mirror of https://lore.kernel.org/lkml/
 help / color / mirror / Atom feed
From: Alexei Starovoitov <alexei.starovoitov@gmail.com>
To: Tycho Andersen <tycho.andersen@canonical.com>
Cc: Kees Cook <keescook@chromium.org>,
	Alexei Starovoitov <ast@kernel.org>,
	Will Drewry <wad@chromium.org>, Oleg Nesterov <oleg@redhat.com>,
	Andy Lutomirski <luto@amacapital.net>,
	Pavel Emelyanov <xemul@parallels.com>,
	"Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
	Daniel Borkmann <daniel@iogearbox.net>,
	LKML <linux-kernel@vger.kernel.org>,
	Network Development <netdev@vger.kernel.org>
Subject: Re: [PATCH 1/6] ebpf: add a seccomp program type
Date: Wed, 9 Sep 2015 09:07:45 -0700	[thread overview]
Message-ID: <20150909160744.GA3526@Alexeis-MBP-2.westell.com> (raw)
In-Reply-To: <20150909155035.GA26679@smitten>

On Wed, Sep 09, 2015 at 09:50:35AM -0600, Tycho Andersen wrote:
> > >
> > > That's effectively what this patch does; when the eBPF is loaded via
> > > bpf(), you tell bpf() you want a BPF_PROG_TYPE_SECCOMP, and it invokes
> > > this validation/translation code, i.e. it uses
> > > seccomp_is_valid_access() to check and make sure access are aligned
> > > and inside struct seccomp_data.
> > 
> > What about limiting the possible instructions?
> 
> I totally overlooked this. A quick glance through the eBPF verifier
> makes me think that we can just add another function to struct
> bpf_verifier_ops called valid_instruction, which shouldn't be too
> hard. Perhaps a more interesting question is what to allow:
> 
> BPF_LD(X) and BPF_ST(X): it looks like all types of stores are
>   allowed, and only BPF_MEM and BPF_IMM loads are allowed; I think
>   these can stay the same. BPF_XADD is new in eBPF, and I don't think
>   we need it for seccomp (yet), since we don't have any shared memory
>   via maps.
> 
> BPF_ALU: It looks like we're also not allowing regular BPF_ALU
>   instruction BPF_MOD; eBPF adds a few ones: BPF_MOV (register move),
>   BPF_ARSH (sign extended right shift), and BPF_END (endianness
>   conversion), wich I think should all be safe. In particular, we need
>   to allow BPF_MOV at least, since that's how the converter implements
>   BPF_MISC | BPF_TAX from classic.
> 
> BPF_ALU64: I think we can safely allow all these as above, since
>   they're just the 64-bit versions.
> 
> BPF_JMP: eBPF adds BPF_JNE, BPF_JSGT, BPF_JSGE, BPF_CALL, and
>   BPF_EXIT, which I think all should be safe (except maybe BPF_CALL
>   since we're not allowing functions really). Again we have to allow
>   one of the new eBPF codes, as the converter implements BPF_RET as
>   BPF_JMP | BPF_EXIT.
> 
> Thoughts?

Please do not add any per-instruction hacks. None of them are
necessary. Classic had to do extra ugly checks in seccomp only
because verifier wasn't flexible enough.
If you don't want to see any BPF_CALL in seccomp, just have
empty get_func_proto() callback for BPF_PROG_TYPE_SECCOMP
and verifier will reject all calls.
Currently we have only two non-generic instrucitons
LD_ABS and LD_IND that are avaialable for sockets/TC only,
because these are legacy instructions and we had to make
exceptions for them.


  reply	other threads:[~2015-09-09 16:07 UTC|newest]

Thread overview: 55+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-09-04 16:04 c/r of seccomp filters via underlying eBPF Tycho Andersen
2015-09-04 16:04 ` [PATCH 1/6] ebpf: add a seccomp program type Tycho Andersen
2015-09-04 20:17   ` Alexei Starovoitov
2015-09-04 21:09     ` Tycho Andersen
2015-09-04 20:34   ` Kees Cook
2015-09-04 21:06     ` Tycho Andersen
2015-09-04 21:08       ` Kees Cook
2015-09-09 15:50         ` Tycho Andersen
2015-09-09 16:07           ` Alexei Starovoitov [this message]
2015-09-09 16:09             ` Daniel Borkmann
2015-09-09 16:37               ` Kees Cook
2015-09-09 16:52                 ` Alexei Starovoitov
2015-09-09 17:27                   ` Kees Cook
2015-09-09 17:31                     ` Tycho Andersen
2015-09-09 16:07           ` Daniel Borkmann
2015-09-04 21:50   ` Andy Lutomirski
2015-09-09 16:13     ` Daniel Borkmann
2015-09-04 16:04 ` [PATCH 2/6] seccomp: make underlying bpf ref counted as well Tycho Andersen
2015-09-04 21:53   ` Andy Lutomirski
2015-09-04 16:04 ` [PATCH 3/6] ebpf: add a way to dump an eBPF program Tycho Andersen
2015-09-04 20:17   ` Kees Cook
2015-09-04 20:45     ` Tycho Andersen
2015-09-04 20:50       ` Kees Cook
2015-09-04 20:58         ` Alexei Starovoitov
2015-09-04 21:00           ` Tycho Andersen
2015-09-04 21:48       ` Andy Lutomirski
2015-09-04 22:28         ` Tycho Andersen
2015-09-04 23:08           ` Andy Lutomirski
2015-09-05  0:27             ` Tycho Andersen
2015-09-09 22:34               ` Tycho Andersen
2015-09-09 23:44                 ` Andy Lutomirski
2015-09-10  0:13                   ` Tycho Andersen
2015-09-10  0:44                     ` Andy Lutomirski
2015-09-10  0:58                       ` Tycho Andersen
2015-09-04 23:27           ` Kees Cook
2015-09-05  0:08             ` Andy Lutomirski
2015-09-04 20:27   ` Alexei Starovoitov
2015-09-04 20:42     ` Tycho Andersen
2015-09-04 16:04 ` [PATCH 4/6] seccomp: add a way to access filters via bpf fds Tycho Andersen
2015-09-04 20:26   ` Kees Cook
2015-09-04 20:29     ` Alexei Starovoitov
2015-09-04 20:58       ` Tycho Andersen
2015-09-04 16:04 ` [PATCH 5/6] seccomp: add a way to attach a filter via eBPF fd Tycho Andersen
2015-09-04 20:40   ` Alexei Starovoitov
2015-09-04 20:41   ` Kees Cook
2015-09-05  7:13     ` Michael Kerrisk (man-pages)
2015-09-08 13:40       ` Tycho Andersen
2015-09-09  0:07         ` Kees Cook
2015-09-09 14:47           ` Tycho Andersen
2015-09-09 15:14             ` Alexei Starovoitov
2015-09-09 15:55               ` Tycho Andersen
2015-09-04 16:04 ` [PATCH 6/6] ebpf: allow BPF_REG_X in src_reg conditional jumps Tycho Andersen
2015-09-04 21:06   ` Alexei Starovoitov
2015-09-04 22:43     ` Tycho Andersen
2015-09-05  4:12       ` Alexei Starovoitov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150909160744.GA3526@Alexeis-MBP-2.westell.com \
    --to=alexei.starovoitov@gmail.com \
    --cc=ast@kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=netdev@vger.kernel.org \
    --cc=oleg@redhat.com \
    --cc=serge.hallyn@ubuntu.com \
    --cc=tycho.andersen@canonical.com \
    --cc=wad@chromium.org \
    --cc=xemul@parallels.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Powered by JetHome