Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp58643ybg; Sun, 31 May 2020 16:45:22 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyfER/ma2F3snIWdOoWOEJ7WF03gk5mypamohuWNPIcTc3oBkBWlNXQjXOjqqUjWmjOlflW X-Received: by 2002:a50:be8f:: with SMTP id b15mr18490148edk.182.1590968721786; Sun, 31 May 2020 16:45:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1590968721; cv=none; d=google.com; s=arc-20160816; b=rMGhXYkrUjR6HjC10o1AIvXmgF9wwuXKysS+1YLaMZi7xf8MQloK1IOVxZp2A/IXSs BNratW0wVqy6sLGZQH6j3K2dWMTHxdjslbLJUIgcc5SOXezWdmNEuMwO3B7lGQCSkXdX w9b0ZKrqaVtbvYrk2MsBSMNOCM+I3VF++/4eSH9drNhNd9Gi3b/UMOliTxE0L1DOvci9 vYH936UBRp0GRgA642OMUDCoUymotWmwFZShtEZR62cW/u2DDNWVP0JyRlyuJ1pEis0F m/EJZ+mXM2R6oesF5engWRdHRdarWZ4lMNmeARyeOYlK8ooZG52hCF1MiClbVTRd7o0d W6IQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version:dkim-signature; bh=eXFt9y6Z2WBjRWaJgmza57dN3Egt/onllf0rZRMlIAQ=; b=wDQF8/UO4GLt/pTPjSLpF/6vwwAVK4b5Zlb4ct7ShShoQZJk2D1BTo4Q9SFKnSIcag P95rA6F6nZC4zJsRs4IjRkvofSkyxyKvBN/arBGE6YAG4sTfZF9DvVQMFRr4OJRdJYGK ZeByAqBQ1JRJXqH62jKrqTdSKyVZGXXgwapEQGUnULWCC4V2wFKs3+Bl8YweI2c8DCTl yP3wc0AR6oQyoWgksvp8jSfhhdCXE+zQ2XD5h7XdWHf+6FNBjR4yRigjk3vabYIjcahD iYxXAp8y3j8FhrE9cgkbFmeYGkbmY8vhIFUCMDmc5V142W0SUNZ4UEIbM0kHXKv0j9g5 +g2g== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail (test mode) header.i=@codeweavers.com header.s=6377696661 header.b=YQm8mBng; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=codeweavers.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c2si10820062edq.502.2020.05.31.16.44.31; Sun, 31 May 2020 16:45:21 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=fail (test mode) header.i=@codeweavers.com header.s=6377696661 header.b=YQm8mBng; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=codeweavers.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728296AbgEaXeD (ORCPT + 99 others); Sun, 31 May 2020 19:34:03 -0400 Received: from mail.codeweavers.com ([50.203.203.244]:50890 "EHLO mail.codeweavers.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725860AbgEaXeC (ORCPT ); Sun, 31 May 2020 19:34:02 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=codeweavers.com; s=6377696661; h=To:References:Message-Id: Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Subject:Mime-Version: Content-Type:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=eXFt9y6Z2WBjRWaJgmza57dN3Egt/onllf0rZRMlIAQ=; b=YQm8mBng3LzrqoRSrXxyXIfgl 72rE/fI48T/f0Gq1j2tApc+bv1Mog1xrrGKNAF/NwpUg6l8ovnJMNljA0l+nirvXA3P0/i5u0WsMW BIlpuvyEDzcqS5CZBHNWGjsH0mRndEK4e5Vt5vcF2OQgXDIM9fazzkT5h+m1+HQX7O11k=; Received: from cpe-107-184-2-226.socal.res.rr.com ([107.184.2.226] helo=[192.168.2.144]) by mail.codeweavers.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1jfXSn-0005yd-4N; Sun, 31 May 2020 18:33:59 -0500 Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.14\)) Subject: Re: [PATCH RFC] seccomp: Implement syscall isolation based on memory areas From: Brendan Shanks In-Reply-To: Date: Sun, 31 May 2020 16:33:54 -0700 Cc: Paul Gofman , Gabriel Krisman Bertazi , Linux-MM , LKML , kernel@collabora.com, Thomas Gleixner , Kees Cook , Will Drewry , "H . Peter Anvin" , Zebediah Figura Content-Transfer-Encoding: quoted-printable Message-Id: <8DF2868F-E756-4B33-A7AE-C61F4AB9ABB9@codeweavers.com> References: <85367hkl06.fsf@collabora.com> <079539BF-F301-47BA-AEAD-AED23275FEA1@amacapital.net> <50a9e680-6be1-ff50-5c82-1bf54c7484a9@gmail.com> To: Andy Lutomirski X-Mailer: Apple Mail (2.3445.104.14) X-Spam-Score: -25.8 X-Spam-Report: Spam detection software, running on the system "mail.codeweavers.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: > On May 31, 2020, at 11:57 AM, Andy Lutomirski wrote: > > Using SECCOMP_RET_USER_NOTIF is likely to be considerably more > expensive than my scheme. On a non-PTI system, my approach [...] Content analysis details: (-25.8 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -20 USER_IN_WHITELIST From: address is in the user's white-list -6.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -0.5 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] 0.7 AWL AWL: Adjusted score from AWL reputation of From: address Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On May 31, 2020, at 11:57 AM, Andy Lutomirski wrote: >=20 > Using SECCOMP_RET_USER_NOTIF is likely to be considerably more > expensive than my scheme. On a non-PTI system, my approach will add a > few tens of ns to each syscall. On a PTI system, it will be worse. > But using any kind of notifier for all syscalls will cause a context > switch to a different user program for each syscall, and that will be > much slower. There=E2=80=99s also no way (at least to my understanding) to modify = register state from SECCOMP_RET_USER_NOTIF, which is how the existing = -staging SIGSYS handler works: = > I think that the implementation may well want to live in seccomp, but > doing this as a seccomp filter isn't quite right. It's not a security > thing -- it's an emulation thing. Seccomp is all about making > inescapable sandboxes, but that's not what you're doing at all, and > the fact that seccomp filters are preserved across execve() sounds > like it'll be annoying for you. Definitely. Regardless of what approach is taken, we don=E2=80=99t want = it to persist across execve. > What if there was a special filter type that ran a BPF program on each > syscall, and the program was allowed to access user memory to make its > decisions, e.g. to look at some list of memory addresses. But this > would explicitly *not* be a security feature -- execve() would remove > the filter, and the filter's outcome would be one of redirecting > execution or allowing the syscall. If the "allow" outcome occurs, > then regular seccomp filters run. Obviously the exact semantics here > would need some care. Although if that=E2=80=99s running a BPF filter on every syscall, = wouldn=E2=80=99t it also incur the ~10% overhead that Paul and Gabriel = have seen with existing seccomp? Brendan Shanks CodeWeavers=