Re: [PATCH v12 07/13] seccomp: add SECCOMP_RET_ERRNO

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



----- Original message -----
> On Fri, Mar 2, 2012 at 12:24 PM, Serge E. Hallyn <serge@xxxxxxxxxx>
> wrote:
> > Quoting Will Drewry (wad@xxxxxxxxxxxx):
> > > This change adds the SECCOMP_RET_ERRNO as a valid return value from a
> > > seccomp filter.  Additionally, it makes the first use of the lower
> > > 16-bits for storing a filter-supplied errno.  16-bits is more than
> > > enough for the errno-base.h calls.
> > > 
> > > Returning errors instead of immediately terminating processes that
> > > violate seccomp policy allow for broader use of this functionality
> > > for kernel attack surface reduction.  For example, a linux container
> > > could maintain a whitelist of pre-existing system calls but drop
> > > all new ones with errnos.  This would keep a logically static attack
> > > surface while providing errnos that may allow for graceful failure
> > > without the downside of do_exit() on a bad call.
> > > 
> > > v12: - move to WARN_ON if filter is NULL
> > >        (oleg@xxxxxxxxxx, luto@xxxxxxx, keescook@xxxxxxxxxxxx)
> > >      - return immediately for filter==NULL (keescook@xxxxxxxxxxxx)
> > >      - change evaluation to only compare the ACTION so that layered
> > >        errnos don't result in the lowest one being returned.
> > >        (keeschook@xxxxxxxxxxxx)
> > > v11: - check for NULL filter (keescook@xxxxxxxxxxxx)
> > > v10: - change loaders to fn
> > >  v9: - n/a
> > >  v8: - update Kconfig to note new need for syscall_set_return_value.
> > >      - reordered such that TRAP behavior follows on later.
> > >      - made the for loop a little less indent-y
> > >  v7: - introduced
> > > 
> > > Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
> > > Signed-off-by: Will Drewry <wad@xxxxxxxxxxxx>
> > 
> > Clever :)
> > 
> > Thanks, Will.
> > 
> > For patches 1-7,
> > 
> > Acked-by: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx>
> 
> Thanks!
> 
> > The -1 return value from __secure_computing_int() seems like it
> > could stand  #define, like
> > 
> > #define SECCOMP_DONTRUN -1
> > #define SECCOMP_RUN 0
> > 
> > or something Maybe not, but -1 always scares me and I had to look back
> > and forth a few times to make sure it was doing what I would want.
> 
> Works for me.   The -1 just matches what syscall emulation, etc does on
> x86.   I'll add this to the tweaks for v14.
> 
> Thanks!

Well, in that case maybe it's not worth it.  Sounds
like ignorance on my part.

thanks,
-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-doc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]     [Linux Resources]

  Powered by Linux