From: "Robert O'Callahan"
Date: Fri, 26 Jun 2020 11:14:56 +1200
Subject: Re: [PATCH RFC] seccomp: Implement syscall isolation based on memory areas
To: Gabriel Krisman Bertazi
Cc: Andy Lutomirski, Linux-MM, open list, kernel@collabora.com, Thomas Gleixner, Kees Cook, Will Drewry, "H . Peter Anvin", Paul Gofman
References: <20200530055953.817666-1-krisman@collabora.com> <85367hkl06.fsf@collabora.com>
In-Reply-To: <85367hkl06.fsf@collabora.com>

rr (https://rr-project.org, https://arxiv.org/abs/1705.05937) grapples with a similar problem. We need to intercept commonly-executed system calls and wrap them with our own processing, with minimal overhead. I think our basic approach might work for Wine without kernel changes.

We use SECCOMP_SET_MODE_FILTER with a simple filter that returns SECCOMP_RET_TRAP on all syscalls except for those called from a single specific trampoline page (which get SECCOMP_RET_ALLOW). rr ptraces its children. So, when user-space makes a syscall, the seccomp filter triggers a ptrace trap. The ptracer looks at the code around the syscall and if it matches certain common patterns, the ptracer patches the code with a jump to a stub that does extra work and issues a real syscall via the trampoline. Thus, each library syscall instruction is slow the first time and fast every subsequent time. "Weird" syscalls that the ptracer chooses not to patch do incur the context-switch penalty every time so their overhead does increase a lot ... but it sounds like that might be OK in Wine's case?

A more efficient variant of this approach which would work in some cases (but maybe not Wine?) would be to avoid using a ptracer and give the process a SIGSYS handler which does the patching.

Rob
-- 
Su ot deraeppa sah dna Rehtaf eht htiw saw hcihw, efil lanrete eht uoy ot mialcorp ew dna, ti ot yfitset dna ti nees evah ew; deraeppa efil eht. Efil fo Drow eht gninrecnoc mialcorp ew siht - dehcuot evah sdnah ruo dna ta dekool evah ew hcihw, seye ruo htiw nees evah ew hcihw, draeh evah ew hcihw, gninnigeb eht morf saw hcihw taht.
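
The filter described in the message above, as an added example that is not part of the original mail and is not rr's code: a classic-BPF seccomp program that returns SECCOMP_RET_ALLOW only when the reported instruction pointer lies in one trampoline page and SECCOMP_RET_TRAP otherwise. The trampoline address is constructed, a little-endian 64-bit target is assumed, and `decide` is a small user-space evaluator (an assumption of this example) standing in for the kernel so the decisions can be checked without installing the filter.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#define IP_OFF offsetof(struct seccomp_data, instruction_pointer)

/* ALLOW only when the reported instruction pointer falls in the 4 KiB page
 * at `page` (hypothetical trampoline address); TRAP everything else. */
static size_t build_trampoline_filter(struct sock_filter *f, uint64_t page)
{
    const struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, IP_OFF + 4),   /* A = high word */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)(page >> 32), 0, 4),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, IP_OFF),       /* A = low word */
        BPF_STMT(BPF_ALU | BPF_AND | BPF_K, ~0xfffu),     /* drop page offset */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)page & ~0xfffu, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
    };
    memcpy(f, prog, sizeof(prog));
    return sizeof(prog) / sizeof(prog[0]);
}

/* Evaluate the filter for a syscall reported at `ip`. Handles only the
 * opcodes used above; the kernel does this step once the filter is loaded. */
static uint32_t decide(const struct sock_filter *f, size_t n, uint64_t ip)
{
    struct seccomp_data sd = { .instruction_pointer = ip };
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; pc++) {
        switch (f[pc].code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&a, (const char *)&sd + f[pc].k, sizeof(a)); break;
        case BPF_ALU | BPF_AND | BPF_K: a &= f[pc].k; break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (a == f[pc].k) ? f[pc].jt : f[pc].jf; break;
        case BPF_RET | BPF_K: return f[pc].k;
        }
    }
    return SECCOMP_RET_KILL; /* no RET reached */
}

int main(void)
{
    struct sock_filter f[8];
    size_t n = build_trampoline_filter(f, 0x700000001000ULL); /* constructed */
    return decide(f, n, 0x700000001010ULL) == SECCOMP_RET_ALLOW ? 0 : 1;
}
```

To load the program for real, wrap the array in a `struct sock_fprog`, set `PR_SET_NO_NEW_PRIVS` with `prctl`, and pass it to `seccomp(SECCOMP_SET_MODE_FILTER, 0, &fprog)`. Masking the low word instead of range-comparing it keeps the check correct for a page at the top of a 4 GiB window, where `page + 4096` would wrap in 32 bits.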