Thread (39 messages), 9 authors, 2012-03-05

Re: [PATCH v12 07/13] seccomp: add SECCOMP_RET_ERRNO

From: Serge Hallyn <serge@hallyn.com>
Date: 2012-03-05 21:20:52
Also in: lkml, netdev

----- Original message -----
On Fri, Mar 2, 2012 at 12:24 PM, Serge E. Hallyn [off-list ref] wrote:
Quoting Will Drewry (wad@chromium.org):
This change adds the SECCOMP_RET_ERRNO as a valid return value from a
seccomp filter.  Additionally, it makes the first use of the lower
16 bits for storing a filter-supplied errno.  16 bits is more than
enough for the errno-base.h calls.

Returning errors instead of immediately terminating processes that
violate seccomp policy allows for broader use of this functionality
for kernel attack surface reduction.  For example, a linux container
could maintain a whitelist of pre-existing system calls but drop
all new ones with errnos.  This would keep a logically static attack
surface while providing errnos that may allow for graceful failure
without the downside of do_exit() on a bad call.

v12: - move to WARN_ON if filter is NULL
       (oleg@redhat.com, luto@mit.edu, keescook@chromium.org)
     - return immediately for filter==NULL (keescook@chromium.org)
     - change evaluation to only compare the ACTION so that layered
       errnos don't result in the lowest one being returned.
       (keescook@chromium.org)
v11: - check for NULL filter (keescook@chromium.org)
v10: - change loaders to fn
 v9: - n/a
 v8: - update Kconfig to note new need for syscall_set_return_value.
     - reordered such that TRAP behavior follows on later.
     - made the for loop a little less indent-y
 v7: - introduced

Reviewed-by: Kees Cook <redacted>
Signed-off-by: Will Drewry <wad@chromium.org>
Clever :)

Thanks, Will.

For patches 1-7,

Acked-by: Serge Hallyn <redacted>
Thanks!
The -1 return value from __secure_computing_int() seems like it
could stand a #define, like

#define SECCOMP_DONTRUN -1
#define SECCOMP_RUN 0

or something.  Maybe not, but -1 always scares me and I had to look back
and forth a few times to make sure it was doing what I would want.
Works for me.  The -1 just matches what syscall emulation, etc. does on
x86.  I'll add this to the tweaks for v14.

Thanks!
Well, in that case maybe it's not worth it.  Sounds
like ignorance on my part.

thanks,
-serge
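As an added illustration of the return-value layout and of the v12 change that compares only the ACTION field across layered filters (so layered errnos don't collapse to the numerically lowest one), here is a small C model; it is not the patch's code and not part of this thread. The constants are the values the seccomp filter ABI uses in linux/seccomp.h; the newest-first walk order is the kernel's, and the function names and sample verdicts are this example's own.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
/* Return-value layout of the seccomp filter ABI (values as merged upstream):
 * ACTION in the upper bits, filter data (the errno, for ERRNO) in the low 16. */
#define SECCOMP_RET_KILL   0x00000000U
#define SECCOMP_RET_ERRNO  0x00050000U
#define SECCOMP_RET_ALLOW  0x7fff0000U
#define SECCOMP_RET_ACTION 0x7fff0000U
#define SECCOMP_RET_DATA   0x0000ffffU

/* Value a filter returns to fail the syscall with errno `err`. */
static uint32_t seccomp_errno_ret(int err)
{
    return SECCOMP_RET_ERRNO | ((uint32_t)err & SECCOMP_RET_DATA);
}

/* Combine layered filter verdicts as the v12 note describes: compare only the
 * ACTION field, so one errno verdict never displaces another just because its
 * errno number is smaller. `rets` is ordered newest filter first (the kernel's
 * walk order); on equal actions the first verdict seen, the newest, is kept. */
static uint32_t seccomp_resolve(const uint32_t *rets, size_t n)
{
    uint32_t ret = SECCOMP_RET_ALLOW; /* no filter installed: allow */
    for (size_t i = 0; i < n; i++)
        if ((rets[i] & SECCOMP_RET_ACTION) < (ret & SECCOMP_RET_ACTION))
            ret = rets[i];
    return ret;
}

/* What the caller observes: 0 if allowed, -errno for ERRNO, -1 here as a
 * stand-in for verdicts that never return to the caller (KILL, TRAP). */
static int seccomp_syscall_result(uint32_t ret)
{
    switch (ret & SECCOMP_RET_ACTION) {
    case SECCOMP_RET_ALLOW: return 0;
    case SECCOMP_RET_ERRNO: return -(int)(ret & SECCOMP_RET_DATA);
    default:                return -1;
    }
}

int main(void)
{
    /* Constructed sample: newest filter denies with ENOSYS, an older one with
     * EPERM. Comparing whole values would pick EPERM; actions keep ENOSYS. */
    uint32_t layered[] = { seccomp_errno_ret(ENOSYS), seccomp_errno_ret(EPERM) };
    printf("layered errno verdicts -> %d (expected %d)\n",
           seccomp_syscall_result(seccomp_resolve(layered, 2)), -ENOSYS);
    return 0;
}
```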