Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp2602911ybt; Tue, 16 Jun 2020 10:04:14 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw3jIyvf4UEODrAFRXJHQg5lhJy5WL3OcJ2O7P377nh/acLQOj2bCR/Q9x35RW4V7WA7Hu1 X-Received: by 2002:a17:906:1386:: with SMTP id f6mr3725620ejc.66.1592327054517; Tue, 16 Jun 2020 10:04:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1592327054; cv=none; d=google.com; s=arc-20160816; b=syGcVzBPwNzVtL2PD6Is2S3k6jwTnQBwVTIcxJd8ZFvrD2GdJYHKBqRjEg496JB9jZ EubyNGtsL/AezktdFh6Upo/4t1MpiowsCAG8zVW4bVlST3cp3wu+hFcFHmeSj5nSLuvi IbgzH5ItcSXmyJVYxV5tULvNioo4BLydL/qkA9VNX3ORuhR6xWY4bnfHIXCYrPTIJFfc +V78biNp9N7+sNBknIE4BEtX81JJdGyUZ5zZtRMS+9PwlzloyoN53Mwq35GvXv4jAlXW h3vkKIalAbD+XCfvTvtgJ+C8wj+3wk6JbGzef+vMLMfy8QiiU7h+MwM4MaQor+vv1JZw srIQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=Kq7r/Wx0JwnqfYr59S0nZ/2CugzoH78J9gFT8xPQ8Hk=; b=OnKuQWYxXlsd97VTFm+UuL4JbQCKegfRBLWq0S1fONBeqTiizit/uO+NgdqeSuDO/C 3zchMPaW7ydPJnnF2glvZuz+2aye8MlkdIeDOEQDcaGbkF9azPeNHF34w+Z6qYocPsGi iEi8i/FQz5JFWqEfYiW7q+X9PNeY0f5bLro+Or+zp2PAS/VnTUB0BsY0dhe0UkLPyTvg DAtNRyyOdb7CaDqrO/HeqXpcpJzvzqAIT6fTOphhPAVzg9U6VuDp9UW5MMVqzBko7oJy WBtXDW/sdVLDVuU/IAjXw/cZLL8IMWkwFTWhloW2a/a1LdZOaOJAo0lEvJUcoc69b3Sz ivkA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=G2A8LNLg; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s21si11068237ejz.9.2020.06.16.10.03.51; Tue, 16 Jun 2020 10:04:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=G2A8LNLg; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730703AbgFPRB6 (ORCPT + 99 others); Tue, 16 Jun 2020 13:01:58 -0400 Received: from mail.kernel.org ([198.145.29.99]:54706 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728861AbgFPRB6 (ORCPT ); Tue, 16 Jun 2020 13:01:58 -0400 Received: from mail-wr1-f52.google.com (mail-wr1-f52.google.com [209.85.221.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 93F6B21582 for ; Tue, 16 Jun 2020 17:01:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1592326917; bh=x7sF8JlhivKiZx8ZWX3Ydrzfg2JpqrUkultDOGGYPI8=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=G2A8LNLgeumSXYPUkyAkrNVJEPup590mNeKtVSHVhm9jF6slBIraiWh4pDwLT9duY wDENoyVIp+hcZ7GTaMsousph3f+A35cAear0Tn+8WIGX1PoJQ4F3er0pU9ERigJhDz 31QvxEglQ/agYvDJnpEVdRRi9AHleqvoX9ffEpTA= Received: by mail-wr1-f52.google.com with SMTP id l10so21510265wrr.10 for ; Tue, 16 Jun 2020 10:01:57 -0700 (PDT) X-Gm-Message-State: AOAM531SuVf5mUqTWgQSxktrX5ZWaDymYgeulyjLSmX6sE6tvuUD224l pZAfkn0pBUJRE/y9WV8tH6cueYjt3a3i24SylgDYZQ== X-Received: by 2002:a5d:49c5:: with SMTP id t5mr4143840wrs.18.1592326916028; Tue, 16 Jun 2020 10:01:56 -0700 (PDT) MIME-Version: 1.0 References: <20200616074934.1600036-1-keescook@chromium.org> In-Reply-To: <20200616074934.1600036-1-keescook@chromium.org> From: Andy Lutomirski Date: Tue, 16 Jun 2020 10:01:43 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC][PATCH 0/8] seccomp: Implement constant action bitmaps To: Kees Cook Cc: LKML , Christian Brauner , Sargun Dhillon , Tycho Andersen , Jann Horn , "zhujianwei (C)" , Dave Hansen , Matthew Wilcox , Andy Lutomirski , Will Drewry , Shuah Khan , Matt Denton , Chris Palmer , Jeffrey Vander Stoep , Aleksa Sarai , Hehuazhen , X86 ML , Linux Containers , LSM List , Linux API Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jun 16, 2020 at 12:49 AM Kees Cook wrote: > > Hi, > > In order to build this mapping at filter attach time, each filter is > executed for every syscall (under each possible architecture), and > checked for any accesses of struct seccomp_data that are not the "arch" > nor "nr" (syscall) members. If only "arch" and "nr" are examined, then > there is a constant mapping for that syscall, and bitmaps can be updated > accordingly. If any accesses happen outside of those struct members, > seccomp must not bypass filter execution for that syscall, since program > state will be used to determine filter action result. > > During syscall action probing, in order to determine whether other members > of struct seccomp_data are being accessed during a filter execution, > the struct is placed across a page boundary with the "arch" and "nr" > members in the first page, and everything else in the second page. The > "page accessed" flag is cleared in the second page's PTE, and the filter > is run. If the "page accessed" flag appears as set after running the > filter, we can determine that the filter looked beyond the "arch" and > "nr" members, and exclude that syscall from the constant action bitmaps. This is... evil. I don't know how I feel about it. It's also potentially quite slow. I don't suppose you could, instead, instrument the BPF code to get at this without TLB hackery? Or maybe try to do some real symbolic execution of the BPF code? --Andy