On Tue, May 19, 2020 at 12:48:46PM +1000, Aleksa Sarai wrote: > On 2020-05-19, Jann Horn <jannh@xxxxxxxxxx> wrote: > > On Mon, May 18, 2020 at 11:05 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote: > > > ## deep argument inspection > > > > > > Background: seccomp users would like to write filters that traverse > > > the user pointers passed into many syscalls, but seccomp can't do this > > > dereference for a variety of reasons (mostly involving race conditions and > > > rearchitecting the entire kernel syscall and copy_from_user() code flows). > > > > Also, other than for syscall entry, it might be worth thinking about > > whether we want to have a special hook into seccomp for io_uring. > > io_uring is growing support for more and more syscalls, including > > things like openat2, connect, sendmsg, splice and so on, and that list > > is probably just going to grow in the future. If people start wanting > > to use io_uring in software with seccomp filters, it might be > > necessary to come up with some mechanism to prevent io_uring from > > permitting access to almost everything else... > > > > Probably not a big priority for now, but something to keep in mind for > > the future. > > Indeed. Quite a few people have raised concerns about io_uring and its > debug-ability, but I agree that another less-commonly-mentioned concern > should be how you restrict io_uring(2) from doing operations you've > disallowed through seccomp. Though obviously user_notif shouldn't be > allowed. :D As soon as you switch kernels to an io_uring supported kernel while maintaing a blacklist without updating all your seccomp filters you're currently hosed (Yes, blacklists aren't great but they have their uses.). Christian
