Date: Mon, 1 Jun 2020 13:08:54 -0700
From: Kees Cook
To: Andy Lutomirski
Cc: Paul Gofman, Gabriel Krisman Bertazi, Linux-MM, LKML, kernel@collabora.com, Thomas Gleixner, Will Drewry, "H . Peter Anvin", Zebediah Figura
Subject: Re: [PATCH RFC] seccomp: Implement syscall isolation based on memory areas
Message-ID: <202006011306.2E31FDED@keescook>
References: <85367hkl06.fsf@collabora.com> <079539BF-F301-47BA-AEAD-AED23275FEA1@amacapital.net> <50a9e680-6be1-ff50-5c82-1bf54c7484a9@gmail.com>
List-ID: linux-kernel@vger.kernel.org

On Sun, May 31, 2020 at 02:03:48PM -0700, Andy Lutomirski wrote:
> On Sun, May 31, 2020 at 11:57 AM Andy Lutomirski wrote:
> >
> > What if there was a special filter type that ran a BPF program on each
> > syscall, and the program was allowed to access user memory to make its
> > decisions, e.g. to look at some list of memory addresses. But this
> > would explicitly *not* be a security feature -- execve() would remove
> > the filter, and the filter's outcome would be one of redirecting
> > execution or allowing the syscall. If the "allow" outcome occurs,
> > then regular seccomp filters run. Obviously the exact semantics here
> > would need some care.
>
> Let me try to flesh this out a little.
>
> A task could install a syscall emulation filter (maybe using the
> seccomp() syscall, maybe using something else). There would be at
> most one such filter per process. Upon doing a syscall, the kernel
> will first do initial syscall fixups (e.g. SYSENTER/SYSCALL32 magic
> argument translation) and would then invoke the filter. The filter is
> an eBPF program (sorry Kees) and, as input, it gets access to the

FWIW, I agree: something like this needs to use eBPF -- this isn't being
designed as a security boundary. It's more like eBPF ptrace.

> task's register state and to an indication of which type of syscall
> entry this was. This will inherently be rather architecture specific
> -- x86 choices could be int80, int80(translated), and syscall64. (We
> could expose SYSCALL32 separately, I suppose, but SYSENTER is such a
> mess that I'm not sure this would be productive.) The program can
> access user memory, and it returns one of two results: allow the
> syscall or send SIGSYS. If the program tries to access user memory
> and faults, the result is SIGSYS.
>
> (I would love to do this with cBPF, but I'm not sure how to pull this
> off. Accessing user memory is handy for making the lookup flexible
> enough to detect Windows vs Linux. It would be *really* nice to
> finally settle the unprivileged eBPF subset discussion so that we can
> figure out how to make eBPF work here.)

And yes, this is the next road-block: finding a way to safely do
unprivileged eBPF.

-- 
Kees Cook