Re: [PATCH v10 09/12] arch/x86: enable task isolation functionality

[Chris Metcalf]

On 3/9/2016 4:07 PM, Andy Lutomirski wrote:
> On Wed, Mar 9, 2016 at 1:05 PM, Chris Metcalf <cmetcalf@xxxxxxxxxxxx> wrote:
> > On 3/9/2016 3:58 PM, Andy Lutomirski wrote:
> > > > My preference would be not to have to require all task-isolation users
> > > > > to also figure out all the complexities of creating BPF programs, so
> > > > > my intention is to have task isolation automatically generate a BPF
> > > > > program (just allowing prctl/exit/exit_group and failing everything
> > > > > else with SIGSYS).  To support having it work this way, I open up
> > > > > the seccomp stuff a little so that kernel clients can effectively
> > > > > push/pop a BPF program into seccomp:
> > > That sounds like a great use case for the new libtaskisolation that
> > > someone is surely writing:)
> >
> > Happily, task isolation is so simple an API that all that is needed is a
> > prctl().
> >
> > ... Unless somehow a requirement to inflict a huge blob of eBPF into the
> > kernel just to use task isolation safely is added, of course :-)
> BPF, not eBPF.  Also, it's a tiny blob.
>
> And this still has nothing to do with using it safely.  This has to do
> with catching your own bugs.

Fair enough, I suppose.  But I was exaggerating for effect: I still think that
this is something that can be easily hidden under the prctl() to avoid adding
a noticeable burden on users who want to be able to catch bugs.  (And
those bugs can come from third-party libraries in complex code; the amount
of code in a task-isolation driver is not always easily audited, so having this
kind of a backstop can be pretty useful.)

If you think the basic direction of the previous patch is sound, I'll spin
up the code that hooks it into task isolation, and we can see more directly
whether the tradeoff of a bit more code in the kernel seems worth it.

--
Chris Metcalf, Mellanox Technologies
http://www.mellanox.com