From: Andrew Morton <akpm@linux-foundation•org>
To: Will Drewry <wad@chromium•org>
Cc: linux-kernel@vger•kernel.org,
linux-security-module@vger•kernel.org,
linux-arch@vger•kernel.org, linux-doc@vger•kernel.org,
kernel-hardening@lists•openwall.com, netdev@vger•kernel.org,
x86@kernel•org, arnd@arndb•de, davem@davemloft•net,
hpa@zytor•com, mingo@redhat•com, oleg@redhat•com,
peterz@infradead•org, rdunlap@xenotime•net,
mcgrathr@chromium•org, tglx@linutronix•de, luto@mit•edu,
eparis@redhat•com, serge.hallyn@canonical•com, djm@mindrot•org,
scarybeasts@gmail•com, indan@nul•nu, pmoore@redhat•com,
corbet@lwn•net, eric.dumazet@gmail•com, markus@chromium•org,
coreyb@linux•vnet.ibm.com, keescook@chromium•org,
jmorris@namei•org
Subject: Re: [PATCH v17 10/15] seccomp: add SECCOMP_RET_ERRNO
Date: Fri, 6 Apr 2012 14:19:36 -0700 [thread overview]
Message-ID: <20120406141936.25d68860.akpm@linux-foundation.org> (raw)
In-Reply-To: <1333051320-30872-11-git-send-email-wad@chromium.org>
On Thu, 29 Mar 2012 15:01:55 -0500
Will Drewry <wad@chromium•org> wrote:
> This change adds the SECCOMP_RET_ERRNO as a valid return value from a
> seccomp filter. Additionally, it makes the first use of the lower
> 16-bits for storing a filter-supplied errno. 16-bits is more than
> enough for the errno-base.h calls.
>
> Returning errors instead of immediately terminating processes that
> violate seccomp policy allow for broader use of this functionality
> for kernel attack surface reduction. For example, a linux container
> could maintain a whitelist of pre-existing system calls but drop
> all new ones with errnos. This would keep a logically static attack
> surface while providing errnos that may allow for graceful failure
> without the downside of do_exit() on a bad call.
>
>
> ...
>
> @@ -64,11 +65,17 @@ struct seccomp {
> struct seccomp_filter *filter;
> };
>
> -extern void __secure_computing(int);
> -static inline void secure_computing(int this_syscall)
> +/*
> + * Direct callers to __secure_computing should be updated as
> + * CONFIG_HAVE_ARCH_SECCOMP_FILTER propagates.
Are there any such callers? There's one I see in arm, but it's called
from assembly code.
> + */
> +extern void __secure_computing(int) __deprecated;
> +extern int __secure_computing_int(int);
> +static inline int secure_computing(int this_syscall)
> {
> if (unlikely(test_thread_flag(TIF_SECCOMP)))
> - __secure_computing(this_syscall);
> + return __secure_computing_int(this_syscall);
> + return 0;
> }
>
> ...
>
> void __secure_computing(int this_syscall)
> {
> + /* Filter calls should never use this function. */
> + BUG_ON(current->seccomp.mode == SECCOMP_MODE_FILTER);
> + __secure_computing_int(this_syscall);
> +}
> +
> +int __secure_computing_int(int this_syscall)
What the heck does "_int" mean here? I read it as "integer" but
perhaps it's shorthand for "internal". Give us a better name, please.
Or a code comment.
> +{
> int mode = current->seccomp.mode;
> int exit_sig = 0;
> int *syscall;
> + u32 ret = SECCOMP_RET_KILL;
> + int data;
>
> switch (mode) {
> case SECCOMP_MODE_STRICT:
next prev parent reply other threads:[~2012-04-06 21:19 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-29 20:01 [PATCH v17 00/15] seccomp_filter: BPF-based syscall filtering Will Drewry
2012-03-29 20:01 ` [PATCH v17 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs Will Drewry
2012-04-06 19:49 ` Andrew Morton
2012-04-06 19:55 ` Andy Lutomirski
2012-04-06 20:47 ` Markus Gutschke
2012-04-06 20:54 ` Andrew Lutomirski
2012-04-06 21:04 ` Markus Gutschke
2012-04-06 21:15 ` Andrew Lutomirski
2012-04-06 21:32 ` Markus Gutschke
2012-04-10 19:12 ` Will Drewry
[not found] ` <1333051320-30872-2-git-send-email-wad-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
2012-04-06 19:55 ` Andrew Morton
2012-04-06 20:01 ` Andrew Lutomirski
2012-04-06 20:28 ` Jonathan Corbet
2012-04-06 20:37 ` Andrew Lutomirski
2012-04-11 19:31 ` Michael Kerrisk (man-pages)
2012-04-12 0:15 ` Michael Kerrisk (man-pages)
2012-04-12 0:50 ` Andrew Lutomirski
2012-04-16 19:11 ` Rob Landley
2012-04-10 20:37 ` Rob Landley
2012-04-10 19:03 ` Will Drewry
2012-03-29 20:01 ` [PATCH v17 02/15] Fix apparmor for PR_{GET,SET}_NO_NEW_PRIVS Will Drewry
2012-03-29 20:01 ` [PATCH v17 03/15] sk_run_filter: add BPF_S_ANC_SECCOMP_LD_W Will Drewry
2012-03-29 20:01 ` [PATCH v17 04/15] net/compat.c,linux/filter.h: share compat_sock_fprog Will Drewry
2012-03-29 20:01 ` [PATCH v17 05/15] seccomp: kill the seccomp_t typedef Will Drewry
2012-03-29 20:01 ` [PATCH v17 06/15] arch/x86: add syscall_get_arch to syscall.h Will Drewry
2012-03-29 20:01 ` [PATCH v17 07/15] asm/syscall.h: add syscall_get_arch Will Drewry
2012-04-06 20:05 ` Andrew Morton
2012-04-09 19:24 ` Will Drewry
2012-03-29 20:01 ` [PATCH v17 08/15] seccomp: add system call filtering using BPF Will Drewry
2012-03-31 4:40 ` Vladimir Murzin
2012-03-31 18:14 ` Will Drewry
2012-04-06 20:23 ` Andrew Morton
2012-04-06 20:44 ` Kees Cook
2012-04-06 21:05 ` Andrew Morton
2012-04-06 21:06 ` H. Peter Anvin
2012-04-06 21:09 ` Andrew Morton
2012-04-08 18:22 ` Indan Zupancic
2012-04-09 19:59 ` Will Drewry
2012-04-10 9:48 ` James Morris
2012-04-10 20:00 ` Andrew Morton
2012-04-10 20:16 ` Will Drewry
2012-04-10 10:34 ` Eric Dumazet
2012-04-10 19:54 ` Andrew Morton
2012-04-10 20:15 ` Will Drewry
2012-03-29 20:01 ` [PATCH v17 09/15] seccomp: remove duplicated failure logging Will Drewry
2012-04-06 21:14 ` Andrew Morton
2012-04-09 19:26 ` Will Drewry
2012-04-09 19:32 ` Kees Cook
2012-04-09 19:33 ` Eric Paris
2012-04-09 19:39 ` [kernel-hardening] " Kees Cook
2012-03-29 20:01 ` [PATCH v17 10/15] seccomp: add SECCOMP_RET_ERRNO Will Drewry
2012-04-06 21:19 ` Andrew Morton [this message]
2012-04-09 19:19 ` Will Drewry
2012-03-29 20:01 ` [PATCH v17 11/15] signal, x86: add SIGSYS info and make it synchronous Will Drewry
2012-03-29 20:01 ` [PATCH v17 12/15] seccomp: Add SECCOMP_RET_TRAP Will Drewry
2012-03-29 20:01 ` [PATCH v17 13/15] ptrace,seccomp: Add PTRACE_SECCOMP support Will Drewry
2012-04-06 21:24 ` Andrew Morton
2012-04-09 19:38 ` Will Drewry
2012-03-29 20:01 ` [PATCH v17 14/15] x86: Enable HAVE_ARCH_SECCOMP_FILTER Will Drewry
2012-03-29 20:02 ` [PATCH v17 15/15] Documentation: prctl/seccomp_filter Will Drewry
2012-04-06 21:26 ` Andrew Morton
2012-04-09 19:46 ` Will Drewry
2012-04-09 20:47 ` Markus Gutschke
2012-04-09 20:58 ` Ryan Ware
2012-04-09 22:47 ` Will Drewry
2012-04-10 17:49 ` Ryan Ware
2012-03-29 23:11 ` [PATCH v17 00/15] seccomp_filter: BPF-based syscall filtering James Morris
2012-04-06 21:28 ` Andrew Morton
2012-04-09 3:48 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120406141936.25d68860.akpm@linux-foundation.org \
--to=akpm@linux-foundation$(echo .)org \
--cc=arnd@arndb$(echo .)de \
--cc=corbet@lwn$(echo .)net \
--cc=coreyb@linux$(echo .)vnet.ibm.com \
--cc=davem@davemloft$(echo .)net \
--cc=djm@mindrot$(echo .)org \
--cc=eparis@redhat$(echo .)com \
--cc=eric.dumazet@gmail$(echo .)com \
--cc=hpa@zytor$(echo .)com \
--cc=indan@nul$(echo .)nu \
--cc=jmorris@namei$(echo .)org \
--cc=keescook@chromium$(echo .)org \
--cc=kernel-hardening@lists$(echo .)openwall.com \
--cc=linux-arch@vger$(echo .)kernel.org \
--cc=linux-doc@vger$(echo .)kernel.org \
--cc=linux-kernel@vger$(echo .)kernel.org \
--cc=linux-security-module@vger$(echo .)kernel.org \
--cc=luto@mit$(echo .)edu \
--cc=markus@chromium$(echo .)org \
--cc=mcgrathr@chromium$(echo .)org \
--cc=mingo@redhat$(echo .)com \
--cc=netdev@vger$(echo .)kernel.org \
--cc=oleg@redhat$(echo .)com \
--cc=peterz@infradead$(echo .)org \
--cc=pmoore@redhat$(echo .)com \
--cc=rdunlap@xenotime$(echo .)net \
--cc=scarybeasts@gmail$(echo .)com \
--cc=serge.hallyn@canonical$(echo .)com \
--cc=tglx@linutronix$(echo .)de \
--cc=wad@chromium$(echo .)org \
--cc=x86@kernel$(echo .)org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox