Thread (15 messages) 15 messages, 2 authors, 2014-07-17

Re: [PATCH v11 11/11] seccomp: implement SECCOMP_FILTER_FLAG_TSYNC

From: Kees Cook <hidden>
Date: 2014-07-17 17:52:53
Also in: linux-arch, linux-arm-kernel, linux-mips, lkml 

On Thu, Jul 17, 2014 at 8:45 AM, Kees Cook [off-list ref] wrote:
On Thu, Jul 17, 2014 at 8:04 AM, David Drysdale [off-list ref] wrote:
quoted
On Wed, Jul 16, 2014 at 10:50 PM, Kees Cook [off-list ref] wrote:
quoted
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 9065d2c79c56..2125b83ccfd4 100644
+/**
+ * seccomp_can_sync_threads: checks if all threads can be synchronized
+ *
+ * Expects sighand and cred_guard_mutex locks to be held.
+ *
+ * Returns 0 on success, -ve on error, or the pid of a thread which was
+ * either not in the correct seccomp mode or it did not have an ancestral
+ * seccomp filter.
+ */
+static inline pid_t seccomp_can_sync_threads(void)
+{
+       struct task_struct *thread, *caller;
+
+       BUG_ON(!mutex_is_locked(&current->signal->cred_guard_mutex));
+       BUG_ON(!spin_is_locked(&current->sighand->siglock));
+
+       if (current->seccomp.mode != SECCOMP_MODE_FILTER)
+               return -EACCES;
Quick question -- is it possible to apply the first filter and also synchronize
it across threads in the same operation?  If so, does this arm also need to
cope with seccomp.mode being SECCOMP_MODE_DISABLED?

[seccomp_set_mode_filter() looks to call this via seccomp_attach_filter()
before it does seccomp_assign_mode()]
I don't entirely understand what you're asking. The threads gain the
filter and the mode before the current thread may gain the mode (if
it's the first time this has been called). Due to all the locks,
though, this isn't a problem. Is there a situation you see where there
might be a problem?
Just to follow up for posterity on lkml: the problem was that mode was
being set in "current" _after_ sync, so the mode check in can_sync
would fail if "current" was not yet in filter mode. (i.e. the first
attached filter could not have the TSYNC flag.) This check was
redundant with the attach_filter entry point checks, and protected
nothing, so it has been removed and a new test added to the seccomp
regression test suite. :)

I sent it as a new patch on top of v11, instead of respinning
everything as v12. If that's not preferred, I can send v12 with this
fix incorporated.

Thanks!

-Kees

-- 
Kees Cook
Chrome OS Security
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help