On Thu, Sep 24, 2020 at 04:46:05PM -0400, Paul Moore wrote: > On Thu, Sep 24, 2020 at 3:52 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote: > > On Thu, Sep 24, 2020 at 11:28:55AM -0400, Paul Moore wrote: > > > On Thu, Sep 24, 2020 at 3:46 AM Kees Cook <keescook@xxxxxxxxxxxx> wrote: > > > > On Thu, Sep 24, 2020 at 01:47:47AM +0200, Jann Horn wrote: > > > > > On Thu, Sep 24, 2020 at 1:29 AM Kees Cook <keescook@xxxxxxxxxxxx> wrote: > > > > > > This emulates absolutely the most basic seccomp filters to figure out > > > > > > if they will always give the same results for a given arch/nr combo. > > > > > > > > > > > > Nearly all seccomp filters are built from the following ops: > > > > > > > > > > > > BPF_LD | BPF_W | BPF_ABS > > > > > > BPF_JMP | BPF_JEQ | BPF_K > > > > > > BPF_JMP | BPF_JGE | BPF_K > > > > > > BPF_JMP | BPF_JGT | BPF_K > > > > > > BPF_JMP | BPF_JSET | BPF_K > > > > > > BPF_JMP | BPF_JA > > > > > > BPF_RET | BPF_K > > > > > > > > > > > > These are now emulated to check for accesses beyond seccomp_data::arch > > > > > > or unknown instructions. > > > > > > > > > > > > Not yet implemented are: > > > > > > > > > > > > BPF_ALU | BPF_AND (generated by libseccomp and Chrome) > > > > > > > > > > BPF_AND is normally only used on syscall arguments, not on the syscall > > > > > number or the architecture, right? And when a syscall argument is > > > > > loaded, we abort execution anyway. So I think there is no need to > > > > > implement those? > > > > > > > > Is that right? I can't actually tell what libseccomp is doing with > > > > ALU|AND. It looks like it's using it for building jump lists? > > > > > > There is an ALU|AND op in the jump resolution code, but that is really > > > just if libseccomp needs to fixup the accumulator because a code block > > > is expecting a masked value (right now that would only be a syscall > > > argument, not the syscall number itself). > > > > > > > Paul, Tom, under what cases does libseccomp emit ALU|AND into filters? > > > > > > Presently the only place where libseccomp uses ALU|AND is when the > > > masked equality comparison is used for comparing syscall arguments > > > (SCMP_CMP_MASKED_EQ). I can't honestly say I have any good > > > information about how often that is used by libseccomp callers, but if > > > I do a quick search on GitHub for "SCMP_CMP_MASKED_EQ" I see 2k worth > > > of code hits; take that for whatever it is worth. Tom may have some > > > more/better information. > > > > > > Of course no promises on future use :) As one quick example, I keep > > > thinking about adding the instruction pointer to the list of things > > > that can be compared as part of a libseccomp rule, and if we do that I > > > would expect that we would want to also allow a masked comparison (and > > > utilize another ALU|AND bpf op there). However, I'm not sure how > > > useful that would be in practice. > > > > Okay, cool. Thanks for checking on that. It sounds like the arg-less > > bitmap optimization can continue to ignore ALU|AND for now. :) > > What's really the worst that could happen anyways? (/me ducks) The > worst case is the filter falls back to the current performance levels > right? Worse case for adding complexity to verifier is the bitmaps can be tricked into a bad state, but I've tried to design this so that it can only fail toward just running the filter. :) -- Kees Cook
