From: "Michael Kerrisk (man-pages)"
Reply-To: mtk.manpages@gmail.com
Date: Wed, 26 Aug 2015 18:42:54 -0700
Subject: Seccomp questions for updates to seccomp(2) man page
To: Kees Cook, Will Drewry
Cc: lkml, linux-man, Alexei Starovoitov, Daniel Borkmann

Hello Kees, Will,

In recent times I've been asked a couple of questions about seccomp(), and it seems like it would be worthwhile to include these topics in the seccomp(2) man page. Would you be able to help out with some answers?

=== Use of the instruction pointer in seccomp filters ===

The seccomp_data describing the system call includes the process's instruction pointer value. What use can be made of this information?

My best guess is that you can use this information in conjunction with /proc/PID/maps to introspect the process layout and thus construct filters that conditionally operate based on which DSO is performing a system call. Is that a reasonable use case? Are there others?

=== Chained seccomp filters and SECCOMP_RET_KILL ===

The man page describes the behavior when multiple filters are installed:

    If multiple filters exist, they are all executed, in reverse order
    of their addition to the filter tree (i.e., the most recently
    installed filter is executed first). The return value for the
    evaluation of a given system call is the first-seen
    SECCOMP_RET_ACTION value of highest precedence (along with its
    accompanying data) returned by execution of all of the filters.

The question is: suppose one of the early filters returns SECCOMP_RET_KILL (which is the highest priority action), what is the purpose of executing the remaining filters?

My best guess is that this is about preventing the user from discovering which filter rule causes the sandboxed program to fail. Is this correct, or is there another reason?

Thanks,

Michael

--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/