On Thu, Feb 2, 2012 at 7:32 AM, Serge E. Hallyn <serge.hallyn@xxxxxxxxxxxxx> wrote: > Quoting Will Drewry (wad@xxxxxxxxxxxx): >> [This patch depends on luto@xxxxxxx's no_new_privs patch: >> https://lkml.org/lkml/2012/1/12/446 >> ] >> >> This patch adds support for seccomp mode 2. This mode enables dynamic >> enforcement of system call filtering policy in the kernel as specified >> by a userland task. The policy is expressed in terms of a Berkeley >> Packet Filter program, as is used for userland-exposed socket filtering. >> Instead of network data, the BPF program is evaluated over struct >> seccomp_filter_data at the time of the system call. >> >> A filter program may be installed by a userland task by calling >> prctl(PR_ATTACH_SECCOMP_FILTER, &fprog); >> where fprog is of type struct sock_fprog. >> >> If the first filter program allows subsequent prctl(2) calls, then >> additional filter programs may be attached. All attached programs >> must be evaluated before a system call will be allowed to proceed. >> >> To avoid CONFIG_COMPAT related landmines, once a filter program is >> installed using specific is_compat_task() value, it is not allowed to >> make system calls using the alternate entry point. >> >> Filter programs will be inherited across fork/clone and execve, however >> the installation of filters must be preceded by setting 'no_new_privs' >> to ensure that unprivileged tasks cannot attach filters that affect >> privileged tasks (e.g., setuid binary). Tasks with CAP_SYS_ADMIN >> in their namespace may install inheritable filters without setting >> the no_new_privs bit. >> >> There are a number of benefits to this approach. A few of which are >> as follows: >> - BPF has been exposed to userland for a long time. >> - Userland already knows its ABI: system call numbers and desired >> arguments >> - No time-of-check-time-of-use vulnerable data accesses are possible. >> - system call arguments are loaded on demand only to minimize copying >> required for system call number-only policy decisions. >> >> This patch includes its own BPF evaluator, but relies on the >> net/core/filter.c BPF checking code. It is possible to share >> evaluators, but the performance sensitive nature of the network >> filtering path makes it an iterative optimization which (I think :) can >> be tackled separately via separate patchsets. (And at some point sharing >> BPF JIT code!) >> >> v6: - fix memory leak on attach compat check failure >> - require no_new_privs || CAP_SYS_ADMIN prior to filter >> installation. (luto@xxxxxxx) >> - s/seccomp_struct_/seccomp_/ for macros/functions >> (amwang@xxxxxxxxxx) >> - cleaned up Kconfig (amwang@xxxxxxxxxx) >> - on block, note if the call was compat (so the # means something) >> v5: - uses syscall_get_arguments >> (indan@xxxxxx,oleg@xxxxxxxxxx, mcgrathr@xxxxxxxxxxxx) >> - uses union-based arg storage with hi/lo struct to >> handle endianness. Compromises between the two alternate >> proposals to minimize extra arg shuffling and account for >> endianness assuming userspace uses offsetof(). >> (mcgrathr@xxxxxxxxxxxx, indan@xxxxxx) >> - update Kconfig description >> - add include/seccomp_filter.h and add its installation >> - (naive) on-demand syscall argument loading >> - drop seccomp_t (eparis@xxxxxxxxxx) >> v4: - adjusted prctl to make room for PR_[SG]ET_NO_NEW_PRIVS >> - now uses current->no_new_privs >> (luto@xxxxxxx,torvalds@xxxxxxxxxxxxxxxxxxxx) >> - assign names to seccomp modes (rdunlap@xxxxxxxxxxxx) >> - fix style issues (rdunlap@xxxxxxxxxxxx) >> - reworded Kconfig entry (rdunlap@xxxxxxxxxxxx) >> v3: - macros to inline (oleg@xxxxxxxxxx) >> - init_task behavior fixed (oleg@xxxxxxxxxx) >> - drop creator entry and extra NULL check (oleg@xxxxxxxxxx) >> - alloc returns -EINVAL on bad sizing (serge.hallyn@xxxxxxxxxxxxx) >> - adds tentative use of "always_unprivileged" as per >> torvalds@xxxxxxxxxxxxxxxxxxxx and luto@xxxxxxx >> v2: - (patch 2 only) >> >> Signed-off-by: Will Drewry <wad@xxxxxxxxxxxx> > > Hi Will, > > as far as I can tell based on changelog I suspect you could have > kept my Acked-by (from v3?). However, I'll wait until your next > submission (as I see there were a few change requests), and do a > final complete new review of that. Thanks, Serge! I just failed at the proper protocol and didn't mean to not include your Acked-by. However, I am changing a fair amount of the internals this time around, so I'll be happy to have another full review. > Thanks for continuing to push on this. Definitely! I've been traveling this week, so it's been a bit slow going, but I hope to have the next rev up early next week if not sooner. Cheers! will -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
