Date: Wed, 14 Feb 2018 08:33:59 -0700
From: Tycho Andersen
To: Kees Cook
Cc: LKML, Linux Containers, Andy Lutomirski, Oleg Nesterov, "Eric W . Biederman", "Serge E . Hallyn", Christian Brauner, Tyler Hicks, Akihiro Suda
Subject: Re: [RFC 3/3] seccomp: add a way to get a listener fd from ptrace
Message-ID: <20180214153359.6wj6wclsqvgj4jlt@smitten>
References: <20180204104946.25559-1-tycho@tycho.ws> <20180204104946.25559-4-tycho@tycho.ws>

On Tue, Feb 13, 2018 at 01:32:26PM -0800, Kees Cook wrote:
> On Sun, Feb 4, 2018 at 2:49 AM, Tycho Andersen wrote:
> > As an alternative to SECCOMP_FILTER_FLAG_GET_LISTENER, perhaps a ptrace()
> > version which can acquire filters is useful. There are at least two reasons
> > this is preferable, even though it uses ptrace:
> >
> > 1. You can control tasks that aren't cooperating with you
> > 2. You can control tasks whose filters block sendmsg() and socket(); if the
> >    task installs a filter which blocks these calls, there's no way with
> >    SECCOMP_FILTER_FLAG_GET_LISTENER to get the fd out to the privileged task.
>
> I got worried for a second that this would get us into a many-to-many
> state, but I see init_listener enforces a single listener per filter.
> Whew. Seems legit. :)

Yes, although if you sendmsg() the listener fd, you could still get
into that state, so it's still maybe a concern?

Tycho
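
Added illustration, not part of the original message or the patch series: the concern in the reply rests on how SCM_RIGHTS works, where passing a descriptor with sendmsg() gives the receiver a second handle on the same open file, so a one-listener-per-filter check made at creation time does not bound the number of holders afterwards. A pipe stands in for the listener fd here, and the function names are made up for this sketch.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/uio.h>
#include <unistd.h>

/* Send fd over a connected AF_UNIX socket as SCM_RIGHTS ancillary data. */
static int send_fd(int sock, int fd)
{
    char byte = 0, ctl[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof(ctl) };
    memset(ctl, 0, sizeof(ctl));
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one passed fd; returns the new descriptor number or -1. */
static int recv_fd(int sock)
{
    char byte, ctl[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof(ctl) };
    int fd = -1;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Returns 1 if the passed fd is a second handle on the same open file. */
int passed_fd_shares_file(void)
{
    int sp[2], p[2]; struct stat a, b; char got = 0;
    /* Constructed stand-in: p[0] plays the role of the listener fd. */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) || pipe(p) || send_fd(sp[0], p[0])) return -1;
    int dup_fd = recv_fd(sp[1]);
    if (dup_fd < 0 || dup_fd == p[0]) return -1;
    /* Data written to the pipe is readable through the received descriptor. */
    if (write(p[1], "x", 1) != 1 || read(dup_fd, &got, 1) != 1) return -1;
    if (fstat(p[0], &a) || fstat(dup_fd, &b)) return -1;
    return got == 'x' && a.st_ino == b.st_ino && a.st_dev == b.st_dev;
}
int main(void) { return passed_fd_shares_file() == 1 ? 0 : 1; }
```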