[PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole
Ingo Molnar
mingo at elte.hu
Thu May 7 20:11:29 EST 2009
* Nicholas Miell <nmiell at comcast.net> wrote:
> On Wed, 2009-05-06 at 15:21 -0700, Markus Gutschke (顧孟勤) wrote:
> > On Wed, May 6, 2009 at 15:13, Ingo Molnar <mingo at elte.hu> wrote:
> > > doing a (per arch) bitmap of harmless syscalls and replacing the
> > > mode1_syscalls[] check with that in kernel/seccomp.c would be a
> > > pretty reasonable extension. (.config controllable perhaps, for
> > > old-style-seccomp)
> > >
> > > It would probably be faster than the current loop over
> > > mode1_syscalls[] as well.
> >
> > This would be a great option to improve performance of our sandbox. I
> > can detect the availability of the new kernel API dynamically, and
> > then not intercept the bulk of the system calls. This would allow the
> > sandbox to work both with existing and with newer kernels.
> >
> > We'll post a kernel patch for discussion in the next few days,
> >
>
> I suspect the correct thing to do would be to leave seccomp mode 1
> alone and introduce a mode 2 with a less restricted set of system
> calls -- the interface was designed to be extended in this way,
> after all.
Yes, that is what i alluded to above via the '.config controllable'
aspect.
Mode 2 could be implemented like this: extend prctl_set_seccomp()
with a bitmap pointer, and copy it to a per task seccomp context
structure.
a bitmap for 300 syscalls takes only about 40 bytes.
Please take care to implement nesting properly: if a seccomp context
does a seccomp call (which mode 2 could allow), then the resulting
bitmap should be the logical-AND of the parent and child bitmaps.
There's no reason why seccomp couldnt be used in hiearachy of
sandboxes, in a gradually less permissive fashion.
Ingo
More information about the Linuxppc-dev
mailing list