On Sat, May 07, 2022 at 02:11:04PM +0200, Christian Brauner wrote: > On Sat, Apr 30, 2022 at 12:34:52PM +0200, Arnd Bergmann wrote: > > On Sat, Apr 30, 2022 at 12:05 PM Huacai Chen <chenhuacai@xxxxxxxxx> wrote: > > > On Sat, Apr 30, 2022 at 5:45 PM Arnd Bergmann <arnd@xxxxxxxx> wrote: > > > > On Sat, Apr 30, 2022 at 11:05 AM Huacai Chen <chenhuacai@xxxxxxxxxxx> wrote: > > > > > > > > > > This patch adds system call support and related uaccess.h for LoongArch. > > > > > > > > > > Q: Why keep __ARCH_WANT_NEW_STAT definition while there is statx: > > > > > A: Until the latest glibc release (2.34), statx is only used for 32-bit > > > > > platforms, or 64-bit platforms with 32-bit timestamp. I.e., Most 64- > > > > > bit platforms still use newstat now. > > > > > > > > > > Q: Why keep _ARCH_WANT_SYS_CLONE definition while there is clone3: > > > > > A: The latest glibc release (2.34) has some basic support for clone3 but > > > > > it isn't complete. E.g., pthread_create() and spawni() have converted > > > > > to use clone3 but fork() will still use clone. Moreover, some seccomp > > > > > related applications can still not work perfectly with clone3. E.g., > > > > > Chromium sandbox cannot work at all and there is no solution for it, > > > > > which is more terrible than the fork() story [1]. > > > > > > > > > > [1] https://chromium-review.googlesource.com/c/chromium/src/+/2936184 > > > > > > > > I still think these have to be removed. There is no mainline glibc or musl > > > > port yet, and neither of them should actually be required. Please remove > > > > them here, and modify your libc patches accordingly when you send those > > > > upstream. > > > > > > If this is just a problem that can be resolved by upgrading > > > glibc/musl, I will remove them. But the Chromium problem (or sandbox > > > problem in general) seems to have no solution now. > > > > I added Christian Brauner to Cc now, maybe he has come across the > > sandbox problem before and has an idea for a solution. > > (I just got back from LSFMM so I'll reply in more detail next week. I'm > still pretty jet-lagged.) Right, I forgot about the EPERM/ENOSYS sandbox thread. Kees and I gave a talk about this problem at LPC 2019 (see [2]). The proposed solutions back then was to add basic deep argument inspection for first-level pointers to seccomp. There are problems with this approach such as not useable on second-level pointers (although we concluded that's ok) and if the input args are very large copying stuff from within seccomp becomes rather costly and in general the various approaches seemed handwavy at the time. If seccomp were to be made to support some basic form of eBPF such that it can still be safely called by unprivileged users then this would likely be easier to do (famous last words) but given that the stance has traditionally bee to not port seccomp it remains a tricky patch. Some time after that I talked to Mathieu Desnoyers about this issue who used another angle of attack. The idea seems less complicated to me. Instead of argument inspection we introduce basic syscall argument checksumming for seccomp. It would only be done when seccomp is interested in syscall input args and checksumming would be per syscall argument. It would be validated within the syscall when it actually reads the arguments; again, only if seccomp is used. If the checksums mismatch an error is returned or the calling process terminated. There's one case that deserves mentioning: since we introduced the seccomp notifier we do allow advanced syscall interception and we do use it extensively in various projects. Roughly, it works by allowing a userspace process (the "supervisor") to listen on a seccomp fd. The seccomp fd is an fd referring to the filter of a target task (the "supervisee"). When the supervisee performs a syscall listed in the seccomp notify filter the supervisor will receive a notification on the seccomp fd for the filter. I mention this because it is possible for the supervisor to e.g. intercept an bpf() system call and then modify/create/attach a bpf program for the supervisee and then update fields in the supervisee's bpf struct that was passed to the bpf() syscall by it. So the supervisor might rewrite syscall args and continue the syscall (In general, it's not recommeneded because of TOCTOU. But still doable in certain scenarios where we can guarantee that this is safe even if syscall args are rewritten to something else by a MIT attack.). Arguably, the checksumming approach could even be made to work with this if the seccomp fd learns a new ioctl() or similar to safely update the checksum. I can try and move a poc for this up the todo list. Without an approach like this certain sandboxes will fallback to ENOSYSing system calls they can't filter. This is a generic problem though with clone3() being one promiment example. [2]: https://www.youtube.com/watch?v=PnOSPsRzVYM&list=PLVsQ_xZBEyN2Ol7y8axxhbTsG47Va3Se2