Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp192324ybh; Tue, 17 Mar 2020 21:07:59 -0700 (PDT) X-Google-Smtp-Source: ADFU+vsm2OoovaI05Wmg3lBtIMqoyofjSug1DRb5BR+Dcoy7ibBR8vu52CWOomvaUJlJkESceIzI X-Received: by 2002:aca:b1d5:: with SMTP id a204mr1714956oif.82.1584504479262; Tue, 17 Mar 2020 21:07:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1584504479; cv=none; d=google.com; s=arc-20160816; b=CTYZLEYhSlS5TcsFbeN27ojf/vAcN/tvS/VgYsrC7d/Sgodd4awy5y9Fv4PkA3L/n+ NJKfHvlf+3mEHdE5CbZPPyQINFtXwjuqPLiONq/xMp99xEV4AnRR4JaFaYbWVTY7PuS0 neo7PpzsxW6Ms48vf7CL3auzXxu2PWkgCYz2vhMFRvlkMEdnAm7dMvlCVjYpBBeMs+tV mRlkDvTCRaZ0mfRDrPDXjvVbBhCA6TxJrZLtXVJGEldt/3fJ3gs/xnIpdrWp3wcbptMX 2/r0ZSntFeoz0SCLEDFbf5re5oq/nienZyeHaaNZOVmWd9yTd4TGzQXxaV9appQtEXug X0Rw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=7NJiSJJsn7uiLh7Cvx0ggtnn/qvPqiLQL9PelNdKr40=; b=0VyFHGm0+w5TO9c5PuoGG5vwuu/snbWx/pLW7+19t+YlWWtPzZ9hvmdHWesZGElZ2B p/tDY2zdU1gl9g+lKAwPpwJyc85frzxV3+e7vMDmOgYsds/Rbu2jHLMvqv93KHkT4B6K q/BlV2hOdsT2oQliGavlkFldhzppG4PkcJDSpV6/bQi4t6yA1DQOggo8yHiYZzVZOXJS 89usc6rDs+4f3KabrYGlXF3rrpB+fPhx8bo8b+YRbkFw2UMO4pCcavuVkP54Yyspy51D xxmMlrqPOu/HbXA8CldpFCvkcRBmBpLToRzvvCMyGPWB96iDj24otildYrj9T9ctN1uu wqyQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=LLFwCb6m; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a69si2643586oib.90.2020.03.17.21.07.46; Tue, 17 Mar 2020 21:07:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=LLFwCb6m; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726586AbgCREGM (ORCPT + 99 others); Wed, 18 Mar 2020 00:06:12 -0400 Received: from mail-pj1-f65.google.com ([209.85.216.65]:51717 "EHLO mail-pj1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726219AbgCREGM (ORCPT ); Wed, 18 Mar 2020 00:06:12 -0400 Received: by mail-pj1-f65.google.com with SMTP id hg10so730066pjb.1 for ; Tue, 17 Mar 2020 21:06:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to; bh=7NJiSJJsn7uiLh7Cvx0ggtnn/qvPqiLQL9PelNdKr40=; b=LLFwCb6m129VqiUIVzImsyROsA0l3qHoEFW2RsL6NyhHboHjx/0rnjK9+XtD0om9DO viX51mgiD4HOHQmcqAn8ePhU2DbWhbUSLPthEUaT9kzr2VRfRup1FfsZHGubolbxvn3/ D83deLS0Ajd8WxTR2voZjpFeSdvcrop2W8CLA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to; bh=7NJiSJJsn7uiLh7Cvx0ggtnn/qvPqiLQL9PelNdKr40=; b=E3rUfsKNPkbN2lziWG1pYRTPktAmS/Az+xKRgHmNz1Ut3QcLO/MHuaCrsBCL9wzRN2 TDiGxuw3fPIryANdSYPCpWjL+TpdYdqEbDMntIyyfb0LiBELkNvsJR2EsgUXuIlu5U+g z9NssKWfmd0+tLiTxlJHvRZbiEcLx9ex/galkp3gylbIP6In3zLRjFlArmNgiqAWT3j0 c3/lHZBLm8yjcCmyYJXmGWk6WR1G/3st/feGJ7jxWv3THGoFSSaCVpHF4nkQnYlJQNou dSBmOFXEQ6pniIZB11DjhLBzGMSYGUIg3Y1gts8XRfqfEzRIcukdZCO0MEenuzXEEkQe MpGw== X-Gm-Message-State: ANhLgQ0Br9RJ9f0iD/GDspAEhvav23KqbDxyEbyj4rCqP8m4AJ1/Rl8g cRpPwl/LwSXfd7WSJLo3Do+ewQ== X-Received: by 2002:a17:90a:21ce:: with SMTP id q72mr2543293pjc.160.1584504370417; Tue, 17 Mar 2020 21:06:10 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id y9sm3937422pgo.80.2020.03.17.21.06.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 17 Mar 2020 21:06:09 -0700 (PDT) Date: Tue, 17 Mar 2020 21:06:08 -0700 From: Kees Cook To: Anton Protopopov Cc: Andy Lutomirski , Will Drewry , open list , Daniel Borkmann , bpf Subject: Re: [PATCH] seccomp: allow BPF_MOD ALU instructions Message-ID: <202003172058.3CB0D95@keescook> References: <20200316163646.2465-1-a.s.protopopov@gmail.com> <202003161423.B51FDA8083@keescook> <202003171314.387F3F187D@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Mar 17, 2020 at 09:11:57PM -0400, Anton Protopopov wrote: > вт, 17 мар. 2020 г. в 16:21, Kees Cook : > > > > On Mon, Mar 16, 2020 at 06:17:34PM -0400, Anton Protopopov wrote: > > > and in every case to walk only a corresponding factor-list. In my case > > > I had a list of ~40 syscall numbers and after this change filter > > > executed in 17.25 instructions on average per syscall vs. 45 > > > instructions for the linear filter (so this removes about 30 > > > instructions penalty per every syscall). To replace "mod #4" I > > > actually used "and #3", but this obviously doesn't work for > > > non-power-of-two divisors. If I would use "mod 5", then it would give > > > me about 15.5 instructions on average. > > > > Gotcha. My real concern is with breaking the ABI here -- using BPF_MOD > > would mean a process couldn't run on older kernels without some tricks > > on the seccomp side. > > Yes, I understood. Could you tell what would you do exactly if there > was a real need in a new instruction? I'd likely need to introduce some kind of way to query (and declare) the "language version" of seccomp filters. New programs would need to declare the language level (EINVAL would mean the program must support the original "v1", ENOTSUPP would mean "kernel doesn't support that level"), and the program would have to build a filter based on the supported language features. The kernel would assume all undeclared seccomp users were "v1" and would need to reject BPF_MOD. All programs declaring "v2" would be allowed to use BPF_MOD. It's really a lot for something that isn't really needed. :) > > Since the syscall list is static for a given filter, why not arrange it > > as a binary search? That should get even better average instructions > > as O(log n) instead of O(n). > > Right, thanks! This saves about 4 more instructions for my case and > works 1-2 ns faster. Excellent! > > Though frankly I've also been considering an ABI version bump for adding > > a syscall bitmap feature: the vast majority of seccomp filters are just > > binary yes/no across a list of syscalls. Only the special cases need > > special handling (arg inspection, fd notification, etc). Then these > > kinds of filters could run as O(1). *This* feature wouldn't need my crazy language version idea, but it _would_ still need to be detectable, much like how RET_USER_NOTIF was added. -- Kees Cook