From: "Robert O'Callahan"
Date: Fri, 26 Jun 2020 11:14:56 +1200
Subject: Re: [PATCH RFC] seccomp: Implement syscall isolation based on memory areas
To: Gabriel Krisman Bertazi
Cc: Andy Lutomirski, Linux-MM, open list, kernel@collabora.com, Thomas Gleixner, Kees Cook, Will Drewry, "H. Peter Anvin", Paul Gofman
Reply-To: robert@ocallahan.org
References: <20200530055953.817666-1-krisman@collabora.com> <85367hkl06.fsf@collabora.com>
In-Reply-To: <85367hkl06.fsf@collabora.com>
X-Mailing-List: linux-kernel@vger.kernel.org

rr (https://rr-project.org, https://arxiv.org/abs/1705.05937) grapples with a similar problem. We need to intercept commonly-executed system calls and wrap them with our own processing, with minimal overhead. I think our basic approach might work for Wine without kernel changes.

We use SECCOMP_SET_MODE_FILTER with a simple filter that returns SECCOMP_RET_TRAP on all syscalls except for those called from a single specific trampoline page (which get SECCOMP_RET_ALLOW). rr ptraces its children. So, when user-space makes a syscall, the seccomp filter triggers a ptrace trap.
The ptracer looks at the code around the syscall and if it matches certain common patterns, the ptracer patches the code with a jump to a stub that does extra work and issues a real syscall via the trampoline. Thus, each library syscall instruction is slow the first time and fast every subsequent time. "Weird" syscalls that the ptracer chooses not to patch do incur the context-switch penalty every time so their overhead does increase a lot ... but it sounds like that might be OK in Wine's case?

A more efficient variant of this approach which would work in some cases (but maybe not Wine?) would be to avoid using a ptracer and give the process a SIGSYS handler which does the patching.

Rob
-- 
Su ot deraeppa sah dna Rehtaf eht htiw saw hcihw, efil lanrete eht uoy ot mialcorp ew dna, ti ot yfitset dna ti nees evah ew; deraeppa efil eht. Efil fo Drow eht gninrecnoc mialcorp ew siht - dehcuot evah sdnah ruo dna ta dekool evah ew hcihw, seye ruo htiw nees evah ew hcihw, draeh evah ew hcihw, gninnigeb eht morf saw hcihw taht.
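
The filter described in this message can be sketched as classic BPF. This is an added example, not rr's code and not part of the original mail. The function names, the 4 KiB page size and the little-endian field layout are assumptions, and the small evaluator is there only so the verdicts can be checked without installing the filter.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Assumes little-endian (e.g. x86-64): low half of the 64-bit IP comes first. */
#define IP_LO offsetof(struct seccomp_data, instruction_pointer)
#define IP_HI (IP_LO + 4)
#define NFILTER 7

/* ALLOW only when the reported IP lies in the 4 KiB page at `page`, else TRAP.
 * On x86-64 the reported IP is the address after the syscall instruction, so
 * the trampoline's syscall must not occupy the last bytes of the page. */
void build_trampoline_filter(struct sock_filter out[NFILTER], uint64_t page)
{
    const struct sock_filter f[NFILTER] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, IP_HI),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)(page >> 32), 0, 4),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, IP_LO),
        BPF_STMT(BPF_ALU | BPF_AND | BPF_K, ~0xfffu),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)page, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
    };
    memcpy(out, f, sizeof f);
}

/* Offline evaluator for just the four opcodes used above. */
uint32_t eval_filter(const struct sock_filter *p, size_t n,
                     const struct seccomp_data *sd)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *i = &p[pc];
        switch (i->code) {
        case BPF_LD | BPF_W | BPF_ABS: memcpy(&a, (const char *)sd + i->k, 4); break;
        case BPF_ALU | BPF_AND | BPF_K: a &= i->k; break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (a == i->k) ? i->jt : i->jf; break;
        case BPF_RET | BPF_K: return i->k;
        }
    }
    return SECCOMP_RET_KILL; /* fell off the end: treat as deny */
}

/* Verdict for a syscall whose reported instruction pointer is `ip`. */
uint32_t verdict_for_ip(uint64_t page, uint64_t ip)
{
    struct sock_filter prog[NFILTER];
    struct seccomp_data sd = { .instruction_pointer = ip };
    build_trampoline_filter(prog, page);
    return eval_filter(prog, NFILTER, &sd);
}
```

To install it, the same array goes into a struct sock_fprog passed to seccomp(2) with SECCOMP_SET_MODE_FILTER, after PR_SET_NO_NEW_PRIVS for an unprivileged process.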