 10/11] bpf,landlock: Add tests for Landlock Mickaël Salaün
2017-04-18 23:16 ` Kees Cook
2017-04-18 23:53 ` Mickaël Salaün
2017-04-18 23:59 ` Kees Cook
2017-03-28 23:46 ` [PATCH net-next v6 11/11] landlock: Add user and kernel documentation " Mickaël Salaün
2017-03-29 15:58 ` kbuild test robot
2017-04-18 23:26 ` [PATCH net-next v6 00/11] Landlock LSM: Toward unprivileged sandboxing Kees Cook
2017-04-19 0:12 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAGXu5jJnsHXvvuqfb3Rcw7HvubUEPoNQUmUVuRoc4_hqPpg4WQ@mail.gmail.com \
--to=keescook@chromium.org \
--cc=acme@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=ast@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=corbet@lwn.net \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=drysdale@google.com \
--cc=ebiederm@xmission.com \
--cc=james.l.morris@oracle.com \
--cc=jann@thejh.net \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mic@digikod.net \
--cc=mjg59@srcf.ucam.org \
--cc=mtk.manpages@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sargun@sargun.me \
--cc=serge@hallyn.com \
--cc=shuah@kernel.org \
--cc=tgraf@suug.ch \
--cc=tj@kernel.org \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).