On 04/10/2016 01:46, Kees Cook wrote:
> On Wed, Sep 14, 2016 at 6:19 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
>> On Wed, Sep 14, 2016 at 3:14 PM, Mickaël Salaün <mic@xxxxxxxxxxx> wrote:
>>>
>>> On 14/09/2016 20:29, Andy Lutomirski wrote:
>>>> On Wed, Sep 14, 2016 at 12:24 AM, Mickaël Salaün <mic@xxxxxxxxxxx> wrote:
>>>>> This third origin of hook call should cover all possible trigger paths
>>>>> (e.g. page fault). Landlock eBPF programs can then take decisions
>>>>> accordingly.
>>>>>
>>>>> Signed-off-by: Mickaël Salaün <mic@xxxxxxxxxxx>
>>>>> Cc: Alexei Starovoitov <ast@xxxxxxxxxx>
>>>>> Cc: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
>>>>> Cc: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
>>>>> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
>>>>> ---
>>>>
>>>>
>>>>>
>>>>> + if (unlikely(in_interrupt())) {
>>>>
>>>> IMO security hooks have no business being called from interrupts.
>>>> Aren't they all synchronous things done by tasks? Interrupts are
>>>> driver things.
>>>>
>>>> Are you trying to check for page faults and such?
>>>
>>> Yes, that was the idea you did put in my mind. Not sure how to deal with
>>> this.
>>>
>>
>> It's not so easy, unfortunately. The easiest reliable way might be to
>> set a TS_ flag on all syscall entries when TIF_SECCOMP or similar is
>> set.
>
> For making this series smaller, let's leave the idea idea of interrupt
> hooks out -- the intention is for stricter syscall filtering, yes?
>
> Once things are more well established and there's a use-case for this,
> it can be added back in.
Right, I'm no more convinced it's worth it.
Attachment:
signature.asc
Description: OpenPGP digital signature
