public inbox for [email protected]
 help / color / mirror / Atom feed
From: Stefano Garzarella <[email protected]>
To: Kees Cook <[email protected]>
Cc: Pavel Begunkov <[email protected]>,
	Miklos Szeredi <[email protected]>,
	Matthew Wilcox <[email protected]>,
	Andy Lutomirski <[email protected]>,
	Jann Horn <[email protected]>,
	Christian Brauner <[email protected]>,
	[email protected], [email protected],
	Linux API <[email protected]>,
	[email protected], [email protected],
	Michael Kerrisk <[email protected]>,
	Stefan Hajnoczi <[email protected]>
Subject: Re: strace of io_uring events?
Date: Thu, 16 Jul 2020 15:14:04 +0200	[thread overview]
Message-ID: <20200716131404.bnzsaarooumrp3kx@steredhat> (raw)
In-Reply-To: <202007151511.2AA7718@keescook>

+Cc Stefan Hajnoczi

On Wed, Jul 15, 2020 at 04:07:00PM -0700, Kees Cook wrote:
> Earlier Andy Lutomirski wrote:
> > Let’s add some seccomp folks. We probably also want to be able to run
> > seccomp-like filters on io_uring requests. So maybe io_uring should call into
> > seccomp-and-tracing code for each action.
> 
> Okay, I'm finally able to spend time looking at this. And thank you to
> the many people that CCed me into this and earlier discussions (at least
> Jann, Christian, and Andy).
> 

[...]

> 
> Speaking to Stefano's proposal[1]:
> 
> - There appear to be three classes of desired restrictions:
>   - opcodes for io_uring_register() (which can be enforced entirely with
>     seccomp right now).
>   - opcodes from SQEs (this _could_ be intercepted by seccomp, but is
>     not currently written)
>   - opcodes of the types of restrictions to restrict... for making sure
>     things can't be changed after being set? seccomp already enforces
>     that kind of "can only be made stricter"

In addition we want to limit the SQEs to use only the registered fd and buffers.

> 
> - Credentials vs no_new_privs needs examination (more on this later)
> 
> So, I think, at least for restrictions, seccomp should absolutely be
> the place to get this work done. It already covers 2 of the 3 points in
> the proposal.

Thanks for your feedback, I just sent v2 before I read this e-mail.

Do you think it's better to have everything in seccomp instead of adding
the restrictions in io_uring (the patch isn't very big)?

With seccomp, would it be possible to have different restrictions for two
instances of io_uring in the same process?
I suppose it should be possible using BPF filters.

Thanks,
Stefano

> 
> Solving the mapping of seccomp interception types into CQEs (or anything
> more severe) will likely inform what it would mean to map ptrace events
> to CQEs. So, I think they're related, and we should get seccomp hooked
> up right away, and that might help us see how (if) ptrace should be
> attached.
> 
> Specifically for seccomp, I see at least the following design questions:
> 
> - How does no_new_privs play a role in the existing io_uring credential
>   management? Using _any_ kind of syscall-effective filtering, whether
>   it's seccomp or Stefano's existing proposal, needs to address the
>   potential inheritable restrictions across privilege boundaries (which is
>   what no_new_privs tries to eliminate). In regular syscall land, this is
>   an issue when a filter follows a process through setuid via execve()
>   and it gains privileges that now the filter-creator can trick into
>   doing weird stuff -- io_uring has a concept of alternative credentials
>   so I have to ask about it. (I don't *think* there would be a path to
>   install a filter before gaining privilege, but I likely just
>   need to do my homework on the io_uring internals. Regardless,
>   use of seccomp by io_uring would need to have this issue "solved"
>   in the sense that it must be "safe" to filter io_uring OPs, from a
>   privilege-boundary-crossing perspective.
> 
> - From which task perspective should filters be applied? It seems like it
>   needs to follow the io_uring personalities, as that contains the
>   credentials. (This email is a brain-dump so far -- I haven't gone to
>   look to see if that means io_uring is literally getting a reference to
>   struct cred; I assume so.) Seccomp filters are attached to task_struct.
>   However, for v5.9, seccomp will gain a more generalized get/put system
>   for having filters attached to the SECCOMP_RET_USER_NOTIF fd. Adding
>   more get/put-ers for some part of the io_uring context shouldn't
>   be hard.
> 
> - How should seccomp return values be applied? Three seem okay:
> 	SECCOMP_RET_ALLOW: do SQE action normally
> 	SECCOMP_RET_LOG: do SQE action, log via seccomp
> 	SECCOMP_RET_ERRNO: skip actions in SQE and pass errno to CQE
>   The rest not so much:
> 	SECCOMP_RET_TRAP: can't send SIGSYS anywhere sane?
> 	SECCOMP_RET_TRACE: no tracer, can't send SIGSYS?
> 	SECCOMP_RET_USER_NOTIF: can't do user_notif rewrites?
> 	SECCOMP_RET_KILL_THREAD: kill which thread?
> 	SECCOMP_RET_KILL_PROCESS: kill which thread group?
>   If TRAP, TRACE, and USER_NOTIF need to be "upgraded" to KILL_THREAD,
>   what does KILL_THREAD mean? Does it really mean "shut down the entire
>   SQ?" Does it mean kill the worker thread? Does KILL_PROCESS mean kill
>   all the tasks with an open mapping for the SQ?
> 
> Anyway, I'd love to hear what folks think, but given the very direct
> mapping from SQE OPs to syscalls, I really think seccomp needs to be
> inserted in here somewhere to maintain any kind of sensible reasoning
> about syscall filtering.
> 
> -Kees
> 
> [1] https://lore.kernel.org/lkml/[email protected]/
> 
> -- 
> Kees Cook
> 


  reply	other threads:[~2020-07-16 13:14 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-15 11:12 strace of io_uring events? Miklos Szeredi
2020-07-15 14:35 ` Andy Lutomirski
2020-07-15 17:11   ` Matthew Wilcox
2020-07-15 19:42     ` Pavel Begunkov
2020-07-15 20:09       ` Miklos Szeredi
2020-07-15 20:20         ` Pavel Begunkov
2020-07-15 23:07           ` Kees Cook
2020-07-16 13:14             ` Stefano Garzarella [this message]
2020-07-16 15:12               ` Kees Cook
2020-07-17  8:01                 ` Stefano Garzarella
2020-07-21 15:27                   ` Andy Lutomirski
2020-07-21 15:31                     ` Jens Axboe
2020-07-21 17:23                       ` Andy Lutomirski
2020-07-21 17:30                         ` Jens Axboe
2020-07-21 17:44                           ` Andy Lutomirski
2020-07-21 18:39                             ` Jens Axboe
2020-07-21 19:44                               ` Andy Lutomirski
2020-07-21 19:48                                 ` Jens Axboe
2020-07-21 19:56                                 ` Andres Freund
2020-07-21 19:37                         ` Andres Freund
2020-07-21 15:58                     ` Stefano Garzarella
2020-07-23 10:39                       ` Stefan Hajnoczi
2020-07-23 13:37                       ` Colin Walters
2020-07-24  7:25                         ` Stefano Garzarella
2020-07-16 13:17             ` Aleksa Sarai
2020-07-16 15:19               ` Kees Cook
2020-07-17  8:17               ` Cyril Hrubis
2020-07-16 16:24             ` Andy Lutomirski
2020-07-16  0:12     ` tytso

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200716131404.bnzsaarooumrp3kx@steredhat \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox