Re: [PATCH 3/7] seccomp_filter: Enable ftrace-based system callfiltering

From: Serge E. Hallyn
Date: Thu Apr 28 2011 - 14:51:36 EST


Quoting Will Drewry (wad@xxxxxxxxxxxx):
> On Thu, Apr 28, 2011 at 12:39 PM, Serge E. Hallyn <serge@xxxxxxxxxx> wrote:
> > Quoting Steven Rostedt (rostedt@xxxxxxxxxxx):
> >> On Thu, 2011-04-28 at 11:55 -0500, Serge E. Hallyn wrote:
> >> > I actually thought you were going to be more extreme about the seccomp
> >> > state than you are:  I thought you were going to tie a filter list to
> >> > seccomp state.  So adding or removing a filter would have required
> >> > duping the seccomp state, duping all the filters, making the change in
> >> > the copy, and then swapping the new state into place.  Slow in the
> >> > hopefully rare update case, but safe.
>
> Hrm, I think I'm confused now! This is exactly what I *thought* the
> code was doing.
>
> At present, seccomp_state can be shared across predecessor/ancestor
> relationships using refcounting in fork.c (get/put). However, the
> only way to change a given seccomp_state or its filters is either
> through the one-bit on_next_syscall change or through
> prctl_set_seccomp. In prctl_set_seccomp, it does:
> state = (orig_state ? seccomp_state_dup(orig_state) :
> seccomp_state_new());
> operates on the new state and then rcu_assign_pointer()s it to the
> task. I didn't intentionally provide any way to drop filters from an
> existing state object nor change the filtered syscalls on an in-use
> object. That _dup call should hit the impromperly rcu_locked
> copy_all_filters returning duplicates of the original filters by
> reparsing the filter_string.
>
> Did I accidentally provide a means to mutate a state object or filter
> list without dup()ing? :/

Ah - probably not, I probably misread your intent for the helpers.

So in that case you don't need to rcu-protect the filters at all
when copying. You just need to inc the seccomp struct refcount
under rcu lock, to make sure it all stays put. Drop rcu lock, take
your time copying, then when you dec the refcount the whole seccomp
struct either gets freed or not.

Excellent.

-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/