Date: Sat, 29 Sep 2018 10:28:55 +1000
From: Aleksa Sarai
To: Tycho Andersen
Cc: Kees Cook, Jann Horn, linux-api@vger.kernel.org, containers@lists.linux-foundation.org, Akihiro Suda, Oleg Nesterov, linux-kernel@vger.kernel.org, "Eric W. Biederman", linux-fsdevel@vger.kernel.org, Christian Brauner, Andy Lutomirski
Subject: Re: [PATCH v7 1/6] seccomp: add a return code to trap to userspace
Message-ID: <20180929002855.bcx5u2kabtqjtcnt@mikami>
References: <20180927151119.9989-1-tycho@tycho.ws> <20180927151119.9989-2-tycho@tycho.ws>
In-Reply-To: <20180927151119.9989-2-tycho@tycho.ws>

On 2018-09-27, Tycho Andersen wrote:
> This patch introduces a means for syscalls matched in seccomp to notify
> some other task that a particular filter has been triggered.
>
> The motivation for this is primarily for use with containers. For example,
> if a container does an init_module(), we obviously don't want to load this
> untrusted code, which may be compiled for the wrong version of the kernel
> anyway. Instead, we could parse the module image, figure out which module
> the container is trying to load and load it on the host.
>
> As another example, containers cannot mknod(), since this checks
> capable(CAP_SYS_ADMIN). However, harmless devices like /dev/null or
> /dev/zero should be ok for containers to mknod, but we'd like to avoid hard
> coding some whitelist in the kernel. Another example is mount(), which has
> many security restrictions for good reason, but configuration or runtime
> knowledge could potentially be used to relax these restrictions.

Minor thing, but this is no longer _entirely_ true (now it checks
ns_capable(sb->s_user_ns)). I think the kernel module auto-loading is a
much more interesting example, but since this is just a commit message
feel free to ignore my pedantry. :P

> Signed-off-by: Tycho Andersen
> CC: Kees Cook
> CC: Andy Lutomirski
> CC: Oleg Nesterov
> CC: Eric W. Biederman
> CC: "Serge E. Hallyn"
> CC: Christian Brauner
> CC: Tyler Hicks
> CC: Akihiro Suda

Would you mind adding me to the Cc: list for the next round of patches?
It's looking pretty neat! Thanks!

--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH