Re: [PATCH v3 1/2] kernel: Implement selective syscall userspace redirection

[Kees Cook]

On Sun, Jul 12, 2020 at 12:45:15AM -0400, Gabriel Krisman Bertazi wrote:
> Introduce a mechanism to quickly disable/enable syscall handling for a
> specific process and redirect to userspace via SIGSYS.  This is useful
> for processes with parts that require syscall redirection and parts that
> don't, but who need to perform this boundary crossing really fast,
> without paying the cost of a system call to reconfigure syscall handling
> on each boundary transition.  This is particularly important for Windows
> games running over Wine.
> 
> The proposed interface looks like this:
> 
>   prctl(PR_SET_SYSCALL_USER_DISPATCH, <op>, <start_addr>, <end_addr>, [selector])
> 
> The range [<start_addr>,<end_addr>] is a part of the process memory map
> that is allowed to by-pass the redirection code and dispatch syscalls
> directly, such that in fast paths a process doesn't need to disable the
> trap nor the kernel has to check the selector.  This is essential to
> return from SIGSYS to a blocked area without triggering another SIGSYS
> from rt_sigreturn.
> 
> selector is an optional pointer to a char-sized userspace memory region
> that has a key switch for the mechanism. This key switch is set to
> either PR_SYS_DISPATCH_ON, PR_SYS_DISPATCH_OFF to enable and disable the
> redirection without calling the kernel.
> 
> The feature is meant to be set per-thread and it is disabled on
> fork/clone/execv.
> 
> Internally, this doesn't add overhead to the syscall hot path, and it
> requires very little per-architecture support.  I avoided using seccomp,
> even though it duplicates some functionality, due to previous feedback
> that maybe it shouldn't mix with seccomp since it is not a security
> mechanism.  And obviously, this should never be considered a security
> mechanism, since any part of the program can by-pass it by using the
> syscall dispatcher.
> 
> For the sysinfo benchmark, which measures the overhead added to
> executing a native syscall that doesn't require interception, the
> overhead using only the direct dispatcher region to issue syscalls is
> pretty much irrelevant.  The overhead of using the selector goes around
> 40ns for a native (unredirected) syscall in my system, and it is (as
> expected) dominated by the supervisor-mode user-address access.  In
> fact, with SMAP off, the overhead is consistently less than 5ns on my
> test box.
> 
> Right now, it is only supported by x86_64 and x86, but it should be
> easily enabled for other architectures.
> 
> An example code using this interface can be found at:
>   https://gitlab.collabora.com/krisman/syscall-disable-personality
> 
> Changes since v2:
>   (Matthew Wilcox suggestions)
>   - Drop __user on non-ptr type.
>   - Move #define closer to similar defs
>   - Allow a memory region that can dispatch directly
>   (Kees Cook suggestions)
>   - Improve kconfig summary line
>   - Move flag cleanup on execve to begin_new_exec
>   - Hint branch predictor in the syscall path
>   (Me)
>   - Convert selector to char
> 
> Changes since RFC:
>   (Kees Cook suggestions)
>   - Don't mention personality while explaining the feature
>   - Use syscall_get_nr
>   - Remove header guard on several places
>   - Convert WARN_ON to WARN_ON_ONCE
>   - Explicit check for state values
>   - Rename to syscall user dispatcher
> 
> Cc: Matthew Wilcox <willy@xxxxxxxxxxxxx>
> Cc: Andy Lutomirski <luto@xxxxxxxxxx>
> Cc: Paul Gofman <gofmanp@xxxxxxxxx>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> Signed-off-by: Gabriel Krisman Bertazi <krisman@xxxxxxxxxxxxx>

I think this looks great. :)

Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>

Any other folks able to look through it?

-- 
Kees Cook