From: Kees Cook
Date: Tue, 8 Nov 2016 16:56:54 -0800
Subject: Re: [PATCH 2/2] kernel: Support compiling out the prctl syscall
To: Josh Triplett
Cc: Andrew Morton, Johannes Weiner, Arnd Bergmann, Ingo Molnar,
    Andy Lutomirski, Petr Mladek, Thomas Garnier, Ard Biesheuvel,
    Nicolas Pitre, Zefan Li, Li Bin, "Eric W. Biederman", Dmitry Vyukov,
    Ralf Baechle, Alex Thorlton, Michal Hocko, Mateusz Guzik,
    Cyrill Gorcunov, John Stultz, Al Viro, Zach Brown, Anna Schumaker,
    Dave Hansen, LKML, Linux API
In-Reply-To: <20161109004757.lpbpsdgyzvld7ute@x>

On Tue, Nov 8, 2016 at 4:47 PM, Josh Triplett wrote:
> On Tue, Nov 08, 2016 at 04:40:02PM -0800, Kees Cook wrote:
>> On Tue, Nov 8, 2016 at 4:18 PM, Josh Triplett wrote:
>> > Some embedded systems can do without the prctl syscall, saving some
>> > space.
>> >
>> > This also avoids regular increases in tinyconfig size as people add more
>> > non-optional functionality to prctl (observed via the 0-day kernel
>> > infrastructure).
>> >
>> > bloat-o-meter results:
>> >
>> > add/remove: 0/3 grow/shrink: 0/1 up/down: 0/-2143 (-2143)
>> > function                                     old     new   delta
>> > offsets                                       23      12     -11
>> > prctl_set_auxv                                97       -     -97
>> > sys_prctl                                    794       -    -794
>> > prctl_set_mm                                1241       -   -1241
>> > Total: Before=1902583, After=1900440, chg -0.11%
>> >
>> > Signed-off-by: Josh Triplett
>>
>> I'm absolutely a fan of doing this, but I wonder how this interacts
>> with the LSMs that define prctl hooks, etc. I wouldn't expect a system
>> that didn't want prctl to want an LSM, but maybe the LSMs all need to
>> depend on CONFIG_PRCTL now?
>
> I did think about that (as well as SECCOMP), but I did confirm that the
> kernel builds fine with allyesconfig minus CONFIG_PRCTL. An LSM that
> wants to restrict access to some prctls should be fine with no process
> having any access to prctl. :) Beyond that, anything wanting
> configuration via LSM (such as SECCOMP) still exists and functions, even
> if you can't access it from outside the kernel.

Okay, testing that is good, thanks.

Seccomp can use the seccomp() syscall, so missing prctl isn't a big
deal there. Things like Yama, though, are almost useless in the !PRCTL
case. I think a "depends on PRCTL" should be added at least to Yama.
All the other LSMs are configured in other ways, and they'll just have
some dead code around their prctl hooks; no big deal.

This does also beg the question about how to configure some process
behaviors by default if PRCTL is disabled, but if people want those
things, they can write patches, I would think. :)

-Kees

-- 
Kees Cook
Nexus Security
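
An added example, not part of the original message and not kernel or project code, for the seccomp point in the reply above: a sandboxing launcher probes whether prctl() and seccomp() exist before choosing how to confine itself. It assumes a kernel built without prctl fails the call with ENOSYS, as compiled-out syscalls do; the enum and function names are hypothetical, and euid 0 is only a rough stand-in for holding CAP_SYS_ADMIN.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/seccomp.h>
#ifndef SECCOMP_GET_ACTION_AVAIL
#define SECCOMP_GET_ACTION_AVAIL 2 /* absent from pre-4.14 headers */
#endif

enum iface { IFACE_ABSENT, IFACE_PRESENT };
enum plan { PLAN_NONE, PLAN_LEGACY_PRCTL, PLAN_NNP_THEN_FILTER,
            PLAN_PRIVILEGED_FILTER, PLAN_STRICT_ONLY };

/* Assumption: a compiled-out syscall fails with ENOSYS; any other result means it exists. */
static enum iface classify(long ret, int err)
{
    return (ret == -1 && err == ENOSYS) ? IFACE_ABSENT : IFACE_PRESENT;
}

/* Read-only probes: neither call changes the caller's seccomp state. */
static enum iface probe_prctl(void)
{
    long ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
    return classify(ret, errno);
}
static enum iface probe_seccomp(void)
{
    unsigned int action = SECCOMP_RET_ALLOW;
    long ret = syscall(SYS_seccomp, SECCOMP_GET_ACTION_AVAIL, 0, &action);
    return classify(ret, errno);
}

/* Filter mode needs no_new_privs (set only through prctl) or CAP_SYS_ADMIN; strict mode needs neither. */
static enum plan choose_plan(enum iface prctl_if, enum iface seccomp_if, int cap_sys_admin)
{
    if (seccomp_if == IFACE_ABSENT) /* no seccomp(): only prctl(PR_SET_SECCOMP) is left to try */
        return prctl_if == IFACE_PRESENT ? PLAN_LEGACY_PRCTL : PLAN_NONE;
    if (prctl_if == IFACE_PRESENT)  /* usual path: PR_SET_NO_NEW_PRIVS, then install a filter */
        return PLAN_NNP_THEN_FILTER;
    return cap_sys_admin ? PLAN_PRIVILEGED_FILTER : PLAN_STRICT_ONLY;
}

int main(void)
{
    static const char *const names[] = { "none", "prctl(PR_SET_SECCOMP)",
        "no_new_privs then filter", "filter via CAP_SYS_ADMIN", "strict mode only" };
    puts(names[choose_plan(probe_prctl(), probe_seccomp(), geteuid() == 0)]);
    return 0;
}
```

On a kernel without prctl, an unprivileged process lands on strict mode only, because the no_new_privs bit that unprivileged filter installation requires has no other setter.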