Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp693223pxx; Wed, 28 Oct 2020 14:41:55 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwBW3x0zCH/j43BpAKrNSEmaxGY02uGIPMT+ifAyC5Dox+lsn9hh2bK4GhRGR2HNBo6kRsB X-Received: by 2002:a17:906:4a98:: with SMTP id x24mr1036586eju.319.1603921314995; Wed, 28 Oct 2020 14:41:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603921314; cv=none; d=google.com; s=arc-20160816; b=fuxYHe7O+E4IjvlMsVFvSld0W5LW47/KuaKyhZRRMRJOFaiIkqPstKUuogP5kZJS+U 6IBh14hhJCqk58cBfKzoA+t8FfmkGgOofdswSP+8xGw2mkiyJGEYdG/XKfivLL2AZhCg mTQEUq61YiMUy4zZKxbb0FCNGGrt4gW511XDT9pnkP31K9W6n6Qs/0HAwaMGkJXYIztB 4DcDduSKvzH6Sg5fEhRSyQDicbXG+wceDLQkBoErkSHTv7jqIgZbdTsduDW3n9YCqksB ABrN1g66lUg4dofBgEZzFB6jD4wvDafD0POPwWwzdxCWx/+Ihjmoajo2wT0aULctzGuF Y+Gw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=SkTc2vk73nmebVshjgjHKREV7i/15yy96aB46LsoBJM=; b=lfvsagQcsIdAVNT6jGnmfv2WVyLVzYXyTQE2hd+zVW6xlXQCm0++aRgLv19l/8BuZc SNfBKnsn/DoJwysWySl0AGSQhKpEPOU3HaUlhPcV0bEwzA8qOUbdvjewDUe/zvQg9OaP n18WnL1SHV2B6JOd1DB+kBuzjYQaIOZbIBIWVOrrNQCNTJNmpf1u3+GSh6NIn/54J764 Cydg8DcPjfKWxnZuOQMpuZDb+fWoyzDdMJx0mv3n8AAhzB+k2UpqizwBi9z/FrdRCNTm 4HwHXo9TKnnij5hck51rXoOW2G9kmHCHUWpiBvpAxUd9L0Rpu24FyOtgb5hMOZ6sFTKZ j05A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=jq2lkcWd; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id y22si57344edv.498.2020.10.28.14.41.31; Wed, 28 Oct 2020 14:41:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=jq2lkcWd; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726439AbgJ1BkN (ORCPT + 99 others); Tue, 27 Oct 2020 21:40:13 -0400 Received: from mail-pf1-f194.google.com ([209.85.210.194]:44443 "EHLO mail-pf1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1833077AbgJ1AGw (ORCPT ); Tue, 27 Oct 2020 20:06:52 -0400 Received: by mail-pf1-f194.google.com with SMTP id 133so1866292pfx.11 for ; Tue, 27 Oct 2020 17:06:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=SkTc2vk73nmebVshjgjHKREV7i/15yy96aB46LsoBJM=; b=jq2lkcWdmOTv8Lyx6yvybZKderM4WXlS2x5SBBIvdhQC/Hadg0P/Asbj5KmjCOTFJW b/5r/M8+iPrJTWUBXb1TpZz1FSZE9Wh3YyzP9ty15mnJxMgQl+mm7WMRmhYiQZc1bFhD kE4RwvzkUp3hEXlMoBodJdAcAXdxgbK7pYOyo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=SkTc2vk73nmebVshjgjHKREV7i/15yy96aB46LsoBJM=; b=mHbZhrZijTfyMFf+rGSR4mwAhxALuG0WTDXG3+42mi4QpVxbgqzRE9jYXAaNzdT2Fr cX+E35oyyFl6z4MZGnIm/7QG/ZFvgvFi9gks93ZsyC2oUkYKry9Mjd2GmLMTvf1IT7gV rdCMa3oIYHFLliF9G/vNv7pDa+FTz8ms5RU6UFxmEe6XJdUAIF0vRuPWvEvDfsdHb8Ou 6sd/mJZ8uDJi3P26MWfy9Y8k+m0KoxLXs6mfj+REXaeHC5m0SdadMGrF10eEVn6EXoxN aMlJCOc9lrlPtGB22AZLCAXf0RZu0uxWSkRvlBsHwWDhtMSuDwVilKb3/fC0QEnLSI57 xFvA== X-Gm-Message-State: AOAM533YBJB0gy6PIcTI5P2jod5Un2Khy6slz92od+IwkOfggzchW2MG 2M/afCEu9qYaPReUfdUrtV2n+Q== X-Received: by 2002:aa7:9ad7:0:b029:160:948:44a6 with SMTP id x23-20020aa79ad70000b0290160094844a6mr4533190pfp.25.1603843611476; Tue, 27 Oct 2020 17:06:51 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id 21sm3688285pfw.36.2020.10.27.17.06.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 27 Oct 2020 17:06:50 -0700 (PDT) Date: Tue, 27 Oct 2020 17:06:49 -0700 From: Kees Cook To: Geert Uytterhoeven Cc: YiFei Zhu , containers@lists.linux-foundation.org, YiFei Zhu , bpf , Linux Kernel Mailing List , Aleksa Sarai , Andrea Arcangeli , Andy Lutomirski , Dimitrios Skarlatos , Giuseppe Scrivano , Hubertus Franke , Jack Chen , Jann Horn , Josep Torrellas , Tianyin Xu , Tobin Feldman-Fitzthum , Tycho Andersen , Valentin Rothberg , Will Drewry Subject: Re: [PATCH v2 seccomp 1/6] seccomp: Move config option SECCOMP to arch/Kconfig Message-ID: <202010271653.B6D7D6B@keescook> References: <9ede6ef35c847e58d61e476c6a39540520066613.1600951211.git.yifeifz2@illinois.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 27, 2020 at 10:52:39AM +0100, Geert Uytterhoeven wrote: > Hi Yifei, > > On Thu, Sep 24, 2020 at 2:48 PM YiFei Zhu wrote: > > From: YiFei Zhu > > > > In order to make adding configurable features into seccomp > > easier, it's better to have the options at one single location, > > considering easpecially that the bulk of seccomp code is > > arch-independent. An quick look also show that many SECCOMP > > descriptions are outdated; they talk about /proc rather than > > prctl. > > > > As a result of moving the config option and keeping it default > > on, architectures arm, arm64, csky, riscv, sh, and xtensa > > did not have SECCOMP on by default prior to this and SECCOMP will > > be default in this change. > > > > Architectures microblaze, mips, powerpc, s390, sh, and sparc > > have an outdated depend on PROC_FS and this dependency is removed > > in this change. > > > > Suggested-by: Jann Horn > > Link: https://lore.kernel.org/lkml/CAG48ez1YWz9cnp08UZgeieYRhHdqh-ch7aNwc4JRBnGyrmgfMg@mail.gmail.com/ > > Signed-off-by: YiFei Zhu > > Thanks for your patch. which is now commit 282a181b1a0d66de ("seccomp: > Move config option SECCOMP to arch/Kconfig") in v5.10-rc1. > > > --- a/arch/Kconfig > > +++ b/arch/Kconfig > > @@ -458,6 +462,23 @@ config HAVE_ARCH_SECCOMP_FILTER > > results in the system call being skipped immediately. > > - seccomp syscall wired up > > > > +config SECCOMP > > + def_bool y > > + depends on HAVE_ARCH_SECCOMP > > + prompt "Enable seccomp to safely compute untrusted bytecode" > > + help > > + This kernel feature is useful for number crunching applications > > + that may need to compute untrusted bytecode during their > > + execution. By using pipes or other transports made available to > > + the process as file descriptors supporting the read/write > > + syscalls, it's possible to isolate those applications in > > + their own address space using seccomp. Once seccomp is > > + enabled via prctl(PR_SET_SECCOMP), it cannot be disabled > > + and the task is only allowed to execute a few safe syscalls > > + defined by each seccomp mode. > > + > > + If unsure, say Y. Only embedded should say N here. > > + > > Please tell me why SECCOMP is special, and deserves to default to be > enabled. Is it really that critical, given only 13.5 (half of sparc > ;-) out of 24 > architectures implement support for it? That's an excellent point; I missed this in my review as I saw several Kconfig already marked "def_bool y" but failed to note it wasn't _all_ of them. Okay, checking before this patch, these had them effectively enabled: via Kconfig: parisc s390 um x86 via defconfig, roughly speaking: arm arm64 sh How about making the default depend on HAVE_ARCH_SECCOMP_FILTER? These have SECCOMP_FILTER support: arch/arm/Kconfig: select HAVE_ARCH_SECCOMP_FILTER if AEABI && !OABI_COMPAT arch/arm64/Kconfig: select HAVE_ARCH_SECCOMP_FILTER arch/csky/Kconfig: select HAVE_ARCH_SECCOMP_FILTER arch/mips/Kconfig: select HAVE_ARCH_SECCOMP_FILTER arch/parisc/Kconfig: select HAVE_ARCH_SECCOMP_FILTER arch/powerpc/Kconfig: select HAVE_ARCH_SECCOMP_FILTER arch/riscv/Kconfig: select HAVE_ARCH_SECCOMP_FILTER arch/s390/Kconfig: select HAVE_ARCH_SECCOMP_FILTER arch/sh/Kconfig: select HAVE_ARCH_SECCOMP_FILTER arch/um/Kconfig: select HAVE_ARCH_SECCOMP_FILTER arch/x86/Kconfig: select HAVE_ARCH_SECCOMP_FILTER arch/xtensa/Kconfig: select HAVE_ARCH_SECCOMP_FILTER So the "new" promotions would be: csky mips powerpc riscv xtensa Which would leave only these two: arch/microblaze/Kconfig: select HAVE_ARCH_SECCOMP arch/sparc/Kconfig: select HAVE_ARCH_SECCOMP if SPARC64 At this point, given the ubiquity of seccomp usage (e.g. systemd), I guess it's not unreasonable to make it def_bool y? I'm open to suggestions! -- Kees Cook