Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <acabbed13c4f02e653879844a9cbddef.squirrel@webmail.greenhost.nl>
Date: Thu, 24 May 2012 19:54:50 +0200
From: "Indan Zupancic" <indan@....nu>
To: "Will Drewry" <wad@...omium.org>
Cc: linux-kernel@...r.kernel.org,
 mcgrathr@...gle.com,
 hpa@...or.com,
 netdev@...isplace.org,
 linux-security-module@...r.kernel.org,
 kernel-hardening@...ts.openwall.com,
 mingo@...hat.com,
 oleg@...hat.com,
 peterz@...radead.org,
 rdunlap@...otime.net,
 tglx@...utronix.de,
 luto@....edu,
 serge.hallyn@...onical.com,
 pmoore@...hat.com,
 akpm@...ux-foundation.org,
 corbet@....net,
 markus@...omium.org,
 coreyb@...ux.vnet.ibm.com,
 keescook@...omium.org,
 viro@...iv.linux.org.uk,
 jmorris@...ei.org,
 "Will Drewry" <wad@...omium.org>
Subject: Re: [RFC PATCH 1/3] seccomp: Don't allow tracers to abuse RET_TRACE

On Thu, May 24, 2012 18:07, Will Drewry wrote:
> Ensure that consumers of the PTRACE_EVENT_SECCOMP notification
> cannot change the system call number for the traced task
> without it resulting in the system call being skipped.
>
> Traditionally, tracers will set the system call number to
> -1 to skip the system call. This behavior will work as expected
> but the tracer will be unable to remap the system call to a valid
> system call after the seccomp policy has been evaluated.
>
> Signed-off-by: Will Drewry <wad@...omium.org>
> ---
>  kernel/seccomp.c |    4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index ee376be..33f0ad6 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -425,6 +425,10 @@ int __secure_computing(int this_syscall)
>  			 */
>  			if (fatal_signal_pending(current))
>  				break;
> +			/* Skip the system call if the tracer changed it. */
> +			if (this_syscall !=
> +			    syscall_get_nr(current, task_pt_regs(current)))
> +				goto skip;
>  			return 0;
>  		case SECCOMP_RET_ALLOW:
>  			return 0;
> --

This patch doesn't make any sense whatsoever. You can't know why a system
call was blocked by a seccomp filter, assuming it's always because of the
system call number is wrong.

Also, you don't check if an allowed system call is changed into a denied
one, so this doesn't protect against ptracers bypassing seccomp filters.

And one of the main points of PTRACE_EVENT_SECCOMP events was that it's
useful for cases that can't be handled or decided by the seccomp filter.
Then taking away the ability to change the syscall number makes it a lot
less useful.

Either do the seccomp test before or after ptrace, or both, but please
don't introduce ad hoc checks like this.

Greetings,

Indan


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.