From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932154AbbFDSMM (ORCPT ); Thu, 4 Jun 2015 14:12:12 -0400 Received: from mail-vn0-f49.google.com ([209.85.216.49]:43125 "EHLO mail-vn0-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752330AbbFDSMI (ORCPT ); Thu, 4 Jun 2015 14:12:08 -0400 MIME-Version: 1.0 In-Reply-To: <20150604171501.GI3160@smitten> References: <1433369396-13360-1-git-send-email-tycho.andersen@canonical.com> <20150604171501.GI3160@smitten> Date: Thu, 4 Jun 2015 11:12:07 -0700 X-Google-Sender-Auth: 3kSvTpi1tHE3sB6ex0wWkJIjpcQ Message-ID: Subject: Re: [PATCH v2] seccomp: add ptrace options for suspend/resume From: Kees Cook To: Tycho Andersen Cc: LKML , Linux API , Andy Lutomirski , Will Drewry , Roland McGrath , Oleg Nesterov , Pavel Emelyanov , "Serge E. Hallyn" Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jun 4, 2015 at 10:15 AM, Tycho Andersen wrote: > On Thu, Jun 04, 2015 at 09:44:36AM -0700, Kees Cook wrote: >> On Wed, Jun 3, 2015 at 3:09 PM, Tycho Andersen >> wrote: >> > This patch is the first step in enabling checkpoint/restore of processes >> > with seccomp enabled. >> > >> > One of the things CRIU does while dumping tasks is inject code into them >> > via ptrace to collect information that is only available to the process >> > itself. However, if we are in a seccomp mode where these processes are >> > prohibited from making these syscalls, then what CRIU does kills the task. >> > >> > This patch adds a new ptrace option, PTRACE_O_SUSPEND_SECCOMP, that enables >> > a task from the init user namespace which has CAP_SYS_ADMIN and no seccomp >> > filters to disable (and re-enable) seccomp filters for another task so that >> > they can be successfully dumped (and restored). We restrict the set of >> > processes that can disable seccomp through ptrace because although today >> > ptrace can be used to bypass seccomp, there is some discussion of closing >> > this loophole in the future and we would like this patch to not depend on >> > that behavior and be future proofed for when it is removed. >> > >> > Note that seccomp can be suspended before any filters are actually >> > installed; this behavior is useful on criu restore, so that we can suspend >> > seccomp, restore the filters, unmap our restore code from the restored >> > process' address space, and then resume the task by detaching and have the >> > filters resumed as well. >> > >> > v2 changes: >> > >> > * require that the tracer have no seccomp filters installed >> > * drop TIF_NOTSC manipulation from the patch >> > * change from ptrace command to a ptrace option and use this ptrace option >> > as the flag to check. This means that as soon as the tracer >> > detaches/dies, seccomp is re-enabled and as a corrollary that one can not >> > disable seccomp across PTRACE_ATTACHs. >> >> This feature gives me the creeps, but I think it's okay. > > :D > >> Could it be >> further restricted so that the process doing the suspension is already >> ptracing the target? > > As far as I understand it you do have to PTRACE_{ATTACH,SEIZE} to the > target before setting options in general. Is that not what you mean > here? Ah, true, yes. Okay, ignore me. I was thinking about the mechanism for setting the flag wrong. :) -Kees > > The rest of the changes sound good, I'll make those and resend. > >> >> Thanks for working on this! > > Thanks for the review. > > Tycho -- Kees Cook Chrome OS Security