seccomp: Only dump core when single-threaded

Message ID	20170207231851.GA129818@beast (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-security-module-owner@kernel.org> Date: Tue, 7 Feb 2017 15:18:51 -0800 From: Kees Cook <keescook@chromium.org> To: James Morris <james.l.morris@oracle.com> Cc: Mike Frysinger <vapier@gentoo.org>, Paul Moore <paul@paul-moore.com>, Tyler Hicks <tyhicks@canonical.com>, Andrei Vagin <avagin@virtuozzo.com>, Andy Lutomirski <luto@amacapital.net>, Will Drewry <wad@chromium.org>, linux-security-module <linux-security-module@vger.kernel.org>, linux-kernel@vger.kernel.org Subject: [PATCH] seccomp: Only dump core when single-threaded Message-ID: <20170207231851.GA129818@beast> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk

Kees Cook Feb. 7, 2017, 11:18 p.m. UTC

The SECCOMP_RET_KILL filter return code has always killed the current
thread, not the entire process. Changing this as a side-effect of dumping
core isn't a safe thing to do (a few test suites have already flagged this
behavioral change). Instead, restore the RET_KILL semantics, but still
dump core when a RET_KILL delivers SIGSYS to a single-threaded process.

Fixes: b25e67161c29 ("seccomp: dump core when using SECCOMP_RET_KILL")
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 kernel/seccomp.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

Andrey Vagin Feb. 14, 2017, 6:37 a.m. UTC | #1

On Tue, Feb 07, 2017 at 03:18:51PM -0800, Kees Cook wrote:
> The SECCOMP_RET_KILL filter return code has always killed the current
> thread, not the entire process. Changing this as a side-effect of dumping
> core isn't a safe thing to do (a few test suites have already flagged this
> behavioral change). Instead, restore the RET_KILL semantics, but still
> dump core when a RET_KILL delivers SIGSYS to a single-threaded process.
> 
> Fixes: b25e67161c29 ("seccomp: dump core when using SECCOMP_RET_KILL")
> Signed-off-by: Kees Cook <keescook@chromium.org>

All CRIU tests passed with this patch. Thanks!

Acked-by: Andrei Vagin <avagin@virtuozzo.com>

> ---
>  kernel/seccomp.c | 13 ++++++++-----
>  1 file changed, 8 insertions(+), 5 deletions(-)
> 
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index f8f88ebcb3ba..e15185c28de5 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -643,11 +643,14 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd,
>  	default: {
>  		siginfo_t info;
>  		audit_seccomp(this_syscall, SIGSYS, action);
> -		/* Show the original registers in the dump. */
> -		syscall_rollback(current, task_pt_regs(current));
> -		/* Trigger a manual coredump since do_exit skips it. */
> -		seccomp_init_siginfo(&info, this_syscall, data);
> -		do_coredump(&info);
> +		/* Dump core only if this is the last remaining thread. */
> +		if (get_nr_threads(current) == 1) {
> +			/* Show the original registers in the dump. */
> +			syscall_rollback(current, task_pt_regs(current));
> +			/* Trigger a manual coredump since do_exit skips it. */
> +			seccomp_init_siginfo(&info, this_syscall, data);
> +			do_coredump(&info);
> +		}
>  		do_exit(SIGSYS);
>  	}
>  	}
> -- 
> 2.7.4
> 
> 
> -- 
> Kees Cook
> Pixel Security
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Kees Cook Feb. 14, 2017, 7:09 p.m. UTC | #2

On Mon, Feb 13, 2017 at 10:37 PM, Andrei Vagin <avagin@virtuozzo.com> wrote:
> On Tue, Feb 07, 2017 at 03:18:51PM -0800, Kees Cook wrote:
>> The SECCOMP_RET_KILL filter return code has always killed the current
>> thread, not the entire process. Changing this as a side-effect of dumping
>> core isn't a safe thing to do (a few test suites have already flagged this
>> behavioral change). Instead, restore the RET_KILL semantics, but still
>> dump core when a RET_KILL delivers SIGSYS to a single-threaded process.
>>
>> Fixes: b25e67161c29 ("seccomp: dump core when using SECCOMP_RET_KILL")
>> Signed-off-by: Kees Cook <keescook@chromium.org>
>
> All CRIU tests passed with this patch. Thanks!
>
> Acked-by: Andrei Vagin <avagin@virtuozzo.com>

Thanks for testing!

James, can you make sure this makes it into your -next tree for v4.11?

Thanks!

-Kees

>
>> ---
>>  kernel/seccomp.c | 13 ++++++++-----
>>  1 file changed, 8 insertions(+), 5 deletions(-)
>>
>> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
>> index f8f88ebcb3ba..e15185c28de5 100644
>> --- a/kernel/seccomp.c
>> +++ b/kernel/seccomp.c
>> @@ -643,11 +643,14 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd,
>>       default: {
>>               siginfo_t info;
>>               audit_seccomp(this_syscall, SIGSYS, action);
>> -             /* Show the original registers in the dump. */
>> -             syscall_rollback(current, task_pt_regs(current));
>> -             /* Trigger a manual coredump since do_exit skips it. */
>> -             seccomp_init_siginfo(&info, this_syscall, data);
>> -             do_coredump(&info);
>> +             /* Dump core only if this is the last remaining thread. */
>> +             if (get_nr_threads(current) == 1) {
>> +                     /* Show the original registers in the dump. */
>> +                     syscall_rollback(current, task_pt_regs(current));
>> +                     /* Trigger a manual coredump since do_exit skips it. */
>> +                     seccomp_init_siginfo(&info, this_syscall, data);
>> +                     do_coredump(&info);
>> +             }
>>               do_exit(SIGSYS);
>>       }
>>       }
>> --
>> 2.7.4
>>
>>
>> --
>> Kees Cook
>> Pixel Security

James Morris Feb. 14, 2017, 10:34 p.m. UTC | #3

On Tue, 14 Feb 2017, Kees Cook wrote:

> James, can you make sure this makes it into your -next tree for v4.11?

Queued for next at:

git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git#next-queue

Andrey Vagin Feb. 22, 2017, 11:35 p.m. UTC | #4

On Wed, Feb 15, 2017 at 09:34:35AM +1100, James Morris wrote:
> On Tue, 14 Feb 2017, Kees Cook wrote:
> 
> > James, can you make sure this makes it into your -next tree for v4.11?
> 
> Queued for next at:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git#next-queue

The  b25e67161c29 ("seccomp: dump core when using SECCOMP_RET_KILL") is
in the Linus' tree, but this patch isn't there yet. And I don't see it
event in linux-next.

Do you have any plan to push it into the linus' tree?

https://travis-ci.org/avagin/criu/builds/204341051

Thanks,
Andrei

> 
> -- 
> James Morris
> <jmorris@namei.org>
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Kees Cook Feb. 23, 2017, 12:01 a.m. UTC | #5

On Wed, Feb 22, 2017 at 3:35 PM, Andrei Vagin <avagin@virtuozzo.com> wrote:
> On Wed, Feb 15, 2017 at 09:34:35AM +1100, James Morris wrote:
>> On Tue, 14 Feb 2017, Kees Cook wrote:
>>
>> > James, can you make sure this makes it into your -next tree for v4.11?
>>
>> Queued for next at:
>>
>> git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git#next-queue
>
> The  b25e67161c29 ("seccomp: dump core when using SECCOMP_RET_KILL") is
> in the Linus' tree, but this patch isn't there yet. And I don't see it
> event in linux-next.
>
> Do you have any plan to push it into the linus' tree?
>
> https://travis-ci.org/avagin/criu/builds/204341051

Yup, I already called James's attention to this. He just sent a pull
request with the fix.

-Kees

seccomp: Only dump core when single-threaded

Commit Message

Comments

Patch