[v10,06/11] seccomp: add SECCOMP_RET_ERRNO

Message ID	1329845435-2313-6-git-send-email-wad@chromium.org
State	Not Applicable, archived
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> MIME-Version: 1.0 From: Will Drewry <wad@chromium.org> To: linux-kernel@vger.kernel.org Cc: linux-arch@vger.kernel.org, linux-doc@vger.kernel.org, kernel-hardening@lists.openwall.com, netdev@vger.kernel.org, x86@kernel.org, arnd@arndb.de, davem@davemloft.net, hpa@zytor.com, mingo@redhat.com, oleg@redhat.com, peterz@infradead.org, rdunlap@xenotime.net, mcgrathr@chromium.org, tglx@linutronix.de, luto@mit.edu, eparis@redhat.com, serge.hallyn@canonical.com, djm@mindrot.org, scarybeasts@gmail.com, indan@nul.nu, pmoore@redhat.com, akpm@linux-foundation.org, corbet@lwn.net, eric.dumazet@gmail.com, markus@chromium.org, keescook@chromium.org, Will Drewry <wad@chromium.org> Subject: [PATCH v10 06/11] seccomp: add SECCOMP_RET_ERRNO Date: Tue, 21 Feb 2012 11:30:30 -0600 Message-Id: <1329845435-2313-6-git-send-email-wad@chromium.org> In-Reply-To: <1329845435-2313-1-git-send-email-wad@chromium.org> References: <1329845435-2313-1-git-send-email-wad@chromium.org> Sender: netdev-owner@vger.kernel.org Precedence: bulk

Message ID

1329845435-2313-6-git-send-email-wad@chromium.org

State

Not Applicable, archived

Delegated to:

David Miller

Headers

MIME-Version: 1.0
From: Will Drewry <wad@chromium.org>
To: linux-kernel@vger.kernel.org
Cc: linux-arch@vger.kernel.org, linux-doc@vger.kernel.org,
	kernel-hardening@lists.openwall.com, netdev@vger.kernel.org,
	x86@kernel.org, arnd@arndb.de, davem@davemloft.net, hpa@zytor.com,
	mingo@redhat.com, oleg@redhat.com, peterz@infradead.org,
	rdunlap@xenotime.net, mcgrathr@chromium.org, tglx@linutronix.de,
	luto@mit.edu, eparis@redhat.com, serge.hallyn@canonical.com,
	djm@mindrot.org, scarybeasts@gmail.com, indan@nul.nu,
	pmoore@redhat.com, akpm@linux-foundation.org, corbet@lwn.net,
	eric.dumazet@gmail.com, markus@chromium.org, keescook@chromium.org,
	Will Drewry <wad@chromium.org>
Subject: [PATCH v10 06/11] seccomp: add SECCOMP_RET_ERRNO
Date: Tue, 21 Feb 2012 11:30:30 -0600
Message-Id: <1329845435-2313-6-git-send-email-wad@chromium.org>
In-Reply-To: <1329845435-2313-1-git-send-email-wad@chromium.org>
References: <1329845435-2313-1-git-send-email-wad@chromium.org>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Commit Message

Will Drewry Feb. 21, 2012, 5:30 p.m. UTC

This change adds the SECCOMP_RET_ERRNO as a valid return value from a
seccomp filter.  Additionally, it makes the first use of the lower
16-bits for storing a filter-supplied errno.  16-bits is more than
enough for the errno-base.h calls.

Returning errors instead of immediately terminating processes that
violate seccomp policy allow for broader use of this functionality
for kernel attack surface reduction.  For example, a linux container
could maintain a whitelist of pre-existing system calls but drop
all new ones with errnos.  This would keep a logically static attack
surface while providing errnos that may allow for graceful failure
without the downside of do_exit() on a bad call.

v10: - change loaders to fn
 v9: - n/a
 v8: - update Kconfig to note new need for syscall_set_return_value.
     - reordered such that TRAP behavior follows on later.
     - made the for loop a little less indent-y
 v7: - introduced

Signed-off-by: Will Drewry <wad@chromium.org>
---
 arch/Kconfig            |    6 ++++--
 include/linux/seccomp.h |   15 +++++++++++----
 kernel/seccomp.c        |   39 ++++++++++++++++++++++++++++-----------
 3 files changed, 43 insertions(+), 17 deletions(-)

Comments

Kees Cook Feb. 21, 2012, 10:41 p.m. UTC | #1

On Tue, Feb 21, 2012 at 11:30:30AM -0600, Will Drewry wrote:
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index 0043b7e..23f1844 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -136,22 +136,18 @@ static void *bpf_load(const void *nr, int off, unsigned int size, void *buf)
>  static u32 seccomp_run_filters(int syscall)
>  {
>  	struct seccomp_filter *f;
> -	u32 ret = SECCOMP_RET_KILL;
>  	static const struct bpf_load_fn fns = {
>  		bpf_load,
>  		sizeof(struct seccomp_data),
>  	};
> +	u32 ret = SECCOMP_RET_ALLOW;
>  	const void *sc_ptr = (const void *)(uintptr_t)syscall;
> -
>  	/*
>  	 * All filters are evaluated in order of youngest to oldest. The lowest
>  	 * BPF return value always takes priority.
>  	 */
> -	for (f = current->seccomp.filter; f; f = f->prev) {
> -		ret = bpf_run_filter(sc_ptr, f->insns, &fns);
> -		if (ret != SECCOMP_RET_ALLOW)
> -			break;
> -	}
> +	for (f = current->seccomp.filter; f; f = f->prev)
> +		ret = min_t(u32, ret, bpf_run_filter(sc_ptr, f->insns, &fns));
>  	return ret;
>  }

I'd like to see this fail closed in the (theoretically impossible, but
why risk it) case of there being no filters at all. Could do something
like this:

	u32 ret = current->seccomp.filter ? SECCOMP_RET_ALLOW : SECCOMP_RET_KILL;

Or, just this, to catch the misbehavior:

	if (unlikely(current->seccomp.filter == NULL))
		return SECCOMP_RET_KILL;

-Kees

Will Drewry Feb. 21, 2012, 10:48 p.m. UTC | #2

On Tue, Feb 21, 2012 at 4:41 PM, Kees Cook <keescook@chromium.org> wrote:
> On Tue, Feb 21, 2012 at 11:30:30AM -0600, Will Drewry wrote:
>> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
>> index 0043b7e..23f1844 100644
>> --- a/kernel/seccomp.c
>> +++ b/kernel/seccomp.c
>> @@ -136,22 +136,18 @@ static void *bpf_load(const void *nr, int off, unsigned int size, void *buf)
>>  static u32 seccomp_run_filters(int syscall)
>>  {
>>       struct seccomp_filter *f;
>> -     u32 ret = SECCOMP_RET_KILL;
>>       static const struct bpf_load_fn fns = {
>>               bpf_load,
>>               sizeof(struct seccomp_data),
>>       };
>> +     u32 ret = SECCOMP_RET_ALLOW;
>>       const void *sc_ptr = (const void *)(uintptr_t)syscall;
>> -
>>       /*
>>        * All filters are evaluated in order of youngest to oldest. The lowest
>>        * BPF return value always takes priority.
>>        */
>> -     for (f = current->seccomp.filter; f; f = f->prev) {
>> -             ret = bpf_run_filter(sc_ptr, f->insns, &fns);
>> -             if (ret != SECCOMP_RET_ALLOW)
>> -                     break;
>> -     }
>> +     for (f = current->seccomp.filter; f; f = f->prev)
>> +             ret = min_t(u32, ret, bpf_run_filter(sc_ptr, f->insns, &fns));
>>       return ret;
>>  }
>
> I'd like to see this fail closed in the (theoretically impossible, but
> why risk it) case of there being no filters at all. Could do something
> like this:
>
>        u32 ret = current->seccomp.filter ? SECCOMP_RET_ALLOW : SECCOMP_RET_KILL;
>
> Or, just this, to catch the misbehavior:
>
>        if (unlikely(current->seccomp.filter == NULL))
>                return SECCOMP_RET_KILL;

I think the last one makes the most sense to me.  I'll add it and rev the patch.

thanks!
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/arch/Kconfig b/arch/Kconfig
index 8150fa2..aa00571 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -203,8 +203,10 @@  config HAVE_ARCH_SECCOMP_FILTER
 	bool
 	help
 	  This symbol should be selected by an architecure if it provides
-	  asm/syscall.h, specifically syscall_get_arguments() and
-	  syscall_get_arch().
+	  asm/syscall.h, specifically syscall_get_arguments(),
+	  syscall_get_arch(), and syscall_set_return_value().  Additionally,
+	  its system call entry path must respect a return value of -1 from
+	  __secure_computing_int() and/or secure_computing().
 
 config SECCOMP_FILTER
 	def_bool y
diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h
index 001f883..54ecb61 100644
--- a/include/linux/seccomp.h
+++ b/include/linux/seccomp.h
@@ -12,13 +12,14 @@ 
 
 /*
  * BPF programs may return a 32-bit value.
- * The bottom 16-bits are reserved for future use.
+ * The bottom 16-bits are for optional related return data.
  * The upper 16-bits are ordered from least permissive values to most.
  *
  * The ordering ensures that a min_t() over composed return values always
  * selects the least permissive choice.
  */
 #define SECCOMP_RET_KILL	0x00000000U /* kill the task immediately */
+#define SECCOMP_RET_ERRNO	0x00030000U /* returns an errno */
 #define SECCOMP_RET_ALLOW	0x7fff0000U /* allow */
 
 /* Masks for the return value sections. */
@@ -64,11 +65,17 @@  struct seccomp {
 	struct seccomp_filter *filter;
 };
 
-extern void __secure_computing(int);
-static inline void secure_computing(int this_syscall)
+/*
+ * Direct callers to __secure_computing should be updated as
+ * CONFIG_HAVE_ARCH_SECCOMP_FILTER propagates.
+ */
+extern void __secure_computing(int) __deprecated;
+extern int __secure_computing_int(int);
+static inline int secure_computing(int this_syscall)
 {
 	if (unlikely(test_thread_flag(TIF_SECCOMP)))
-		__secure_computing(this_syscall);
+		return  __secure_computing_int(this_syscall);
+	return 0;
 }
 
 extern long prctl_get_seccomp(void);
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 0043b7e..23f1844 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -136,22 +136,18 @@  static void *bpf_load(const void *nr, int off, unsigned int size, void *buf)
 static u32 seccomp_run_filters(int syscall)
 {
 	struct seccomp_filter *f;
-	u32 ret = SECCOMP_RET_KILL;
 	static const struct bpf_load_fn fns = {
 		bpf_load,
 		sizeof(struct seccomp_data),
 	};
+	u32 ret = SECCOMP_RET_ALLOW;
 	const void *sc_ptr = (const void *)(uintptr_t)syscall;
-
 	/*
 	 * All filters are evaluated in order of youngest to oldest. The lowest
 	 * BPF return value always takes priority.
 	 */
-	for (f = current->seccomp.filter; f; f = f->prev) {
-		ret = bpf_run_filter(sc_ptr, f->insns, &fns);
-		if (ret != SECCOMP_RET_ALLOW)
-			break;
-	}
+	for (f = current->seccomp.filter; f; f = f->prev)
+		ret = min_t(u32, ret, bpf_run_filter(sc_ptr, f->insns, &fns));
 	return ret;
 }
 
@@ -304,6 +300,13 @@  static int mode1_syscalls_32[] = {
 
 void __secure_computing(int this_syscall)
 {
+	/* Filter calls should never use this function. */
+	BUG_ON(current->seccomp.mode == SECCOMP_MODE_FILTER);
+	__secure_computing_int(this_syscall);
+}
+
+int __secure_computing_int(int this_syscall)
+{
 	int mode = current->seccomp.mode;
 	int *syscall;
 
@@ -316,15 +319,28 @@  void __secure_computing(int this_syscall)
 #endif
 		do {
 			if (*syscall == this_syscall)
-				return;
+				return 0;
 		} while (*++syscall);
 		break;
 #ifdef CONFIG_SECCOMP_FILTER
-	case SECCOMP_MODE_FILTER:
-		if (seccomp_run_filters(this_syscall) == SECCOMP_RET_ALLOW)
-			return;
+	case SECCOMP_MODE_FILTER: {
+		u32 action = seccomp_run_filters(this_syscall);
+		switch (action & SECCOMP_RET_ACTION) {
+		case SECCOMP_RET_ERRNO:
+			/* Set the low-order 16-bits as a errno. */
+			syscall_set_return_value(current, task_pt_regs(current),
+						 -(action & SECCOMP_RET_DATA),
+						 0);
+			return -1;
+		case SECCOMP_RET_ALLOW:
+			return 0;
+		case SECCOMP_RET_KILL:
+		default:
+			break;
+		}
 		seccomp_filter_log_failure(this_syscall);
 		break;
+	}
 #endif
 	default:
 		BUG();
@@ -335,6 +351,7 @@  void __secure_computing(int this_syscall)
 #endif
 	audit_seccomp(this_syscall);
 	do_exit(SIGKILL);
+	return -1;	/* never reached */
 }
 
 long prctl_get_seccomp(void)

[v10,06/11] seccomp: add SECCOMP_RET_ERRNO

Commit Message

Comments

Patch