Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20120229170933.GA6149@redhat.com>
Date: Wed, 29 Feb 2012 18:09:33 +0100
From: Oleg Nesterov <oleg@...hat.com>
To: Will Drewry <wad@...omium.org>
Cc: linux-kernel@...r.kernel.org, linux-arch@...r.kernel.org,
        linux-doc@...r.kernel.org, kernel-hardening@...ts.openwall.com,
        netdev@...r.kernel.org, x86@...nel.org, arnd@...db.de,
        davem@...emloft.net, hpa@...or.com, mingo@...hat.com,
        peterz@...radead.org, rdunlap@...otime.net, mcgrathr@...omium.org,
        tglx@...utronix.de, luto@....edu, eparis@...hat.com,
        serge.hallyn@...onical.com, djm@...drot.org, scarybeasts@...il.com,
        indan@....nu, pmoore@...hat.com, akpm@...ux-foundation.org,
        corbet@....net, eric.dumazet@...il.com, markus@...omium.org,
        coreyb@...ux.vnet.ibm.com, keescook@...omium.org,
        Denys Vlasenko <dvlasenk@...hat.com>
Subject: Re: [PATCH v11 10/12] ptrace,seccomp: Add PTRACE_SECCOMP support

On 02/29, Will Drewry wrote:
> On Wed, Feb 29, 2012 at 10:14 AM, Oleg Nesterov <oleg@...hat.com> wrote:
> > On 02/28, Will Drewry wrote:
> >>
> >> On Tue, Feb 28, 2012 at 11:04 AM, Will Drewry <wad@...omium.org> wrote:
> >> > On Tue, Feb 28, 2012 at 10:43 AM, Oleg Nesterov <oleg@...hat.com> wrote:
> >> >>
> >> >> Great. In this case this patch becomes really trivial. Just 2 defines
> >> >> in ptrace.h and the unconditional ptrace_event() under SECCOMP_RET_TRACE.
> >>
> >> hrm the only snag is that I can't then rely on TIF_SYSCALL_TRACE to
> >> ensure seccomp is in the slow-path.  Right now, on x86, seccomp is
> >> slow-path, but it doesn't have to be to have the syscall and args.
> >> However, for ptrace to behavior properly, I believed it did need to be
> >> in the slow path.  If SECCOMP_RET_TRACE doesn't rely on
> >> PTRACE_SYSCALL, then it introduces a need for seccomp to always be in
> >> the slow path or to flag (somehow) when it needs slow path.
> >
> > My understanding of this magic is very limited, and I'm afraid
> > I misunderstood... So please correct me.
> >
> > But what is the problem? system_call checks _TIF_WORK_SYSCALL_ENTRY
> > which includes _TIF_SECCOMP | _TIF_SYSCALL_TRACE, and jumps to
> > tracesys which does SAVE_REST.
> >
> > Anyway. secure_computing() is called by syscall_trace_enter() which
> > also calls tracehook_report_syscall_entry(). If SECCOMP_RET_TRACE
> > can't do ptrace_event() then why tracehook_report_syscall_entry() is
> > fine?
>
> Early on in this patch series, I was urged away from regviews (for
> many reasons), one of them was so that seccomp could, at some point,
> be fast-path'd like audit is for x86.  (It may be on arm already, I'd
> need to check.)  So I was hoping that I could avoid adding a slow-path
> dependency to the seccomp code.

Thanks, now I see what you meant.

> By adding a requirement for the
> slow-path in the form of ptrace_event(), the difficulty for making
> seccomp fast-path friendly is increased.

Yes. I do not know if this is really bad. I mean, I do not know how
much do we want the fast-path'd seccomp.

> (It could be possible to add
> a return code, e.g., return NEEDS_SLOW_PATH, which tells the fast path
> code to restart the handling at syscall_trace_enter, so maybe I am
> making a big deal out of nothing.)

Probably. Or SECCOMP_RET_TRACE can set TIF_NOTIFY_RESUME.

(Btw there is another alternative although imho PTRACE_EVENT_SECCOMP
 looks better. SECCOMP_RET_TRACE can simply set TIF_SYSCALL_TRACE and
 return, syscall_trace_enter() will report the syscall. If we make it
 fast-path'ed, then TIF_NOTIFY_RESUME should trigger the slow path)

> I was hoping to avoid having TIF_SECCOMP imply the slow-path, but if
> that is the only sane way to integrate, then I can leave making it
> fast-path friendly as a future exercise.
>
> If I'm over-optimizing,

may be ;) but it is very possible I underestimate the problem.

I'd like to know what Roland thinks.

Oleg.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.