Re: [PATCH v2 2/2] rusage: allow 64-bit times ru_utime/ru_stime

From: Ingo Molnar
Date: Mon Jun 25 2018 - 05:14:50 EST



* Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:

> Ingo Molnar <mingo@xxxxxxxxxx> writes:
>
> > * Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:
> >
> >> The trouble with attributes is that means you can't filter your system
> >> call arguments with seccomp. [...]
> >
> > There's nothing keeping seccomp from securely fetching those arguments and
> > extending filtering to them as well ...
> >
> > Allowing that would make sense for a lot of other system calls as
> > well.
>
> Possibly. The challenge is that if the fetch for the kernel to use
> those arguments is different from the fetch of seccomp to test those
> arguments you have a time of test vs time of use race.

Those fetched values should obviously then be used to call permitted system calls.

> Given the location of the seccomp hook at the kernel user space border
> there is no easy way for seccomp to share the fetch with the system
> call itself.
>
> So I don't see how seccomp could perform the fetch securely.

Looks like more of a seccomp mis-design/mis-implementation than some fundamental
problem.

Mis-designed security features should not hinder system call design.

Thanks,

Ingo