ksummit.lists.linux.dev archive mirror
 help / color / mirror / Atom feed
From: Linus Torvalds <torvalds@linux-foundation.org>
To: Kees Cook <keescook@chromium.org>
Cc: ksummit <ksummit-discuss@lists.linuxfoundation.org>
Subject: Re: [Ksummit-discuss] [TECH TOPIC] seccomp feature development
Date: Wed, 20 May 2020 11:27:03 -0700	[thread overview]
Message-ID: <CAHk-=wierGOJZhzrj1+R18id-WdfmK=eWT9YfWdCfMvEO+jLLg@mail.gmail.com> (raw)
In-Reply-To: <202005201104.72FED15776@keescook>

On Wed, May 20, 2020 at 11:06 AM Kees Cook <keescook@chromium.org> wrote:
> We already have structs passed to syscalls that contain pointers to yet
> more structs.

Give real examples of where this matters for security, please, and
where somebody would want to control this.

Yes, we have things like clone3() that pass a struct with pointers to
user space (eg the wait location etc).

Yes, we have tons of things like ioctl's that have random struct
pointer arguments with random contents.

Yes, we have iovec's etc that have arrays of pointers to user space.

But no, none of these seem to be things that seccomp should care about.

So I am not in the least interested in some kind of general discussion
about system calls with "pointers to pointers". They exist. Deal with
it. It's not in the least an interesting issue, and no, we shouldn't
make seccomp and friends incredibly more complicated for it.

If you want to do sandboxing, you disallow those things entirely if
you don't trust them, or make the case-by-case argument for why they
don't matter.

If you want to do something fancier (special compat emulation using
seccomp and a ptrace fallback? I dunno) you are going to just have to
deal with it. It's not simple, but it's not the kernels problem. You
may have to emulate it *entirely* in the ptracer (ie instead of "check
the arguments and let it continue" you _actually_ emulate it to avoid
any races)

And if you have some actual and imminent real security issue, you
mention _that_ and explain _that_, and accept that maybe you need to
do that expensive emulation (because the kernel people just don't care
about your private hang-ups) or you need to explain why it's a real
issue and why the kernel should help with your odd special case.

Don't make this some kind of abstract conceptual problem thing.
Because it's not.

Some computer scientists think that everythinig should be really
generic and solutions that solve some problem for every possible case
are the only good solutions.

But those people are wrong. The thing that _really_ matters is the
details. Not the nebulous theory.

So details, please.

             Linus
_______________________________________________
Ksummit-discuss mailing list
Ksummit-discuss@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/ksummit-discuss

  parent reply	other threads:[~2020-05-20 18:27 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-05-20 16:17 Kees Cook
2020-05-20 16:31 ` Al Viro
2020-05-20 18:05   ` Kees Cook
2020-05-20 18:16     ` Al Viro
2020-05-20 18:27     ` Linus Torvalds [this message]
2020-05-20 19:04       ` Kees Cook
2020-05-20 19:08         ` Linus Torvalds
2020-05-20 20:24           ` Christian Brauner
2020-05-20 20:52             ` Kees Cook
2020-05-20 21:02               ` Christian Brauner
2020-05-22  4:06               ` Aleksa Sarai
2020-05-22  7:35                 ` Christian Brauner
2020-05-22 11:27                   ` Christian Brauner
2020-05-20 22:12         ` Alexei Starovoitov
2020-05-20 23:39           ` Kees Cook
2020-05-21  0:43             ` Alexei Starovoitov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAHk-=wierGOJZhzrj1+R18id-WdfmK=eWT9YfWdCfMvEO+jLLg@mail.gmail.com' \
    --to=torvalds@linux-foundation.org \
    --cc=keescook@chromium.org \
    --cc=ksummit-discuss@lists.linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox