On Thu, Sep 24, 2020 at 3:52 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote: > On Thu, Sep 24, 2020 at 11:28:55AM -0400, Paul Moore wrote: > > On Thu, Sep 24, 2020 at 3:46 AM Kees Cook <keescook@xxxxxxxxxxxx> wrote: > > > On Thu, Sep 24, 2020 at 01:47:47AM +0200, Jann Horn wrote: > > > > On Thu, Sep 24, 2020 at 1:29 AM Kees Cook <keescook@xxxxxxxxxxxx> wrote: > > > > > This emulates absolutely the most basic seccomp filters to figure out > > > > > if they will always give the same results for a given arch/nr combo. > > > > > > > > > > Nearly all seccomp filters are built from the following ops: > > > > > > > > > > BPF_LD | BPF_W | BPF_ABS > > > > > BPF_JMP | BPF_JEQ | BPF_K > > > > > BPF_JMP | BPF_JGE | BPF_K > > > > > BPF_JMP | BPF_JGT | BPF_K > > > > > BPF_JMP | BPF_JSET | BPF_K > > > > > BPF_JMP | BPF_JA > > > > > BPF_RET | BPF_K > > > > > > > > > > These are now emulated to check for accesses beyond seccomp_data::arch > > > > > or unknown instructions. > > > > > > > > > > Not yet implemented are: > > > > > > > > > > BPF_ALU | BPF_AND (generated by libseccomp and Chrome) > > > > > > > > BPF_AND is normally only used on syscall arguments, not on the syscall > > > > number or the architecture, right? And when a syscall argument is > > > > loaded, we abort execution anyway. So I think there is no need to > > > > implement those? > > > > > > Is that right? I can't actually tell what libseccomp is doing with > > > ALU|AND. It looks like it's using it for building jump lists? > > > > There is an ALU|AND op in the jump resolution code, but that is really > > just if libseccomp needs to fixup the accumulator because a code block > > is expecting a masked value (right now that would only be a syscall > > argument, not the syscall number itself). > > > > > Paul, Tom, under what cases does libseccomp emit ALU|AND into filters? > > > > Presently the only place where libseccomp uses ALU|AND is when the > > masked equality comparison is used for comparing syscall arguments > > (SCMP_CMP_MASKED_EQ). I can't honestly say I have any good > > information about how often that is used by libseccomp callers, but if > > I do a quick search on GitHub for "SCMP_CMP_MASKED_EQ" I see 2k worth > > of code hits; take that for whatever it is worth. Tom may have some > > more/better information. > > > > Of course no promises on future use :) As one quick example, I keep > > thinking about adding the instruction pointer to the list of things > > that can be compared as part of a libseccomp rule, and if we do that I > > would expect that we would want to also allow a masked comparison (and > > utilize another ALU|AND bpf op there). However, I'm not sure how > > useful that would be in practice. > > Okay, cool. Thanks for checking on that. It sounds like the arg-less > bitmap optimization can continue to ignore ALU|AND for now. :) What's really the worst that could happen anyways? (/me ducks) The worst case is the filter falls back to the current performance levels right? -- paul moore www.paul-moore.com
