Re: [PATCH 1/3] syscall_user_dispatch: Allow allowed range wrap-around

From: Gregory Price
Date: Tue Feb 18 2025 - 13:00:42 EST

Next message: Rafael J. Wysocki: "Re: [PATCH v3] ACPI: platform-profile: Fix CFI violation when accessing sysfs files"
Previous message: Birger Koblitz: "[PATCH net-next] net: sfp: add quirk for 2.5G OEM BX SFP"
In reply to: Dmitry Vyukov: "Re: [PATCH 1/3] syscall_user_dispatch: Allow allowed range wrap-around"
Next in thread: Dmitry Vyukov: "Re: [PATCH 1/3] syscall_user_dispatch: Allow allowed range wrap-around"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Feb 18, 2025 at 06:34:34PM +0100, Dmitry Vyukov wrote:
> On Tue, 18 Feb 2025 at 17:58, Gregory Price <gourry@xxxxxxxxxx> wrote:
> > If the intent is to load and re-use a single foreign-OS library, this
> > change seems to be the question of "why not allow multiple ranges?",
> > and you'd be on your way to reimplementing seccomp or BPF.
>
> The problem with seccomp BPF is that the filter is inherited across
> fork/exec which can't be used with SIGSYS and fine-grained custom
> user-space policy. USER_DISPATCH is much more flexible in this regard.
>

It's also fundamentally not a security-sufficient interposition system.

> Re allocating resources outside of monitored bounds: this is exactly
> what syscall filtering is for, right :)

No. SUD's purpose is to catch foreign-OS syscall execution.

You *can* do hacky stuff like interposing on libc, but it you can do
hacky things with bpf too.

> If we install a filter on a library/sandbox, we can control and
> prevent it from allocating any more executable pages outside of the
> range.
>
> The motivation is sandboxing of libraries loaded within a known fixed
> address range, while non-sandboxed code can live on both sides of the
> sandboxed range (say, non-pie binary at lower addresses, and libc at
> higher addresses).

My question is why you aren't doing the opposite. Exempt the known good
ranges and hook everything else. This actually makes it easier to
ensure the software you're hooking doesn't escape interposition.

You can use the SIGSYS register data (instruction pointer) to determine
whether to act on the syscall or pass it through.

Like I said, I don't necessarily disagree with the change, just a bit
concerned about the direction this takes SUD. It's not a sufficient
interface to isolate the behavior of a single library, and this change
naturally begs the question "If we do this, why not implement an entire
multi-range filtering system? Why stop at one range?"

~Gregory

Next message: Rafael J. Wysocki: "Re: [PATCH v3] ACPI: platform-profile: Fix CFI violation when accessing sysfs files"
Previous message: Birger Koblitz: "[PATCH net-next] net: sfp: add quirk for 2.5G OEM BX SFP"
In reply to: Dmitry Vyukov: "Re: [PATCH 1/3] syscall_user_dispatch: Allow allowed range wrap-around"
Next in thread: Dmitry Vyukov: "Re: [PATCH 1/3] syscall_user_dispatch: Allow allowed range wrap-around"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]