Re: [PATCH] seccomp: dump core when using SECCOMP_RET_KILL

[Kees Cook]

On Thu, Jan 19, 2017 at 8:28 PM, Mike Frysinger <vapier@xxxxxxxxxx> wrote:
> From: Mike Frysinger <vapier@xxxxxxxxxxxx>
>
> The SECCOMP_RET_KILL mode is documented as immediately killing the
> process as if a SIGSYS had been sent and not caught (similar to a
> SIGKILL).  However, a SIGSYS is documented as triggering a coredump
> which does not happen today.
>
> This has the advantage of being able to more easily debug a process
> that fails a seccomp filter.  Today, most apps need to recompile and
> change their filter in order to get detailed info out, or manually run
> things through strace, or enable detailed kernel auditing.  Now we get
> coredumps that fit into existing system-wide crash reporting setups.
>
> From a security pov, this shouldn't be a problem.  Unhandled signals
> can already be sent externally which trigger a coredump independent of
> the status of the seccomp filter.  The act of dumping core itself does
> not cause change in execution of the program.
>
> URL: https://crbug.com/676357
> Signed-off-by: Mike Frysinger <vapier@xxxxxxxxxxxx>
> Acked-by: Jorge Lucangeli Obes <jorgelo@xxxxxxxxxxxx>

Yup, I think this is fine. The additional kernel code executed before
the do_exit() is relatively limited, and is equivalent to leaving
kill(self, SIGSEGV) exposed in a seccomp filter. Setting an RLIMIT is
also sufficient to block the core generation, so really paranoid
environments can still do that.

The forwarded ack stands:

Acked-by: Kees Cook <keescook@xxxxxxxxxxxx>

James, can you add this to your tree?

-Kees

-- 
Kees Cook
Nexus Security