On Fri, Oct 9, 2020 at 7:15 PM YiFei Zhu <zhuyifei1999@xxxxxxxxx> wrote: > > From: YiFei Zhu <yifeifz2@xxxxxxxxxxxx> > > SECCOMP_CACHE will only operate on syscalls that do not access > any syscall arguments or instruction pointer. To facilitate > this we need a static analyser to know whether a filter will > return allow regardless of syscall arguments for a given > architecture number / syscall number pair. This is implemented > here with a pseudo-emulator, and stored in a per-filter bitmap. > > In order to build this bitmap at filter attach time, each filter is > emulated for every syscall (under each possible architecture), and > checked for any accesses of struct seccomp_data that are not the "arch" > nor "nr" (syscall) members. If only "arch" and "nr" are examined, and > the program returns allow, then we can be sure that the filter must > return allow independent from syscall arguments. > > Nearly all seccomp filters are built from these cBPF instructions: > > BPF_LD | BPF_W | BPF_ABS > BPF_JMP | BPF_JEQ | BPF_K > BPF_JMP | BPF_JGE | BPF_K > BPF_JMP | BPF_JGT | BPF_K > BPF_JMP | BPF_JSET | BPF_K > BPF_JMP | BPF_JA > BPF_RET | BPF_K > BPF_ALU | BPF_AND | BPF_K > > Each of these instructions are emulated. Any weirdness or loading > from a syscall argument will cause the emulator to bail. > > The emulation is also halted if it reaches a return. In that case, > if it returns an SECCOMP_RET_ALLOW, the syscall is marked as good. > > Emulator structure and comments are from Kees [1] and Jann [2]. > > Emulation is done at attach time. If a filter depends on more > filters, and if the dependee does not guarantee to allow the > syscall, then we skip the emulation of this syscall. > > [1] https://lore.kernel.org/lkml/20200923232923.3142503-5-keescook@xxxxxxxxxxxx/ > [2] https://lore.kernel.org/lkml/CAG48ez1p=dR_2ikKq=xVxkoGg0fYpTBpkhJSv1w-6BG=76PAvw@xxxxxxxxxxxxxx/ [...] > @@ -682,6 +693,150 @@ seccomp_prepare_user_filter(const char __user *user_filter) > return filter; > } > > +#ifdef SECCOMP_ARCH_NATIVE > +/** > + * seccomp_is_const_allow - check if filter is constant allow with given data > + * @fprog: The BPF programs > + * @sd: The seccomp data to check against, only syscall number are arch > + * number are considered constant. nit: s/syscall number are arch number/syscall number and arch number/ > + */ > +static bool seccomp_is_const_allow(struct sock_fprog_kern *fprog, > + struct seccomp_data *sd) > +{ > + unsigned int insns; > + unsigned int reg_value = 0; > + unsigned int pc; > + bool op_res; > + > + if (WARN_ON_ONCE(!fprog)) > + return false; > + > + insns = bpf_classic_proglen(fprog); bpf_classic_proglen() is defined as: #define bpf_classic_proglen(fprog) (fprog->len * sizeof(fprog->filter[0])) so this is wrong - what you want is the number of instructions in the program, what you actually have is the size of the program in bytes. Please instead check for `pc < fprog->len` in the loop condition. > + for (pc = 0; pc < insns; pc++) { > + struct sock_filter *insn = &fprog->filter[pc]; > + u16 code = insn->code; > + u32 k = insn->k; [...] > + } > + > + /* ran off the end of the filter?! */ > + WARN_ON(1); > + return false; > +}
