Message-ID: <eab10cc7834be3c720147a6b24769840.squirrel@webmail.greenhost.nl>
Date: Fri, 17 Feb 2012 02:25:55 +0100
From: "Indan Zupancic" <indan@....nu>
To: "Andrew Lutomirski" <luto@....edu>
Cc: "H. Peter Anvin" <hpa@...or.com>,
 "Will Drewry" <wad@...omium.org>,
 linux-kernel@...r.kernel.org,
 linux-arch@...r.kernel.org,
 linux-doc@...r.kernel.org,
 kernel-hardening@...ts.openwall.com,
 netdev@...r.kernel.org,
 x86@...nel.org,
 arnd@...db.de,
 davem@...emloft.net,
 mingo@...hat.com,
 oleg@...hat.com,
 peterz@...radead.org,
 rdunlap@...otime.net,
 mcgrathr@...omium.org,
 tglx@...utronix.de,
 eparis@...hat.com,
 serge.hallyn@...onical.com,
 djm@...drot.org,
 scarybeasts@...il.com,
 pmoore@...hat.com,
 akpm@...ux-foundation.org,
 corbet@....net,
 eric.dumazet@...il.com,
 markus@...omium.org,
 keescook@...omium.org
Subject: Re: [PATCH v8 3/8] seccomp: add system call filtering using BPF

On Fri, February 17, 2012 01:51, Andrew Lutomirski wrote:
> IMO the best solution is to have the One True Seccomp Filter Compiler
> (tm).  It would handle multiple namespaces, cross-arch differences,
> and such, and it would do it correctly.  It could live in the kernel
> tree.

I'm not interested in any such compiler, if I use this BPF thing I'll use
it directly by scanning my syscall table info and converting it to a BPF
filter for the cases where it's possible. This code will be cross-platform,
all the platform dependent info comes from the syscall table.

It seems I'll just build a bitmask telling what to do for each syscall,
with special cases for the few syscalls that can be handled totally within
BPF by checking the arguments.

My total lines of code is 5k now, I'm not going to use a complex thousands
of lines, badly tested, probably buggy compiler just for BPF support.

> Without something like that or an incredible amount of special care,
> actual portability is probably a pipe dream.

The filter programs are already platform dependent because of the syscall
numbers and sometimes args differences. But that is no reason to make it
even less cross-platform.

Your OTSF compiler won't be able to handle different modes other than
adding a check at the start and having totally orthogonal codes for the
different cases. You can as well have separate filters then. Any other
approach dies because of the added complexity or will be a lot slower.

Greetings,

Indan
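Added example (not Indan's code and not from the patch series) of the table-driven approach this message describes: a syscall table is scanned into a classic-BPF seccomp filter that opens with an architecture check, returns allow or kill per syscall number, and handles one syscall entirely inside BPF by checking an argument; a tiny interpreter evaluates the result offline. The struct layout, opcodes and action values mirror the Linux x86_64 UAPI and are assumed here; the table rows and the AF_UNIX-only socket rule are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Struct layout and constants mirror the Linux x86_64 seccomp UAPI (assumed; defined locally). */
struct seccomp_data { int nr; uint32_t arch; uint64_t ip; uint64_t args[6]; };
struct sock_filter { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LD_W_ABS = 0x20, JEQ_K = 0x15, RET_K = 0x06 }; /* BPF_LD|BPF_W|BPF_ABS, BPF_JMP|BPF_JEQ|BPF_K, BPF_RET|BPF_K */
enum { RET_KILL = 0x00000000, RET_ALLOW = 0x7fff0000 }; /* SECCOMP_RET_KILL, SECCOMP_RET_ALLOW */
#define ARCH_X86_64 0xC000003Eu /* AUDIT_ARCH_X86_64 */
#define ARG_LOW(i) (offsetof(struct seccomp_data, args) + 8 * (i)) /* low 32 bits, little-endian host */
/* Constructed syscall table: allow nr outright, or (check_arg) only when args[arg] == val. */
struct sys_entry { uint32_t nr; int check_arg, arg; uint32_t val; };
static const struct sys_entry table[] = { { 0, 0, 0, 0 }, { 1, 0, 0, 0 }, { 231, 0, 0, 0 }, /* read, write, exit_group */
                                          { 41, 1, 0, 1 } }; /* socket: only AF_UNIX (domain 1) */
#define NTABLE (sizeof table / sizeof table[0])
static struct sock_filter prog[4 + 5 * NTABLE + 1]; static size_t nprog;
static void emit(uint16_t c, uint8_t jt, uint8_t jf, uint32_t k) { prog[nprog++] = (struct sock_filter){ c, jt, jf, k }; }

/* Emits: arch check, load nr, one clause per table row, default KILL. Returns the program length. */
size_t build_filter(void) {
    nprog = 0;
    emit(LD_W_ABS, 0, 0, offsetof(struct seccomp_data, arch));
    emit(JEQ_K, 1, 0, ARCH_X86_64); /* foreign arch: fall through to KILL */
    emit(RET_K, 0, 0, RET_KILL);
    emit(LD_W_ABS, 0, 0, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < NTABLE; i++) {
        const struct sys_entry *e = &table[i];
        if (!e->check_arg) { emit(JEQ_K, 0, 1, e->nr); emit(RET_K, 0, 0, RET_ALLOW); continue; }
        /* The matched path clobbers A with the argument but always ends in RET, so the no-match
         * path (jf=4) skips all of it and still holds nr in A for the next clause. */
        emit(JEQ_K, 0, 4, e->nr);
        emit(LD_W_ABS, 0, 0, ARG_LOW(e->arg));
        emit(JEQ_K, 0, 1, e->val);
        emit(RET_K, 0, 0, RET_ALLOW);
        emit(RET_K, 0, 0, RET_KILL);
    }
    emit(RET_K, 0, 0, RET_KILL);
    return nprog;
}

/* Interpreter for the three opcodes used above; returns the seccomp action for one syscall. */
uint32_t run_filter(size_t len, const struct seccomp_data *d) {
    uint32_t a = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        if (in->code == RET_K) return in->k;
        if (in->code == LD_W_ABS) memcpy(&a, (const char *)d + in->k, 4);
        else pc += (a == in->k) ? in->jt : in->jf; /* JEQ_K */
    }
    return RET_KILL;
}
```

Installing the generated program for real would go through the prctl/seccomp interface the patch adds; the interpreter here only lets the filter be checked on a desk before that.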

