On Fri, Jul 11, 2014 at 12:36 PM, Paul Moore <pmoore(a)redhat.com> wrote:
Anyway, getting back to the idea I mentioned earlier ... as many of
you may
know, Kees (added to the CC line) is working on some seccomp filter
improvements which will result in a new seccomp syscall. Perhaps one way
forward is to preserve everything as it is currently with the prctl()
interface, but with the new seccomp() based interface we fixup x32 and use the
new AUDIT_ARCH_X32 token? It might result in a bit of ugliness in some of the
kernel, but I don't think it would be too bad, and I think it would address
both our concerns.
Adding AUDIT_ARCH_X32: yes please. (On that note, the comment "/* Both
x32 and x86_64 are considered "64-bit". */" should be changed...)
Just so I understand: currently x86_64 and x32 both present as
AUDIT_ARCH_X86_64. The x32 syscalls are seen as in a different range
(due to the set high bit).
The seccomp used in Chrome, Chrome OS, and vsftpd should all only do
whitelisting by both arch and syscall, so adding AUDIT_ARCH_X32
without setting __X32_SYSCALL_BIT would be totally fine (it would
catch the arch instead of the syscall). This sounds similar to how
libseccomp is doing things, so these should be fine.
The only project I know of doing blacklisting is lxc, and Eric's
example looks a lot like a discussion I saw with lxc and init_module.
:) So it sounds like we can get this right there.
I'd like to avoid carrying a delta on filter logic based on the prctl
vs syscall entry. Can we find any userspace filters being used that a
"correct" fix would break? (If so, then yes, we'll need to do this
proposed "via prctl or via syscall?" change.)
-Kees
--
Kees Cook
Chrome OS Security