Re: [PATCH v2 2/2] rusage: allow 64-bit times ru_utime/ru_stime
From: Ingo Molnar
Date: Mon Jun 25 2018 - 05:14:50 EST
* Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:
> Ingo Molnar <mingo@xxxxxxxxxx> writes:
>
> > * Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:
> >
> >> The trouble with attributes is that means you can't filter your system
> >> call arguments with seccomp. [...]
> >
> > There's nothing keeping seccomp from securely fetching those arguments and
> > extending filtering to them as well ...
> >
> > Allowing that would make sense for a lot of other system calls as
> > well.
>
> Possibly. The challenge is that if the fetch for the kernel to use
> those arguments is different from the fetch of seccomp to test those
> arguments you have a time of test vs time of use race.
Those fetched values should obviously then be used to call permitted system calls.
> Given the location of the seccomp hook at the kernel user space border
> there is no easy way for seccomp to share the fetch with the system
> call itself.
>
> So I don't see how seccomp could perform the fetch securely.
Looks like more of a seccomp mis-design/mis-implementation than some fundamental
problem.
Mis-designed security features should not hinder system call design.
Thanks,
Ingo