From: Alexei Starovoitov <alexei.starovoitov@gmail.com>
To: Tycho Andersen <tycho.andersen@canonical.com>
Cc: Kees Cook <keescook@chromium.org>,
Alexei Starovoitov <ast@kernel.org>,
Will Drewry <wad@chromium.org>, Oleg Nesterov <oleg@redhat.com>,
Andy Lutomirski <luto@amacapital.net>,
Pavel Emelyanov <xemul@parallels.com>,
"Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
Daniel Borkmann <daniel@iogearbox.net>,
LKML <linux-kernel@vger.kernel.org>,
Network Development <netdev@vger.kernel.org>
Subject: Re: [PATCH 1/6] ebpf: add a seccomp program type
Date: Wed, 9 Sep 2015 09:07:45 -0700 [thread overview]
Message-ID: <20150909160744.GA3526@Alexeis-MBP-2.westell.com> (raw)
In-Reply-To: <20150909155035.GA26679@smitten>
On Wed, Sep 09, 2015 at 09:50:35AM -0600, Tycho Andersen wrote:
> > >
> > > That's effectively what this patch does; when the eBPF is loaded via
> > > bpf(), you tell bpf() you want a BPF_PROG_TYPE_SECCOMP, and it invokes
> > > this validation/translation code, i.e. it uses
> > > seccomp_is_valid_access() to check and make sure access are aligned
> > > and inside struct seccomp_data.
> >
> > What about limiting the possible instructions?
>
> I totally overlooked this. A quick glance through the eBPF verifier
> makes me think that we can just add another function to struct
> bpf_verifier_ops called valid_instruction, which shouldn't be too
> hard. Perhaps a more interesting question is what to allow:
>
> BPF_LD(X) and BPF_ST(X): it looks like all types of stores are
> allowed, and only BPF_MEM and BPF_IMM loads are allowed; I think
> these can stay the same. BPF_XADD is new in eBPF, and I don't think
> we need it for seccomp (yet), since we don't have any shared memory
> via maps.
>
> BPF_ALU: It looks like we're also not allowing regular BPF_ALU
> instruction BPF_MOD; eBPF adds a few ones: BPF_MOV (register move),
> BPF_ARSH (sign extended right shift), and BPF_END (endianness
> conversion), wich I think should all be safe. In particular, we need
> to allow BPF_MOV at least, since that's how the converter implements
> BPF_MISC | BPF_TAX from classic.
>
> BPF_ALU64: I think we can safely allow all these as above, since
> they're just the 64-bit versions.
>
> BPF_JMP: eBPF adds BPF_JNE, BPF_JSGT, BPF_JSGE, BPF_CALL, and
> BPF_EXIT, which I think all should be safe (except maybe BPF_CALL
> since we're not allowing functions really). Again we have to allow
> one of the new eBPF codes, as the converter implements BPF_RET as
> BPF_JMP | BPF_EXIT.
>
> Thoughts?
Please do not add any per-instruction hacks. None of them are
necessary. Classic had to do extra ugly checks in seccomp only
because verifier wasn't flexible enough.
If you don't want to see any BPF_CALL in seccomp, just have
empty get_func_proto() callback for BPF_PROG_TYPE_SECCOMP
and verifier will reject all calls.
Currently we have only two non-generic instrucitons
LD_ABS and LD_IND that are avaialable for sockets/TC only,
because these are legacy instructions and we had to make
exceptions for them.
next prev parent reply other threads:[~2015-09-09 16:07 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-04 16:04 c/r of seccomp filters via underlying eBPF Tycho Andersen
2015-09-04 16:04 ` [PATCH 1/6] ebpf: add a seccomp program type Tycho Andersen
2015-09-04 20:17 ` Alexei Starovoitov
2015-09-04 21:09 ` Tycho Andersen
2015-09-04 20:34 ` Kees Cook
2015-09-04 21:06 ` Tycho Andersen
2015-09-04 21:08 ` Kees Cook
2015-09-09 15:50 ` Tycho Andersen
2015-09-09 16:07 ` Alexei Starovoitov [this message]
2015-09-09 16:09 ` Daniel Borkmann
2015-09-09 16:37 ` Kees Cook
2015-09-09 16:52 ` Alexei Starovoitov
2015-09-09 17:27 ` Kees Cook
2015-09-09 17:31 ` Tycho Andersen
2015-09-09 16:07 ` Daniel Borkmann
2015-09-04 21:50 ` Andy Lutomirski
2015-09-09 16:13 ` Daniel Borkmann
2015-09-04 16:04 ` [PATCH 2/6] seccomp: make underlying bpf ref counted as well Tycho Andersen
2015-09-04 21:53 ` Andy Lutomirski
2015-09-04 16:04 ` [PATCH 3/6] ebpf: add a way to dump an eBPF program Tycho Andersen
2015-09-04 20:17 ` Kees Cook
2015-09-04 20:45 ` Tycho Andersen
2015-09-04 20:50 ` Kees Cook
2015-09-04 20:58 ` Alexei Starovoitov
2015-09-04 21:00 ` Tycho Andersen
2015-09-04 21:48 ` Andy Lutomirski
2015-09-04 22:28 ` Tycho Andersen
2015-09-04 23:08 ` Andy Lutomirski
2015-09-05 0:27 ` Tycho Andersen
2015-09-09 22:34 ` Tycho Andersen
2015-09-09 23:44 ` Andy Lutomirski
2015-09-10 0:13 ` Tycho Andersen
2015-09-10 0:44 ` Andy Lutomirski
2015-09-10 0:58 ` Tycho Andersen
2015-09-04 23:27 ` Kees Cook
2015-09-05 0:08 ` Andy Lutomirski
2015-09-04 20:27 ` Alexei Starovoitov
2015-09-04 20:42 ` Tycho Andersen
2015-09-04 16:04 ` [PATCH 4/6] seccomp: add a way to access filters via bpf fds Tycho Andersen
2015-09-04 20:26 ` Kees Cook
2015-09-04 20:29 ` Alexei Starovoitov
2015-09-04 20:58 ` Tycho Andersen
2015-09-04 16:04 ` [PATCH 5/6] seccomp: add a way to attach a filter via eBPF fd Tycho Andersen
2015-09-04 20:40 ` Alexei Starovoitov
2015-09-04 20:41 ` Kees Cook
2015-09-05 7:13 ` Michael Kerrisk (man-pages)
2015-09-08 13:40 ` Tycho Andersen
2015-09-09 0:07 ` Kees Cook
2015-09-09 14:47 ` Tycho Andersen
2015-09-09 15:14 ` Alexei Starovoitov
2015-09-09 15:55 ` Tycho Andersen
2015-09-04 16:04 ` [PATCH 6/6] ebpf: allow BPF_REG_X in src_reg conditional jumps Tycho Andersen
2015-09-04 21:06 ` Alexei Starovoitov
2015-09-04 22:43 ` Tycho Andersen
2015-09-05 4:12 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150909160744.GA3526@Alexeis-MBP-2.westell.com \
--to=alexei.starovoitov@gmail.com \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=netdev@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=serge.hallyn@ubuntu.com \
--cc=tycho.andersen@canonical.com \
--cc=wad@chromium.org \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Powered by JetHome