Re: [PATCH v10 05/11] seccomp: add system call filtering using BPF
- Subject: Re: [PATCH v10 05/11] seccomp: add system call filtering using BPF
- From: "H. Peter Anvin" <hpa@xxxxxxxxx>
- Date: Wed, 22 Feb 2012 11:53:42 -0800
- Cc: Indan Zupancic <indan@xxxxxx>, linux-kernel@xxxxxxxxxxxxxxx, linux-arch@xxxxxxxxxxxxxxx, linux-doc@xxxxxxxxxxxxxxx, kernel-hardening@xxxxxxxxxxxxxxxxxx, netdev@xxxxxxxxxxxxxxx, x86@xxxxxxxxxx, arnd@xxxxxxxx, davem@xxxxxxxxxxxxx, mingo@xxxxxxxxxx, oleg@xxxxxxxxxx, peterz@xxxxxxxxxxxxx, rdunlap@xxxxxxxxxxxx, mcgrathr@xxxxxxxxxxxx, tglx@xxxxxxxxxxxxx, luto@xxxxxxx, eparis@xxxxxxxxxx, serge.hallyn@xxxxxxxxxxxxx, djm@xxxxxxxxxxx, scarybeasts@xxxxxxxxx, pmoore@xxxxxxxxxx, akpm@xxxxxxxxxxxxxxxxxxxx, corbet@xxxxxxx, eric.dumazet@xxxxxxxxx, markus@xxxxxxxxxxxx, keescook@xxxxxxxxxxxx
- In-reply-to: <CABqD9hYTLNrQKzYiRV6yN-z_mYyfPR=3W1P6nC+VmYmFGE1vQg@mail.gmail.com>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20120131 Thunderbird/10.0
On 02/22/2012 11:47 AM, Will Drewry wrote:
>>
>> I highly disagree with every filter having to check the mode: Filters that
>> don't check the arch on e.g. x86 are buggy, so they have to check it, even
>> if it's a 32-bit or 64-bit only system, the filters can't know that and
>> need to check the arch at every syscall entry. All other info in the data
>> depends on the arch; because of this there isn't much code to share between
>> the two archs, so you can as well have one filter for each arch.
>>
>> Alternative approach: Tell the arch at filter install time and only run the
>> filters with the same arch as the current system call. If no filters are run,
>> deny the system call.
>
> This was roughly how I first implemented compat and non-compat
> support. It causes some implicit behavior across inheritance that is
> not nice though.
>
This is trivially doable at the BPF level, right? Just make this the
first instruction in the program (either deny or jump to a separate
program branch)... and then there is still "one program" without any
weird inheritance issues?
-hpa
--
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel. I don't speak on their behalf.
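The "first instruction checks the arch" layout hpa describes, as an added illustration rather than code from the patch series or from either poster: the filter loads `arch` from `seccomp_data` before anything else, kills on a mismatch (a second arch branch would replace that kill with a jump), and only then looks at the syscall number. A small user-space interpreter for the three cBPF opcodes used lets the program be checked against constructed entries without installing it; the x86-64 arch value and the three allowed syscalls are assumptions for the example.

```c
#include <stddef.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Instruction 0 loads the arch; a mismatch falls into the kill at 2 and
 * the native (x86-64, an assumption) branch starts at 3. */
static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_read, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_write, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
};
#define FILTER_LEN (sizeof filter / sizeof filter[0])

/* User-space interpreter for the three cBPF opcodes used above, so the
 * program can be checked against a constructed seccomp_data; any other
 * opcode fails closed. */
static __u32 run_filter(const struct seccomp_data *d)
{
    __u32 acc = 0;
    for (size_t pc = 0; pc < FILTER_LEN; pc++) {
        const struct sock_filter *i = &filter[pc];
        if (i->code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const char *)d + i->k, sizeof acc);
        else if (i->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == i->k) ? i->jt : i->jf;   /* skip count; pc++ follows */
        else if (i->code == (BPF_RET | BPF_K))
            return i->k;
        else
            return SECCOMP_RET_KILL;
    }
    return SECCOMP_RET_KILL;
}

/* Real installation (not exercised here): no_new_privs must be set first. */
int install_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)FILTER_LEN, .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```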