Date: Tue, 5 Mar 2024 09:59:47 +0100
From: Christian Brauner
To: Kees Cook
Cc: Adrian Ratiu, linux-fsdevel@vger.kernel.org, kernel@collabora.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, Guenter Roeck, Doug Anderson, Jann Horn, Andrew Morton, Randy Dunlap, Mike Frysinger
Subject: Re: [PATCH v2] proc: allow restricting /proc/pid/mem writes
Message-ID: <20240305-attentat-robust-b0da8137b7df@brauner>
References: <20240301213442.198443-1-adrian.ratiu@collabora.com> <20240304-zugute-abtragen-d499556390b3@brauner> <202403040943.9545EBE5@keescook>
In-Reply-To: <202403040943.9545EBE5@keescook>

> > Uhm, this will break the seccomp notifier, no? So you can't turn on
> > SECURITY_PROC_MEM_RESTRICT_WRITE when you want to use the seccomp
> > notifier to do system call interception and rewrite memory locations of
> > the calling task, no? Which is very much relied upon in various
> > container managers and possibly other security tools.
> >
> > Which means that you can't turn this on in any of the regular distros.
>
> FWIW, it's a run-time toggle, but yes, let's make sure this works
> correctly.
>
> > So you need to either account for the calling task being a seccomp
> > supervisor for the task whose memory it is trying to access or you need
> > to provide a migration path by adding an api that lets callers perform
> > these writes through the seccomp notifier.
>
> How do seccomp supervisors that use USER_NOTIF do those kinds of
> memory writes currently? I thought they were actually using ptrace?
> Everything I'm familiar with is just using SECCOMP_IOCTL_NOTIF_ADDFD,
> and not doing fancy memory pokes.

For example, incus has a seccomp supervisor such that each container gets
its own goroutine that is responsible for handling system call
interception. If a container is started the container runtime connects to
an AF_UNIX socket to register with the seccomp supervisor. It stays
connected until it stops.

Every time a system call is performed that is registered in the seccomp
notifier filter the container runtime will send an AF_UNIX message to the
seccomp supervisor. This will include the following fds:

- the pidfd of the task that performed the system call (we should
  actually replace this with SO_PEERPIDFD now that we have that)
- the fd of the task's memory to /proc/<pid>/mem

The seccomp supervisor will then perform the system call interception
including the required memory reads and writes. There's no ptrace
involved. That was the whole point of the seccomp notifier. :)
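Added illustration of the handoff described in the message above (example code, not from the thread, from incus or from the kernel tree): the "task" side opens /proc/self/mem and passes the descriptor over an AF_UNIX socket with SCM_RIGHTS; the "supervisor" side then reads and rewrites a buffer in the task's address space using only pread()/pwrite() on that fd, with no ptrace. Both roles run inside one process so the example is self-contained; the pidfd that incus also sends is omitted, and the buffer contents are constructed for the demonstration. The pwrite() step is the operation a write restriction on /proc/pid/mem would cut off, which is why a supervisor holding such an fd needs either an exception or a notifier-side write API.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Pass one file descriptor over a connected AF_UNIX socket via SCM_RIGHTS.
 * A single payload byte is sent because ancillary data cannot travel alone. */
static int send_fd(int sock, int fd)
{
	char byte = 'M';
	struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
	union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
	struct msghdr msg = {
		.msg_iov = &iov, .msg_iovlen = 1,
		.msg_control = u.buf, .msg_controllen = sizeof u.buf,
	};
	struct cmsghdr *c;

	memset(&u, 0, sizeof u);
	c = CMSG_FIRSTHDR(&msg);
	c->cmsg_level = SOL_SOCKET;
	c->cmsg_type = SCM_RIGHTS;
	c->cmsg_len = CMSG_LEN(sizeof(int));
	memcpy(CMSG_DATA(c), &fd, sizeof(int));
	return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive exactly one SCM_RIGHTS descriptor; anything else is a protocol error. */
static int recv_fd(int sock)
{
	char byte;
	struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
	union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
	struct msghdr msg = {
		.msg_iov = &iov, .msg_iovlen = 1,
		.msg_control = u.buf, .msg_controllen = sizeof u.buf,
	};
	struct cmsghdr *c;
	int fd;

	if (recvmsg(sock, &msg, 0) != 1)
		return -1;
	c = CMSG_FIRSTHDR(&msg);
	if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
	    c->cmsg_len != CMSG_LEN(sizeof(int)))
		return -1;
	memcpy(&fd, CMSG_DATA(c), sizeof fd);
	return fd;
}

/* Task and supervisor in one process. Returns 0 on success, a distinct
 * negative code for each step that failed. */
int demo_mem_fd_handoff(void)
{
	/* Constructed sample: memory the supervisor inspects and rewrites while
	 * holding no pointer to it, only its address used as a file offset. */
	char target[16] = "hello, seccomp!";
	char readback[16];
	static const char patched[16] = "patched by sup.";
	const volatile char *vt = target;   /* volatile view: reload after the kernel writes */
	int sp[2], memfd, svfd, rc = 0;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0)
		return -1;

	/* Task side: open its own memory and hand the fd to the supervisor. */
	memfd = open("/proc/self/mem", O_RDWR | O_CLOEXEC);
	if (memfd < 0) { rc = -2; goto out_sp; }
	if (send_fd(sp[0], memfd) < 0) { rc = -3; goto out_mem; }

	/* Supervisor side: the received fd addresses the task's memory. */
	svfd = recv_fd(sp[1]);
	if (svfd < 0) { rc = -4; goto out_mem; }

	if (pread(svfd, readback, sizeof readback, (off_t)(uintptr_t)target) != (ssize_t)sizeof readback ||
	    memcmp(readback, target, sizeof readback) != 0) { rc = -5; goto out_sv; }

	/* The write path that a /proc/pid/mem write restriction would block. */
	if (pwrite(svfd, patched, sizeof patched, (off_t)(uintptr_t)target) != (ssize_t)sizeof patched) { rc = -6; goto out_sv; }

	for (size_t i = 0; i < sizeof patched; i++)
		if (vt[i] != patched[i]) { rc = -7; break; }

out_sv:
	close(svfd);
out_mem:
	close(memfd);
out_sp:
	close(sp[0]);
	close(sp[1]);
	return rc;
}

int main(void)
{
	int rc = demo_mem_fd_handoff();
	printf("mem fd handoff %s (%d)\n", rc == 0 ? "ok" : "failed", rc);
	return rc == 0 ? 0 : 1;
}
```

Build with `cc -Wall -o memfd_demo memfd_demo.c` and run it on a kernel with /proc mounted; a non-zero exit code identifies the step that failed (for example, -6 means the pwrite() to the passed mem fd was refused).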