Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering usingBPF

From: Indan Zupancic
Date: Tue Jan 17 2012 - 23:47:15 EST

Next message: David Ahern: "Re: [PATCH -tip v4 1/5] perf-script: unify the expressions indicate"unknown""
Previous message: realmz paranoid: "Re: [PATCH] socket-can: bit-timing calculation"
In reply to: Will Drewry: "Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF"
Next in thread: Oleg Nesterov: "Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering usingBPF"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, January 17, 2012 21:42, Will Drewry wrote:
> On Tue, Jan 17, 2012 at 2:34 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>> If this turns out to be expensive, it might be possible to break it up
>> and load the arguments on demand (and cache them); i.e. have
>> load_pointer() or similar notice when it is about to access something
>> other than bpf_data.syscall_nr.
>
> Makes perfect sense! In theory (as a few other people pointed this
> out off list), it is entirely possible to never populate any data for
> load_pointer except an optional cache. Just provide a custom
> load_pointer that knows to take the offset return the syscall nr or
> the args or some slice of the returned data.

That sounds like a very good idea. I don't think the cache is needed
because an argument is usually only checked once.

> This is even easier if the struct looks like:
> struct {
> int nr;
> union {
> uint32_t args32[6];
> uint64_t args64[6];
> }
> };
>
> since you can just use the offset without doing any endian-based
> splitting.

But then the filter has to know if it's 32 or 64-bit, and still know about
endianness, or am I missing something? It seems better to provide the upper
32 bits seperately so code that cares about it can check it.

> Another suggestion (thanks roland!) was to add
> int syscall_arch;
> to the struct populated with the AUDIT_ARCH_* defines. This would
> help the case Indan was worried about -- portable filter programs.

I never heard of AUDIT_ARCH* before, so I have no idea how it could be
used. Do you have a documentation pointer?

A quick scan through the kernel code seems it tells what arch the system is.

Such flag could be used to use the syscall number depending on what arch it
is, but I'm not sure that would make things cleaner or easier for anyone.
Still, it won't hurt to have it and at least gives that option.

> It looks like there'd be some cross-arch plumbing to make the
> AUDIT_ARCH_ data available, but not too bad.
>
> Seem sane? I'm headed down this path now and I think it'll work out
> assuming there aren't major objections to the syscall_arch piece.

I'm not sure about the union, and no objections to syscall_arch if it just
tells what arch it is.

Greetings,

Indan

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: David Ahern: "Re: [PATCH -tip v4 1/5] perf-script: unify the expressions indicate"unknown""
Previous message: realmz paranoid: "Re: [PATCH] socket-can: bit-timing calculation"
In reply to: Will Drewry: "Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF"
Next in thread: Oleg Nesterov: "Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering usingBPF"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]