Hey Tycho! On 08/09/2017 03:22 PM, Tycho Andersen wrote: > On Wed, Aug 09, 2017 at 12:01:53PM -0700, Kees Cook wrote: >> This series is the result of Fabricio and I going around a few times >> on possible solutions for finding a way to enhance RET_KILL to kill >> the process group. There's a lot of ways this could be done, but I >> wanted something that felt cleanest. As it happens, Tyler's recent >> patch series for logging improvement also needs to know a litte bit >> more during filter runs, and the solution for both is to pass back >> the matched filter. This lets us examine it here for RET_KILL and >> in the future for logging changes. >> >> The filter passing is patch 1, the new flag for RET_KILL is patch 2. >> Some test refactoring is in patch 3 for the RET_DATA ordering, and >> patch 4 is the test for the new RET_KILL flag. >> >> One thing missing is that CRIU will likely need to be updated, since >> saving/restoring seccomp filter _rules_ will not include the filter >> _flags_ for a process. This can be addressed separately. > > Thanks for the heads up, I suppose PTRACE_SECCOMP_GET_FLAGS similar to > how PTRACE_SECCOMP_GET_FILTER works will be fine for this. One > question is: would we then also need to keep track of the TSYNC flag? > I don't think CRIU needs this to be correct, and we can grab the > KILL_PROCESS flag from filter->kill_process, so perhaps it's moot. Note that the logging changes that I'm working on also introduce a new filter flag (as Kees mentioned above). My filter flag is a lot like the KILL_PROCESS filter flag in that it is stored as a member of the seccomp_filter struct. I would think that you'd want to be able to do something like PTRACE_SECCOMP_GET_FILTER to (hopefully) future proof CRIU against all newly added filter flags. I'll also mention that I have a libseccomp branch in the making that allows libseccomp to query the kernel to see if it supports a given filter flag. I haven't done a PR on that yet because I'm waiting to see how my related kernel patches play out (they seem to be getting close to being acceptable). Tyler > > Anyway, happy to do this and the userspace part when this lands. > > Cheers, > > Tycho > >> Please take a look! >> >> Thanks, >> >> -Kees >> >> v3: >> - adjust seccomp_run_filters() to avoid later filters from masking >> kill-process RET_KILL actions (drewry) >> - add test for masked RET_KILL. >> >> v2: >> - moved kill_process bool into struct padding gap (tyhicks) >> - improved comments/docs in various places for clarify (tyhicks) >> - use ASSERT_TRUE() for WIFEXITED and WIFSIGNALLED (tyhicks) >> - adding Reviewed-bys from tyhicks >>
Attachment:
signature.asc
Description: OpenPGP digital signature
