Re: [PATCH v10 09/12] arch/x86: enable task isolation functionality

From: Chris Metcalf
Date: Wed Mar 09 2016 - 16:13:54 EST

On 3/9/2016 4:07 PM, Andy Lutomirski wrote:
On Wed, Mar 9, 2016 at 1:05 PM, Chris Metcalf <cmetcalf@xxxxxxxxxxxx> wrote:
On 3/9/2016 3:58 PM, Andy Lutomirski wrote:
My preference would be not to have to require all task-isolation users
to also figure out all the complexities of creating BPF programs, so
my intention is to have task isolation automatically generate a BPF
program (just allowing prctl/exit/exit_group and failing everything
else with SIGSYS). To support having it work this way, I open up
the seccomp stuff a little so that kernel clients can effectively
push/pop a BPF program into seccomp:
That sounds like a great use case for the new libtaskisolation that
someone is surely writing:)

Happily, task isolation is so simple an API that all that is needed is a

... Unless somehow a requirement to inflict a huge blob of eBPF into the
kernel just to use task isolation safely is added, of course :-)
BPF, not eBPF. Also, it's a tiny blob.

And this still has nothing to do with using it safely. This has to do
with catching your own bugs.

Fair enough, I suppose. But I was exaggerating for effect: I still think that
this is something that can be easily hidden under the prctl() to avoid adding
a noticeable burden on users who want to be able to catch bugs. (And
those bugs can come from third-party libraries in complex code; the amount
of code in a task-isolation driver is not always easily audited, so having this
kind of a backstop can be pretty useful.)

If you think the basic direction of the previous patch is sound, I'll spin
up the code that hooks it into task isolation, and we can see more directly
whether the tradeoff of a bit more code in the kernel seems worth it.

Chris Metcalf, Mellanox Technologies