Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CABqD9hZLi416irXMMPmysYohrOn1gQjhjDyKTggU80Kd7ywvcA@mail.gmail.com>
Date: Wed, 29 Feb 2012 10:33:35 -0600
From: Will Drewry <wad@...omium.org>
To: Oleg Nesterov <oleg@...hat.com>
Cc: linux-kernel@...r.kernel.org, linux-arch@...r.kernel.org, 
	linux-doc@...r.kernel.org, kernel-hardening@...ts.openwall.com, 
	netdev@...r.kernel.org, x86@...nel.org, arnd@...db.de, davem@...emloft.net, 
	hpa@...or.com, mingo@...hat.com, peterz@...radead.org, rdunlap@...otime.net, 
	mcgrathr@...omium.org, tglx@...utronix.de, luto@....edu, eparis@...hat.com, 
	serge.hallyn@...onical.com, djm@...drot.org, scarybeasts@...il.com, 
	indan@....nu, pmoore@...hat.com, akpm@...ux-foundation.org, corbet@....net, 
	eric.dumazet@...il.com, markus@...omium.org, coreyb@...ux.vnet.ibm.com, 
	keescook@...omium.org, Denys Vlasenko <dvlasenk@...hat.com>
Subject: Re: [PATCH v11 10/12] ptrace,seccomp: Add PTRACE_SECCOMP support

On Wed, Feb 29, 2012 at 10:14 AM, Oleg Nesterov <oleg@...hat.com> wrote:
> On 02/28, Will Drewry wrote:
>>
>> On Tue, Feb 28, 2012 at 11:04 AM, Will Drewry <wad@...omium.org> wrote:
>> > On Tue, Feb 28, 2012 at 10:43 AM, Oleg Nesterov <oleg@...hat.com> wrote:
>> >>
>> >> Great. In this case this patch becomes really trivial. Just 2 defines
>> >> in ptrace.h and the unconditional ptrace_event() under SECCOMP_RET_TRACE.
>>
>> hrm the only snag is that I can't then rely on TIF_SYSCALL_TRACE to
>> ensure seccomp is in the slow-path.  Right now, on x86, seccomp is
>> slow-path, but it doesn't have to be to have the syscall and args.
>> However, for ptrace to behavior properly, I believed it did need to be
>> in the slow path.  If SECCOMP_RET_TRACE doesn't rely on
>> PTRACE_SYSCALL, then it introduces a need for seccomp to always be in
>> the slow path or to flag (somehow) when it needs slow path.
>
> My understanding of this magic is very limited, and I'm afraid
> I misunderstood... So please correct me.
>
> But what is the problem? system_call checks _TIF_WORK_SYSCALL_ENTRY
> which includes _TIF_SECCOMP | _TIF_SYSCALL_TRACE, and jumps to
> tracesys which does SAVE_REST.
>
> Anyway. secure_computing() is called by syscall_trace_enter() which
> also calls tracehook_report_syscall_entry(). If SECCOMP_RET_TRACE
> can't do ptrace_event() then why tracehook_report_syscall_entry() is
> fine?

Early on in this patch series, I was urged away from regviews (for
many reasons), one of them was so that seccomp could, at some point,
be fast-path'd like audit is for x86.  (It may be on arm already, I'd
need to check.)  So I was hoping that I could avoid adding a slow-path
dependency to the seccomp code.

Right now, on x86, you are exactly right: Both seccomp and ptrace take
the slow path as part of _TIF_WORK_SYSCALL_ENTRY, and seccomp is only
called in syscall_trace_enter.  By adding a requirement for the
slow-path in the form of ptrace_event(), the difficulty for making
seccomp fast-path friendly is increased.  (It could be possible to add
a return code, e.g., return NEEDS_SLOW_PATH, which tells the fast path
code to restart the handling at syscall_trace_enter, so maybe I am
making a big deal out of nothing.)

I was hoping to avoid having TIF_SECCOMP imply the slow-path, but if
that is the only sane way to integrate, then I can leave making it
fast-path friendly as a future exercise.

If I'm over-optimizing, just say so, and I'll post the v12 with the
docs updated to indicate that, at present, seccomp filters requires
the slow path.  However, if you see a nice way to avoid the
dependency, I'd love to know!

Thanks!
will

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.