Re: [PATCH 5/7] seccomp_filter: Document what seccomp_filter isand how it works.

From: Steven Rostedt
Date: Wed May 04 2011 - 14:46:31 EST

Next message: Christoph Hellwig: "Re: [PATCH v3 0/3] data integrity: Stabilize pages during writebackfor ext4"
Previous message: H Hartley Sweeten: "RE: [PATCH 1/1] Staging: hv: Add the necessary dependencies tohyperv Kconfig"
In reply to: Frederic Weisbecker: "Re: [PATCH 5/7] seccomp_filter: Document what seccomp_filter isand how it works."
Next in thread: Will Drewry: "Re: [PATCH 5/7] seccomp_filter: Document what seccomp_filter is andhow it works."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 2011-05-04 at 20:30 +0200, Frederic Weisbecker wrote:
> On Wed, May 04, 2011 at 02:23:02PM -0400, Steven Rostedt wrote:
> > On Wed, 2011-05-04 at 19:52 +0200, Frederic Weisbecker wrote:
> >
> > > > It's certainly doable, but it will
> > > > mean that we may be logically storing something like:
> > > >
> > > > __NR_foo: (a == 1 || a == 2), applied
> > > > __NR_foo: b == 2, not applied
> > > > __NR_foo: c == 3, not applied
> > > >
> > > > after
> > > >
> > > > SECCOMP_FILTER_SET, __NR_foo, "a == 1 || a == 2"
> > > > SECCOMP_FILTER_APPLY
> > > > SECCOMP_FILTER_SET, __NR_foo, "b == 2"
> > > > SECCOMP_FILTER_SET, __NR_foo, "c == 3"
> > >
> > > No, the c == 3 would override b == 2.
> >
> > I honestly hate the "override" mode. I like that SETs are or'd among
> > each other and an APPLY is a "commit"; meaning that you can only limit
> > it further, but can not extend it (an explicit &&)
>
> I'm confused with what you just said...
>
> Somehow I could understand it that way:
>
> SECCOMP_FILTER_SET, __NR_foo, "a == 1"
> SECCOMP_FILTER_SET, __NR_foo, "a == 2"
> SECCOMP_FILTER_APPLY
> SECCOMP_FILTER_SET, __NR_foo, "b == 1"
>
> Would produce:
>
> "(a == 1 || a == 2) && b == 1"

No, it would produce:

(a == 1 || a == 2)

The b == 1 will not be added until the next apply.

>
> That makes a pretty confusing behaviour for users I think.

Not really, if it is documented well. Or we can call it:

SECCOMP_FILTER_SET_OR and SECCOMP_FILTER_APPLY_AND

to remove the ambiguity. The reason is actually quite simple. Before you
do an apply, you can modify it to whatever you want. But once you do an
apply, you just limited yourself. An apply can not be reversed.

>
> >
> > >
> > > > In that case, would a call to sys_foo even be tested against the
> > > > non-applied constraints of b==2 or c==3?
> > >
> > > No, not as long as it's not applied.
> > >
> > > > Or would the call to set "c
> > > > == 3" replace the "b == 2" entry. I'm not sure I see that the benefit
> > > > exceeds the ambiguity that might introduce.
> > >
> > > The rationale behind it is that as long as you haven't applied your filter,
> > > you should be able to override it.
> >
> > We need a "UNSET" (I like that better than DROP).
>
> What about a complete erase (RESET) of the temporary filter? Like I explained below
> from my previous mail.

What is a temporary filter? And a RESET could be there too to just
remove all sets that are pending.

I was thinking that we add "SETS" which the kernel can verify are
correct and let the user know at the time of the command if it is valid.
But these sets are not actually implemented until an APPLY is hit.

-- Steve

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Christoph Hellwig: "Re: [PATCH v3 0/3] data integrity: Stabilize pages during writebackfor ext4"
Previous message: H Hartley Sweeten: "RE: [PATCH 1/1] Staging: hv: Add the necessary dependencies tohyperv Kconfig"
In reply to: Frederic Weisbecker: "Re: [PATCH 5/7] seccomp_filter: Document what seccomp_filter isand how it works."
Next in thread: Will Drewry: "Re: [PATCH 5/7] seccomp_filter: Document what seccomp_filter is andhow it works."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]