Old 03-21-2012, 07:35 PM
Kees Cook
 
Default APPLIED: SECCOMP mode 2, BPF

On Wed, Mar 21, 2012 at 02:28:33PM -0600, Tim Gardner wrote:
> Applied for now pending Leann's opinion. I've made a first pass review.
> Some of it is a bit dense. I'll have another look tomorrow.

Thanks! I'm happy to field any questions about it, if that helps, and
if I can't answer them, I'm sure Will can.

-Kees

--
Kees Cook

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 03-22-2012, 12:07 PM
Tim Gardner
 
Default APPLIED: SECCOMP mode 2, BPF

On 03/21/2012 02:35 PM, Kees Cook wrote:
> On Wed, Mar 21, 2012 at 02:28:33PM -0600, Tim Gardner wrote:
>> Applied for now pending Leann's opinion. I've made a first pass review.
>> Some of it is a bit dense. I'll have another look tomorrow.
>
> Thanks! I'm happy to field any questions about it, if that helps, and
> if I can't answer them, I'm sure Will can.
>
> -Kees
>

So I guess it got uploaded. How about a quick description of how to
utilize the seccomp filter? Does the chromium browser detect and make
use of seccomp automatically? How can we test that it's doing what it's
supposed to?

In the meantime I guess I'll go read the seccomp patch to the
Documentation directory.

rtg
--
Tim Gardner tim.gardner@canonical.com

 
Old 03-22-2012, 05:43 PM
Will Drewry
 
Default APPLIED: SECCOMP mode 2, BPF

On Thu, Mar 22, 2012 at 8:07 AM, Tim Gardner <tim.gardner@canonical.com> wrote:
> On 03/21/2012 02:35 PM, Kees Cook wrote:
>> On Wed, Mar 21, 2012 at 02:28:33PM -0600, Tim Gardner wrote:
>>> Applied for now pending Leann's opinion. I've made a first pass review.
>>> Some of it is a bit dense. I'll have another look tomorrow.
>>
>> Thanks! I'm happy to field any questions about it, if that helps, and
>> if I can't answer them, I'm sure Will can.
>>
>> -Kees
>>
>
> So I guess it got uploaded. How about a quick description of how to
> utilize the seccomp filter?

Like this? Or more like a usecase or a code snippet?
~~
Seccomp filter allows a task to dynamically filter system calls for
itself and any subsequently spawned subtasks. The behavior is
expressed in terms of a Berkeley Packet Filter program which is passed
to the kernel using prctl(2).

BPF programs may be built using macros from <linux/filter.h> and
execute over the virtual data structure described in
<linux/seccomp.h>.

A filtered system call may be allowed to execute, denied with process
death, denied with an errno, denied with a SIGSYS signal, or passed to
an attached ptrace(2)er. The action is dictated by the return code
from the BPF program.
~~

There's also an effort we're not involved in to provide a pretty
full-featured library: http://sourceforge.net/projects/libseccomp/

We'll be pulling support into our minijail application, but right now
it lives in a sandbox branch.

> Does the chromium browser detect and make
> use of seccomp automatically?

Not yet, but it will. I postponed integrating the original
seccomp+ftrace sandbox once I realized it was doomed to be out-of-tree
forever. There'll likely be two seccomp sandboxes:
- generic seccomp bpf sandbox which will detect seccomp mode 2 support
  and optionally layer with the setuid sandbox
  (easiest way to detect is prctl(PR_SET_SECCOMP, 2, NULL) -> -EFAULT
  instead of -EINVAL)
- code.google.com/p/seccompsandbox extended to use seccomp bpf.
  markus@chromium.org will be working on this, but I'm not sure if it
  will go on by default later or not.

If all goes well, we should see the first one merge in less than six weeks.

> How can we test that it's doing what it's
> supposed to?

samples/seccomp provide some baseline examples. I'm out on vacation,
but I'll publish a small testsuite next week which I've been using to
test each rev. I just need to pretty-it-up a bit :/

> In the meantime I guess I'll go read the seccomp patch to the
> Documentation directory.

If the docs can be made more coherent, I'm more than happy to change them up.

thanks!
will

 
Old 03-23-2012, 05:14 AM
Kees Cook
 
Default APPLIED: SECCOMP mode 2, BPF

Hi,

On Thu, Mar 22, 2012 at 01:43:57PM -0500, Will Drewry wrote:
> On Thu, Mar 22, 2012 at 8:07 AM, Tim Gardner <tim.gardner@canonical.com> wrote:
> > On 03/21/2012 02:35 PM, Kees Cook wrote:
> >> On Wed, Mar 21, 2012 at 02:28:33PM -0600, Tim Gardner wrote:
> >>> Applied for now pending Leann's opinion. I've made a first pass review.
> >>> Some of it is a bit dense. I'll have another look tomorrow.
> >>
> >> Thanks! I'm happy to field any questions about it, if that helps, and
> >> if I can't answer them, I'm sure Will can.
> >
> > So I guess it got uploaded. How about a quick description of how to
> > utilize the seccomp filter?
> > [...]
> > In the meantime I guess I'll go read the seccomp patch to the
> > Documentation directory.
>
> If the docs can be made more coherent, I'm more than happy to change them up.

I've put together a little tutorial (with working code samples) on using
basic syscall filtering via seccomp filter here:

http://outflux.net/teach-seccomp/

-Kees

--
Kees Cook

 
Old 03-23-2012, 12:04 PM
Brad Figg
 
Default APPLIED: SECCOMP mode 2, BPF

On 03/22/2012 11:14 PM, Kees Cook wrote:
> Hi,
>
> On Thu, Mar 22, 2012 at 01:43:57PM -0500, Will Drewry wrote:
>> On Thu, Mar 22, 2012 at 8:07 AM, Tim Gardner <tim.gardner@canonical.com> wrote:
>>> On 03/21/2012 02:35 PM, Kees Cook wrote:
>>>> On Wed, Mar 21, 2012 at 02:28:33PM -0600, Tim Gardner wrote:
>>>>> Applied for now pending Leann's opinion. I've made a first pass review.
>>>>> Some of it is a bit dense. I'll have another look tomorrow.
>>>>
>>>> Thanks! I'm happy to field any questions about it, if that helps, and
>>>> if I can't answer them, I'm sure Will can.
>>>
>>> So I guess it got uploaded. How about a quick description of how to
>>> utilize the seccomp filter?
>>> [...]
>>> In the meantime I guess I'll go read the seccomp patch to the
>>> Documentation directory.
>>
>> If the docs can be made more coherent, I'm more than happy to change them up.
>
> I've put together a little tutorial (with working code samples) on using
> basic syscall filtering via seccomp filter here:
>
> http://outflux.net/teach-seccomp/
>
> -Kees
>

Kees,

You are familiar with our QRT (having implemented some of it). Do any of those
tests test the seccomp filter code to see if it's functioning properly? Any
thoughts on expanding those tests to test this area more thoroughly?

Brad
--
Brad Figg brad.figg@canonical.com http://www.canonical.com

 
Old 03-27-2012, 02:21 AM
Tim Gardner
 
Default APPLIED: SECCOMP mode 2, BPF

On 03/23/2012 12:14 AM, Kees Cook wrote:
>
> Hi,
>
> On Thu, Mar 22, 2012 at 01:43:57PM -0500, Will Drewry wrote:
>>
>> On Thu, Mar 22, 2012 at 8:07 AM, Tim Gardner <tim.gardner@canonical.com> wrote:
>>>
>>> On 03/21/2012 02:35 PM, Kees Cook wrote:
>>>>
>>>> On Wed, Mar 21, 2012 at 02:28:33PM -0600, Tim Gardner wrote:
>>>>>
>>>>> Applied for now pending Leann's opinion. I've made a first pass review.
>>>>> Some of it is a bit dense. I'll have another look tomorrow.
>>>>
>>>> Thanks! I'm happy to field any questions about it, if that helps, and
>>>> if I can't answer them, I'm sure Will can.
>>>
>>> So I guess it got uploaded. How about a quick description of how to
>>> utilize the seccomp filter?
>>> [...]
>>> In the meantime I guess I'll go read the seccomp patch to the
>>> Documentation directory.
>>
>> If the docs can be made more coherent, I'm more than happy to change them up.
>
> I've put together a little tutorial (with working code samples) on using
> basic syscall filtering via seccomp filter here:
>
> http://outflux.net/teach-seccomp/
>
> -Kees
>

Kees - I've read through your tutorial. Thanks by the way for that. With
regard to determining seccomp BPF functionality, do you think it's
sufficient to just test for one or two syscalls? That will at least
indicate that the seccomp subsystem is alive and functional. We could
almost just use your example program for that.


Is there benefit to performing an exhaustive syscall filter test, or are
all syscalls treated the same?


rtg

P.S. I know I should just go look at the code, but I'm feeling kinda
lazy tonight.

--
Tim Gardner tim.gardner@canonical.com

 
Old 03-27-2012, 10:02 PM
Will Drewry
 
Default APPLIED: SECCOMP mode 2, BPF

On Mon, Mar 26, 2012 at 9:21 PM, Tim Gardner <rtg.canonical@gmail.com> wrote:
> On 03/23/2012 12:14 AM, Kees Cook wrote:
>>
>> Hi,
>>
>> On Thu, Mar 22, 2012 at 01:43:57PM -0500, Will Drewry wrote:
>>>
>>> On Thu, Mar 22, 2012 at 8:07 AM, Tim Gardner <tim.gardner@canonical.com> wrote:
>>>>
>>>> On 03/21/2012 02:35 PM, Kees Cook wrote:
>>>>>
>>>>> On Wed, Mar 21, 2012 at 02:28:33PM -0600, Tim Gardner wrote:
>>>>>>
>>>>>> Applied for now pending Leann's opinion. I've made a first pass
>>>>>> review.
>>>>>> Some of it is a bit dense. I'll have another look tomorrow.
>>>>>
>>>>>
>>>>> Thanks! I'm happy to field any questions about it, if that helps, and
>>>>> if I can't answer them, I'm sure Will can.
>>>>
>>>>
>>>> So I guess it got uploaded. How about a quick description of how to
>>>> utilize the seccomp filter?
>>>> [...]
>>>> In the meantime I guess I'll go read the seccomp patch to the
>>>> Documentation directory.
>>>
>>>
>>> If the docs can be made more coherent, I'm more than happy to change them
>>> up.
>>
>>
>> I've put together a little tutorial (with working code samples) on using
>> basic syscall filtering via seccomp filter here:
>>
>> http://outflux.net/teach-seccomp/
>>
>> -Kees
>>
>
> Kees - I've read through your tutorial. Thanks by the way for that. With
> regard to determining seccomp BPF functionality, do you think it's sufficient
> to just test for one or two syscalls? That will at least indicate that the
> seccomp subsystem is alive and functional. We could almost just use your
> example program for that.

In general, I think that's enough. If you want, I finally finished
porting my organically developed tests into something a "little" bit
prettier and arch agnostic which might be useful:
https://github.com/redpig/seccomp/tree/master/tests

I believe all the tests will pass for the patch series merged, except
for one, where I tightened the mask on the return values (in a
to-be-posted v17). No userspace code ABI changes specifically, just
ensuring a hard cap on the highest BPF return value, so nothing scary


> Is there benefit to performing an exhaustive syscall filter test, or are all
> syscalls treated the same?

Yup - the BPF is basically just a userspace API for syscall-time use
of syscall_get_number and syscall_get_arguments, and syscall_get_arch.
So once you've grabbed one syscall number, you could've grabbed any
of them


The tests above don't explore all the argument edge cases,
architecture values, etc, but it covers a large amount of the ground
and fills in gaps where the kernel/samples/seccomp and Kees's tutorial
don't touch explicitly.

cheers!
will
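
The detection probe and the one-syscall smoke test discussed in this thread (Will Drewry's description of the filter and his prctl detection tip, and Tim Gardner's question about how much needs testing), as an added example that is not code from the thread, the kernel samples, or the linked tutorial. It assumes a Linux kernel with seccomp filter and no_new_privs support; the function names, the choice of getppid as the denied syscall, and the exit codes are choices made for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Thread's probe: NULL filter -> EFAULT if mode 2 exists, EINVAL if not. */
int seccomp_filter_supported(void)
{
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL) == -1 && errno == EFAULT;
}

/* Filters a forked child only. 0 = getppid denied with EPERM, getpid allowed. */
int seccomp_smoke_test(void)
{
    struct sock_filter insns[] = {
        /* A = seccomp_data.nr; production filters validate .arch first. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM), /* getppid */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),         /* the rest */
    };
    struct sock_fprog prog = { .len = sizeof(insns) / sizeof(insns[0]), .filter = insns };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Unprivileged tasks must set no_new_privs before installing a filter. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
            _exit(2); /* install failed */
        errno = 0;
        if (syscall(SYS_getppid) != -1 || errno != EPERM)
            _exit(3); /* filter did not deny getppid */
        _exit(syscall(SYS_getpid) > 0 ? 0 : 4); /* unrelated syscall must pass */
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    return seccomp_filter_supported() ? seccomp_smoke_test() : 77; /* 77 = skipped */
}
```

Because the filter is inherited by subtasks and cannot be removed, the test installs it in a child process and reports the result through the child's exit status.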

 