[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 29 Feb 2012 18:09:33 +0100
From: Oleg Nesterov <oleg@...hat.com>
To: Will Drewry <wad@...omium.org>
Cc: linux-kernel@...r.kernel.org, linux-arch@...r.kernel.org,
linux-doc@...r.kernel.org, kernel-hardening@...ts.openwall.com,
netdev@...r.kernel.org, x86@...nel.org, arnd@...db.de,
davem@...emloft.net, hpa@...or.com, mingo@...hat.com,
peterz@...radead.org, rdunlap@...otime.net, mcgrathr@...omium.org,
tglx@...utronix.de, luto@....edu, eparis@...hat.com,
serge.hallyn@...onical.com, djm@...drot.org, scarybeasts@...il.com,
indan@....nu, pmoore@...hat.com, akpm@...ux-foundation.org,
corbet@....net, eric.dumazet@...il.com, markus@...omium.org,
coreyb@...ux.vnet.ibm.com, keescook@...omium.org,
Denys Vlasenko <dvlasenk@...hat.com>
Subject: Re: [PATCH v11 10/12] ptrace,seccomp: Add PTRACE_SECCOMP support
On 02/29, Will Drewry wrote:
> On Wed, Feb 29, 2012 at 10:14 AM, Oleg Nesterov <oleg@...hat.com> wrote:
> > On 02/28, Will Drewry wrote:
> >>
> >> On Tue, Feb 28, 2012 at 11:04 AM, Will Drewry <wad@...omium.org> wrote:
> >> > On Tue, Feb 28, 2012 at 10:43 AM, Oleg Nesterov <oleg@...hat.com> wrote:
> >> >>
> >> >> Great. In this case this patch becomes really trivial. Just 2 defines
> >> >> in ptrace.h and the unconditional ptrace_event() under SECCOMP_RET_TRACE.
> >>
> >> hrm the only snag is that I can't then rely on TIF_SYSCALL_TRACE to
> >> ensure seccomp is in the slow-path. Right now, on x86, seccomp is
> >> slow-path, but it doesn't have to be to have the syscall and args.
> >> However, for ptrace to behavior properly, I believed it did need to be
> >> in the slow path. If SECCOMP_RET_TRACE doesn't rely on
> >> PTRACE_SYSCALL, then it introduces a need for seccomp to always be in
> >> the slow path or to flag (somehow) when it needs slow path.
> >
> > My understanding of this magic is very limited, and I'm afraid
> > I misunderstood... So please correct me.
> >
> > But what is the problem? system_call checks _TIF_WORK_SYSCALL_ENTRY
> > which includes _TIF_SECCOMP | _TIF_SYSCALL_TRACE, and jumps to
> > tracesys which does SAVE_REST.
> >
> > Anyway. secure_computing() is called by syscall_trace_enter() which
> > also calls tracehook_report_syscall_entry(). If SECCOMP_RET_TRACE
> > can't do ptrace_event() then why tracehook_report_syscall_entry() is
> > fine?
>
> Early on in this patch series, I was urged away from regviews (for
> many reasons), one of them was so that seccomp could, at some point,
> be fast-path'd like audit is for x86. (It may be on arm already, I'd
> need to check.) So I was hoping that I could avoid adding a slow-path
> dependency to the seccomp code.
Thanks, now I see what you meant.
> By adding a requirement for the
> slow-path in the form of ptrace_event(), the difficulty for making
> seccomp fast-path friendly is increased.
Yes. I do not know if this is really bad. I mean, I do not know how
much do we want the fast-path'd seccomp.
> (It could be possible to add
> a return code, e.g., return NEEDS_SLOW_PATH, which tells the fast path
> code to restart the handling at syscall_trace_enter, so maybe I am
> making a big deal out of nothing.)
Probably. Or SECCOMP_RET_TRACE can set TIF_NOTIFY_RESUME.
(Btw there is another alternative although imho PTRACE_EVENT_SECCOMP
looks better. SECCOMP_RET_TRACE can simply set TIF_SYSCALL_TRACE and
return, syscall_trace_enter() will report the syscall. If we make it
fast-path'ed, then TIF_NOTIFY_RESUME should trigger the slow path)
> I was hoping to avoid having TIF_SECCOMP imply the slow-path, but if
> that is the only sane way to integrate, then I can leave making it
> fast-path friendly as a future exercise.
>
> If I'm over-optimizing,
may be ;) but it is very possible I underestimate the problem.
I'd like to know what Roland thinks.
Oleg.
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
