[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v6 2/3] seccomp_filters: system call filtering using BPF



Quoting Will Drewry (wad@xxxxxxxxxxxx):
> [This patch depends on luto@xxxxxxx's no_new_privs patch:
>  https://lkml.org/lkml/2012/1/12/446
> ]
> 
> This patch adds support for seccomp mode 2.  This mode enables dynamic
> enforcement of system call filtering policy in the kernel as specified
> by a userland task.  The policy is expressed in terms of a Berkeley
> Packet Filter program, as is used for userland-exposed socket filtering.
> Instead of network data, the BPF program is evaluated over struct
> seccomp_filter_data at the time of the system call.
> 
> A filter program may be installed by a userland task by calling
>   prctl(PR_ATTACH_SECCOMP_FILTER, &fprog);
> where fprog is of type struct sock_fprog.
> 
> If the first filter program allows subsequent prctl(2) calls, then
> additional filter programs may be attached.  All attached programs
> must be evaluated before a system call will be allowed to proceed.
> 
> To avoid CONFIG_COMPAT related landmines, once a filter program is
> installed using specific is_compat_task() value, it is not allowed to
> make system calls using the alternate entry point.
> 
> Filter programs will be inherited across fork/clone and execve, however
> the installation of filters must be preceded by setting 'no_new_privs'
> to ensure that unprivileged tasks cannot attach filters that affect
> privileged tasks (e.g., setuid binary).  Tasks with CAP_SYS_ADMIN
> in their namespace may install inheritable filters without setting
> the no_new_privs bit.
> 
> There are a number of benefits to this approach. A few of which are
> as follows:
> - BPF has been exposed to userland for a long time.
> - Userland already knows its ABI: system call numbers and desired
>   arguments
> - No time-of-check-time-of-use vulnerable data accesses are possible.
> - system call arguments are loaded on demand only to minimize copying
>   required for system call number-only policy decisions.
> 
> This patch includes its own BPF evaluator, but relies on the
> net/core/filter.c BPF checking code.  It is possible to share
> evaluators, but the performance sensitive nature of the network
> filtering path makes it an iterative optimization which (I think :) can
> be tackled separately via separate patchsets. (And at some point sharing
> BPF JIT code!)
> 
>  v6: - fix memory leak on attach compat check failure
>      - require no_new_privs || CAP_SYS_ADMIN prior to filter
>        installation. (luto@xxxxxxx)
>      - s/seccomp_struct_/seccomp_/ for macros/functions
>        (amwang@xxxxxxxxxx)
>      - cleaned up Kconfig (amwang@xxxxxxxxxx)
>      - on block, note if the call was compat (so the # means something)
>  v5: - uses syscall_get_arguments
>        (indan@xxxxxx,oleg@xxxxxxxxxx, mcgrathr@xxxxxxxxxxxx)
>      - uses union-based arg storage with hi/lo struct to
>        handle endianness.  Compromises between the two alternate
>        proposals to minimize extra arg shuffling and account for
>        endianness assuming userspace uses offsetof().
>        (mcgrathr@xxxxxxxxxxxx, indan@xxxxxx)
>      - update Kconfig description
>      - add include/seccomp_filter.h and add its installation
>      - (naive) on-demand syscall argument loading
>      - drop seccomp_t (eparis@xxxxxxxxxx)
>  v4: - adjusted prctl to make room for PR_[SG]ET_NO_NEW_PRIVS
>      - now uses current->no_new_privs
>          (luto@xxxxxxx,torvalds@xxxxxxxxxxxxxxxxxxxx)
>      - assign names to seccomp modes (rdunlap@xxxxxxxxxxxx)
>      - fix style issues (rdunlap@xxxxxxxxxxxx)
>      - reworded Kconfig entry (rdunlap@xxxxxxxxxxxx)
>  v3: - macros to inline (oleg@xxxxxxxxxx)
>      - init_task behavior fixed (oleg@xxxxxxxxxx)
>      - drop creator entry and extra NULL check (oleg@xxxxxxxxxx)
>      - alloc returns -EINVAL on bad sizing (serge.hallyn@xxxxxxxxxxxxx)
>      - adds tentative use of "always_unprivileged" as per
>        torvalds@xxxxxxxxxxxxxxxxxxxx and luto@xxxxxxx
>  v2: - (patch 2 only)
> 
> Signed-off-by: Will Drewry <wad@xxxxxxxxxxxx>

Hi Will,

as far as I can tell based on changelog I suspect you could have
kept my Acked-by (from v3?).  However, I'll wait until your next
submission (as I see there were a few change requests), and do a
final complete new review of that.

Thanks for continuing to push on this.

-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Fedora Maintainers]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]

Powered by Linux