Received: by 10.213.65.68 with SMTP id h4csp1865760imn;
        Sun, 1 Apr 2018 17:41:17 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4/JyKF7XWFBPhLqAhKIMXXAiR5sfNeEMYXaksCZaCcZUuxdiAcK8no2PD4gqiA4vNa9sZ3S
X-Received: by 10.101.93.65 with SMTP id e1mr1497188pgt.172.1522629677397;
        Sun, 01 Apr 2018 17:41:17 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1522629677; cv=none;
        d=google.com; s=arc-20160816;
        b=nrcsA+8JRITEgwT4mmimAhkY0jORsVym8rEBE708KRQDes4zaK52xWQjiPZ6LtNHDs
         RnhUxQICFhuHlwPQblXoJVtUyJdP6BH1EENwl7qthvNK6tz5letV+ZKzQzwtmINCDIvx
         tY0R7AzNaarhdWRG3ZLxniziay80F+5eIszlczTmrAf/u7Do3beJRTiN1Fj4Tg9Sph0E
         SVYaXJYuf5NEC9MTCWWVk903c7FxIMcLGGj9bqC5ycfRbkVkTrV8vc5Ueo9dSTAOKArq
         u5T87zhK4saZ0str/94nRSxl5Nx7pjUuWUFNd9re8IxZ5+S3sZtrHMfKOKrHNPXyh+WC
         b3Cw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-transfer-encoding:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature
         :arc-authentication-results;
        bh=zofskNTvG4T5oaSe6MVCfDuisTV5zPgEP+EmdC3ApCA=;
        b=cO3ShZoBX3Di3hV118vXw0poPEiATrvfA7GG5enfN68mie31PJ8dmuSDf8d4d9o59P
         QIveVf6rE0KYf/LCcQ2XiUzKYG6xKrM8l82pFKdSjgCLjXcRZmQRdCszUsm2slI8RzKx
         awjzVdwFw3D0LzVSuLqVvgjLglByEd1R0TF7tLq7klPOp9BjJ2hasDKcrixgkyD1krG4
         QHTSEYIc8R/2YeqVsf3giBb7ywxggpxVngyQUcCe8NdXtcy1Qrjb2B1qvkd+GWl+8Dk+
         ZgRS2aVIW/m2CUJwOZiBSBzgaIq1apPQzOnivtvim6mCCwZkpJVZNY4F0hMmWhaT/koN
         s7nQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@tycho-ws.20150623.gappssmtp.com header.s=20150623 header.b=b5AfCCOZ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v9-v6si9517339plo.681.2018.04.01.17.41.02;
        Sun, 01 Apr 2018 17:41:17 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@tycho-ws.20150623.gappssmtp.com header.s=20150623 header.b=b5AfCCOZ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753987AbeDBAjy (ORCPT <rfc822;chenl.lei@gmail.com> + 99 others);
        Sun, 1 Apr 2018 20:39:54 -0400
Received: from mail-io0-f194.google.com ([209.85.223.194]:36526 "EHLO
        mail-io0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751874AbeDBAjv (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 1 Apr 2018 20:39:51 -0400
Received: by mail-io0-f194.google.com with SMTP id o4so16303859iod.3
        for <linux-kernel@vger.kernel.org>; Sun, 01 Apr 2018 17:39:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=tycho-ws.20150623.gappssmtp.com; s=20150623;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:content-transfer-encoding:in-reply-to
         :user-agent;
        bh=zofskNTvG4T5oaSe6MVCfDuisTV5zPgEP+EmdC3ApCA=;
        b=b5AfCCOZwKRqMZloh1D0r71nXh22mqqu9HkR91vzRn8RbaB7OKOHSJ+nkG7UnP+uwc
         +jowc13JAMmh6HCuJJnr1D/fL4xlBy+YwS9jPJx76KnBkGnPvib1jMkt3HuXEiK5R2fh
         wZ1xBiJEWykX2LKDFh8FYjj2f7UsG2EgbfgaMvqEPbhJ/gKwFrhjlbVyDkaFLgXY2lmN
         GeQlGaC6hJHrODGxKGUy/ylKMBb7sL0kYRJXRo/X5J2abt5Om5ee/w3XGK4pXUZ0ZOxj
         fE5I0hETGh1e/Xc471Wdfh0X1ashOh4wtCOSwLHCR1ERaK9wFKmFQuknYWJx7YmhpJ0j
         dOSA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:content-transfer-encoding
         :in-reply-to:user-agent;
        bh=zofskNTvG4T5oaSe6MVCfDuisTV5zPgEP+EmdC3ApCA=;
        b=cuxtgcQ2S+CHbGwNH1zPXUDOBpndIED5zxI8yh5jWzW2qQdRqyi1gZe+6LPPoQsQoq
         uLWrkt+Srf8HhB8uob4o+om/G95LXx1j0lvmgOLNFq1D6AgcgMUpvnpsE/jD6atPncUv
         rBK48bwWJVOjZ3K7PdAJAI+42bU2w+k4xxB4lmVItcebm+Pfo+DH7+ityCySIrvtQUrs
         CidMu0t3gxNiBaFxNs1SYHpYHMzzjZxig82ZnUxqbJrPdvWWzIyE7U6eZqMdJlFVH5iu
         8T0yFGKyd5pNmXDHsjxumY95kEN4bHJQd9YDIBeRvvFcKV40iUDb94uRioucXPT1hyST
         J4cw==
X-Gm-Message-State: AElRT7FR1sWqXAwaR/pGdRdTQXYzonDaYkNKp+deJmDADJQI5Mkw5okf
        DtUmISgDYab+c7WCLXBTDikUaA==
X-Received: by 10.107.200.203 with SMTP id y194mr6401472iof.182.1522629590911;
        Sun, 01 Apr 2018 17:39:50 -0700 (PDT)
Received: from cisco (71-218-142-207.hlrn.qwest.net. [71.218.142.207])
        by smtp.gmail.com with ESMTPSA id j141sm7516688ioj.16.2018.04.01.17.39.48
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Sun, 01 Apr 2018 17:39:49 -0700 (PDT)
Date:   Sun, 1 Apr 2018 18:39:47 -0600
From:   Tycho Andersen <tycho@tycho.ws>
To:     =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= <mic@digikod.net>
Cc:     Andy Lutomirski <luto@kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Alexei Starovoitov <ast@kernel.org>,
        Arnaldo Carvalho de Melo <acme@kernel.org>,
        Casey Schaufler <casey@schaufler-ca.com>,
        Daniel Borkmann <daniel@iogearbox.net>,
        David Drysdale <drysdale@google.com>,
        "David S . Miller" <davem@davemloft.net>,
        "Eric W . Biederman" <ebiederm@xmission.com>,
        James Morris <james.l.morris@oracle.com>,
        Jann Horn <jann@thejh.net>, Jonathan Corbet <corbet@lwn.net>,
        Michael Kerrisk <mtk.manpages@gmail.com>,
        Kees Cook <keescook@chromium.org>,
        Paul Moore <paul@paul-moore.com>,
        Sargun Dhillon <sargun@sargun.me>,
        "Serge E . Hallyn" <serge@hallyn.com>,
        Shuah Khan <shuah@kernel.org>, Tejun Heo <tj@kernel.org>,
        Thomas Graf <tgraf@suug.ch>, Will Drewry <wad@chromium.org>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>,
        Linux API <linux-api@vger.kernel.org>,
        LSM List <linux-security-module@vger.kernel.org>,
        Network Development <netdev@vger.kernel.org>
Subject: Re: [PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged
 sandboxing
Message-ID: <20180402003947.GE5586@cisco>
References: <2e06621c-08e9-dc12-9b6e-9c09d5d8f458@digikod.net>
 <CALCETrWnJ7WkkfiymyahQd7YqO0KXP4mG1pRMq7fp8LG8Bwtcw@mail.gmail.com>
 <a70b41ee-78cb-52cc-152c-ac5e43b7e45c@digikod.net>
 <CALCETrUQYp0ta4tLgUWJ79pZVwp3WRY7cp-XaPcn1WyTc=wZyg@mail.gmail.com>
 <20180306224636.wf5z3kujtc7r5qyh@cisco>
 <7082be04-d6af-b853-4bb7-f331836662e2@digikod.net>
 <CALCETrXT8JUXVwDNKGVRG7=aenthDRePD+T+YiDY6cceaazDeA@mail.gmail.com>
 <cd811155-9e0d-283a-9291-4adfcec848e6@digikod.net>
 <CALCETrUwkV4_65y7UjSgrq5WHOcZZ=+znKArehvhb1xEGG9HXw@mail.gmail.com>
 <0f355079-7ee2-c06a-2d47-a7a2fa6d98fe@digikod.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <0f355079-7ee2-c06a-2d47-a7a2fa6d98fe@digikod.net>
User-Agent: Mutt/1.9.4 (2018-02-28)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Micka?l,

On Mon, Apr 02, 2018 at 12:04:36AM +0200, Micka?l Sala?n wrote:
> >> vDSO is a code mapped for all processes. As you said, these processes
> >> may use it or not. What I was thinking about is to use the same concept,
> >> i.e. map a "shim" code into each processes pertaining to a particular
> >> hierarchy (the same way seccomp filters are inherited across processes).
> >> With a seccomp filter matching some syscall (e.g. mount, open), it is
> >> possible to jump back to the shim code thanks to SECCOMP_RET_TRAP. This
> >> shim code should then be able to emulate/patch what is needed, even
> >> faking a file opening by receiving a file descriptor through a UNIX
> >> socket. As did the Chrome sandbox, the seccomp filter may look at the
> >> calling address to allow the shim code to call syscalls without being
> >> catched, if needed. However, relying on SIGSYS may not fit with
> >> arbitrary code. Using a new SECCOMP_RET_EMULATE (?) may be used to jump
> >> to a specific process address, to emulate the syscall in an easier way
> >> than only relying on a {c,e}BPF program.
> >>
> > 
> > This could indeed be done, but I think that Tycho's approach is much
> > cleaner and probably faster.
> > 
> 
> I like it too but how does this handle file descriptors?

I think it could be done fairly simply, the most complicated part is
probably designing an API that doesn't suck. But the basic idea would
be:

struct seccomp_notif_resp {
    __u64 id;
    __s32 error;
    __s64 val;
    __s32 fd;
};

if the handler responds with fd >= 0, we grab the tracer's fd,
duplicate it, and install it somewhere in the tracee's fd table. Since
things like socket() will want to return the fd number as its
installed and the handler doesn't know that, we'll probably want some
way to indicate that the kernel should return this value. We could
either mandate that if fd >= 0, that's the value that will be returned
from the syscall, or add another flag that says "no, install the fd,
but really return what's in val instead).

I guess we can't mandate that we return fd, because e.g. netlink
sockets can sometimes return fds as part of the netlink messages, and
not as the return value from the syscall.

Tycho