Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp3350018pxk; Mon, 7 Sep 2020 10:17:13 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw0r7J8q+7/42MLZD13Wky1KbHEvFHonuZ07TTbySZXA9PBoL2f4H0lMFMxfOOClZbtVGq/ X-Received: by 2002:a17:906:82d1:: with SMTP id a17mr21601449ejy.385.1599499033338; Mon, 07 Sep 2020 10:17:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1599499033; cv=none; d=google.com; s=arc-20160816; b=ndHBlKf/CxuF8A3POp6DxkgofZFgiSGWI8SQ/NvgQZAAu7QjTw5UHD1UBt0WUCN1DE gg+cZa77kwLxVARVHFijby6brvxpFbJ7IliVzhEtFmWG/0dRxAM+3UIpQggHvbTqTjYX IDdkZCnsC9nA+S71CHZcKihuS7GFLA9kglVNJd+l0hfSTgtX5+pkHpg5lWjgWLB0Hk9I OctYdWtAUi69ejNuakt4cvFQpgAGW8FpXEw8OHwlaGvalCMCIixFImCoFcNrsfIc6mQG saSrdlzUX+rs5nUzNQc7i4BKoC4iS4YohJ0/2JiYElYk1SIf0N6KjIkk1fT2QmENlubw kHsg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:in-reply-to:cc:references:message-id :date:subject:mime-version:from:content-transfer-encoding :dkim-signature; bh=pMKtnu62KrFlClqQRGBjCSOknfMgdgn3+wr6HnRppNY=; b=o47TPOwygoeqzDs4q0WpxPnfxQSv62DFTT/w25uJ9Aw0KHd/a/7zPGy9pNZL2KYQyx NtW4KwgEZtmYUMVW4LB4V6KVdNhuaTR0KK7FvXXz3uTbj057qJiUlExujkA2wguRuRdL m4H2K2x7GImitRkuDYYgxzZmqpv9QRcJ8AafHfqTGy1wSLLUlvfvxvQgDkdPC9y1sjtO eHJ95HMh57lQQCg+E7pohowyoOOosjHSvZ05GKQ+zTDI137zHyxIbm7DbVM4eSROFURv voxVKRrbW7+brpRfzNqoO6STOdnFlzu45pnv3XS2NTkVECagkXh3mT5SNtonNYbogWw/ 1ZqQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=D64xvzFL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id pj4si10293171ejb.628.2020.09.07.10.16.50; Mon, 07 Sep 2020 10:17:13 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=D64xvzFL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729774AbgIGROK (ORCPT + 99 others); Mon, 7 Sep 2020 13:14:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41036 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729351AbgIGOQb (ORCPT ); Mon, 7 Sep 2020 10:16:31 -0400 Received: from mail-pf1-x443.google.com (mail-pf1-x443.google.com [IPv6:2607:f8b0:4864:20::443]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E2CB2C061573 for ; Mon, 7 Sep 2020 07:15:55 -0700 (PDT) Received: by mail-pf1-x443.google.com with SMTP id v196so8717539pfc.1 for ; Mon, 07 Sep 2020 07:15:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=pMKtnu62KrFlClqQRGBjCSOknfMgdgn3+wr6HnRppNY=; b=D64xvzFLBlnNeTQkT8TNQY9QSEEmAeebO85yfOC8NPD1qtRe6ZhnRviUtvOdxf7zNs K5w9Tc56LdukXCGiVOV0RnjgFVbBUOBeD0YvkNdcyIRUZqHMAGLUalClCgCTARRRghvX 0syIVDRXlYXf/9UkCbwkjho2LiGFWDgF0jefQzrfll1AaP8/1iF03O7LOXwtlHzPC5o2 I7l8npCZsBDhjEaTB0HUB7llatpo1fnrqibiAczZYpjt9RwxiE1/4IJ0nbgeUY7dfu0K DdpHrv1SwsxdcqShg+ockpxLo9zrZWTK4NGRi2HGlIb9t7VQbc2feZTADbtP9rlW2EI0 cR4w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=pMKtnu62KrFlClqQRGBjCSOknfMgdgn3+wr6HnRppNY=; b=qOdHTxmlRbTBJdS3uXzQDeqWIJND5JTjS9Il2f3zxehOdXoPoiG/PqWihOT/jVm5Tf qrpXDRbrw6Z2PfqjzQw7VMrFzUXbbbzAAok+CGMzWgyoBVo72yhuOOvZYM2Bc2g2SDCZ 02jFfKu361aJXjfaHBKgkt3uScdRnnJKY8/5YKihsrZccyhf1EPA32c/i2ahAaWnwbiG Tfs86LweaUOaN6kAjc4rNR5j209OVU2OpLZCZsCSChpdEUFlcc8Pa+AVS85lFL9kwXu6 SyPHplJl2SEonV056RHPINV4K0tzD8+w8qhwUGpFPVKq14keqalvfOiAP2aO6zfX4sAF kBFA== X-Gm-Message-State: AOAM532Smx4UdcfCn0ukvia2UYQlXNlMO9TjLz1ekOq0aqtY5ukom2Ka x+4100aby8qTtNoBZOOKzKkLAg== X-Received: by 2002:a63:4a19:: with SMTP id x25mr16395793pga.56.1599488154774; Mon, 07 Sep 2020 07:15:54 -0700 (PDT) Received: from ?IPv6:2600:1010:b025:3136:b1da:8d24:b138:6fff? ([2600:1010:b025:3136:b1da:8d24:b138:6fff]) by smtp.gmail.com with ESMTPSA id m25sm15245324pfa.32.2020.09.07.07.15.53 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 07 Sep 2020 07:15:53 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable From: Andy Lutomirski Mime-Version: 1.0 (1.0) Subject: Re: [PATCH v6 6/9] kernel: entry: Support Syscall User Dispatch for common syscall entry Date: Mon, 7 Sep 2020 07:15:52 -0700 Message-Id: <0639209E-B6C6-4F86-84F4-04B91E1CC8AA@amacapital.net> References: <20200907101522.zo6qzgp4qfzkz7cs@wittgenstein> Cc: Gabriel Krisman Bertazi , luto@kernel.org, tglx@linutronix.de, keescook@chromium.org, x86@kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, willy@infradead.org, linux-kselftest@vger.kernel.org, shuah@kernel.org, kernel@collabora.com In-Reply-To: <20200907101522.zo6qzgp4qfzkz7cs@wittgenstein> To: Christian Brauner X-Mailer: iPhone Mail (17H35) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Sep 7, 2020, at 3:15 AM, Christian Brauner wrote: >=20 > =EF=BB=BFOn Fri, Sep 04, 2020 at 04:31:44PM -0400, Gabriel Krisman Bertazi= wrote: >> Syscall User Dispatch (SUD) must take precedence over seccomp, since the >> use case is emulation (it can be invoked with a different ABI) such that >> seccomp filtering by syscall number doesn't make sense in the first >> place. In addition, either the syscall is dispatched back to userspace, >> in which case there is no resource for seccomp to protect, or the >=20 > Tbh, I'm torn here. I'm not a super clever attacker but it feels to me > that this is still at least a clever way to circumvent a seccomp > sandbox. > If I'd be confined by a seccomp profile that would cause me to be > SIGKILLed when I try do open() I could prctl() myself to do user > dispatch to prevent that from happening, no? >=20 Not really, I think. The idea is that you didn=E2=80=99t actually do open().= You did a SYSCALL instruction which meant something else, and the syscall d= ispatch correctly prevented the kernel from misinterpreting it as open().