Linux-Fsdevel Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Andy Lutomirski <luto@kernel.org>
To: Kees Cook <keescook@chromium.org>
Cc: Pavel Begunkov <asml.silence@gmail.com>,
	Miklos Szeredi <miklos@szeredi.hu>,
	Matthew Wilcox <willy@infradead.org>,
	Jann Horn <jannh@google.com>,
	Stefano Garzarella <sgarzare@redhat.com>,
	Christian Brauner <christian.brauner@ubuntu.com>,
	strace-devel@lists.strace.io, io-uring@vger.kernel.org,
	Linux API <linux-api@vger.kernel.org>,
	Linux FS Devel <linux-fsdevel@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Michael Kerrisk <mtk.manpages@gmail.com>
Subject: Re: strace of io_uring events?
Date: Thu, 16 Jul 2020 09:24:48 -0700	[thread overview]
Message-ID: <CALCETrVD1hTc5QDL5=DNkLSS5Qu_AuEC-QZQAuZY0tCP1giMwQ@mail.gmail.com> (raw)
In-Reply-To: <202007151511.2AA7718@keescook>

> On Jul 15, 2020, at 4:07 PM, Kees Cook <keescook@chromium.org> wrote:
>
> Earlier Andy Lutomirski wrote:
>> Let’s add some seccomp folks. We probably also want to be able to run
>> seccomp-like filters on io_uring requests. So maybe io_uring should call into
>> seccomp-and-tracing code for each action.
>
> Okay, I'm finally able to spend time looking at this. And thank you to
> the many people that CCed me into this and earlier discussions (at least
> Jann, Christian, and Andy).
>
> It *seems* like there is a really clean mapping of SQE OPs to syscalls.
> To that end, yes, it should be trivial to add ptrace and seccomp support
> (sort of). The trouble comes for doing _interception_, which is how both
> ptrace and seccomp are designed.
>
> In the basic case of seccomp, various syscalls are just being checked
> for accept/reject. It seems like that would be easy to wire up. For the
> more ptrace-y things (SECCOMP_RET_TRAP, SECCOMP_RET_USER_NOTIF, etc),
> I think any such results would need to be "upgraded" to "reject". Things
> are a bit complex in that seccomp's form of "reject" can be "return
> errno" (easy) or it can be "kill thread (or thread_group)" which ...
> becomes less clear. (More on this later.)

My intuition is not to do this kind of creative reinterpretation of
return values. Instead let’s have a new type of seccomp filter
specifically for io_uring. So we can have SECCOMP_IO_URING_ACCEPT,
ERRNO, and eventually other things. We probably will want a user
notifier feature for io_uring, but I'd be a bit surprised if it ends
up ABI-compatible with current users of user notifiers.

> - There appear to be three classes of desired restrictions:
>  - opcodes for io_uring_register() (which can be enforced entirely with
>    seccomp right now).

Agreed.

>  - opcodes from SQEs (this _could_ be intercepted by seccomp, but is
>    not currently written)

As above, I think this should be intercepted by seccomp, but in a new
mode.  I think that existing seccomp filters should not intercept it.

>  - opcodes of the types of restrictions to restrict... for making sure
>    things can't be changed after being set? seccomp already enforces
>    that kind of "can only be made stricter"

Agreed.

>
> - How does no_new_privs play a role in the existing io_uring credential
>  management? Using _any_ kind of syscall-effective filtering, whether
>  it's seccomp or Stefano's existing proposal, needs to address the
>  potential inheritable restrictions across privilege boundaries (which is
>  what no_new_privs tries to eliminate). In regular syscall land, this is
>  an issue when a filter follows a process through setuid via execve()
>  and it gains privileges that now the filter-creator can trick into
>  doing weird stuff -- io_uring has a concept of alternative credentials
>  so I have to ask about it. (I don't *think* there would be a path to
>  install a filter before gaining privilege, but I likely just
>  need to do my homework on the io_uring internals. Regardless,
>  use of seccomp by io_uring would need to have this issue "solved"
>  in the sense that it must be "safe" to filter io_uring OPs, from a
>  privilege-boundary-crossing perspective.
>
> - From which task perspective should filters be applied? It seems like it
>  needs to follow the io_uring personalities, as that contains the
>  credentials. (This email is a brain-dump so far -- I haven't gone to
>  look to see if that means io_uring is literally getting a reference to
>  struct cred; I assume so.) Seccomp filters are attached to task_struct.
>  However, for v5.9, seccomp will gain a more generalized get/put system
>  for having filters attached to the SECCOMP_RET_USER_NOTIF fd. Adding
>  more get/put-ers for some part of the io_uring context shouldn't
>  be hard.

Let's ignore personalities for a moment (and see below).  Thinking
through the possibilities:

A: io_uring seccomp filters are attached to tasks.  When an io_uring
is created, it inherits an immutable copy of its creating task's
filter, and that's the filter set that applies to that io_uring
instance.  This could have somewhat bizarre consequences if the fd
gets passed around, but io_uring already has odd security effects if
fds are passed around.  It has the annoying property that, if a
library creates an io_uring and then a seccomp filter is loaded, the
io_uring bypasses the library.

B: The same, but the io_uring references the creating task so new
filters on the task apply to the io_uring, too.  This allows loading
and then sandboxing.  Is this too bizarre overall?

C: io_uring filters are attached directly to io_urings.  This has the
problem where an io_uring created before a task sandboxes itself isn't
sandboxed.  It also would require that a filter be able to hook
io_uring creation to sandbox it.

Does anyone actually pass io_urings around with SCM_RIGHTS?  It would
be really nice if we could make the default be that io_urings are
bound to their creating mm and can't be used outside it.  Then
creating an mm-crossing io_uring could, itself, be restricted.

In any case, my inclination is to go for choice B.  Choice C could
also be supported if there's a use case.

  parent reply	other threads:[~2020-07-16 16:25 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-15 11:12 Miklos Szeredi
2020-07-15 14:35 ` Andy Lutomirski
2020-07-15 17:11   ` Matthew Wilcox
2020-07-15 19:42     ` Pavel Begunkov
2020-07-15 20:09       ` Miklos Szeredi
2020-07-15 20:20         ` Pavel Begunkov
2020-07-15 23:07           ` Kees Cook
2020-07-16 13:14             ` Stefano Garzarella
2020-07-16 15:12               ` Kees Cook
2020-07-17  8:01                 ` Stefano Garzarella
2020-07-21 15:27                   ` Andy Lutomirski
2020-07-21 15:31                     ` Jens Axboe
2020-07-21 17:23                       ` Andy Lutomirski
2020-07-21 17:30                         ` Jens Axboe
2020-07-21 17:44                           ` Andy Lutomirski
2020-07-21 18:39                             ` Jens Axboe
2020-07-21 19:44                               ` Andy Lutomirski
2020-07-21 19:48                                 ` Jens Axboe
2020-07-21 19:56                                 ` Andres Freund
2020-07-21 19:37                         ` Andres Freund
2020-07-21 15:58                     ` Stefano Garzarella
2020-07-23 10:39                       ` Stefan Hajnoczi
2020-07-23 13:37                       ` Colin Walters
2020-07-24  7:25                         ` Stefano Garzarella
2020-07-16 13:17             ` Aleksa Sarai
2020-07-16 15:19               ` Kees Cook
2020-07-17  8:17               ` Cyril Hrubis
2020-07-16 16:24             ` Andy Lutomirski [this message]
2020-07-16  0:12     ` tytso

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CALCETrVD1hTc5QDL5=DNkLSS5Qu_AuEC-QZQAuZY0tCP1giMwQ@mail.gmail.com' \
    --to=luto@kernel.org \
    --cc=asml.silence@gmail.com \
    --cc=christian.brauner@ubuntu.com \
    --cc=io-uring@vger.kernel.org \
    --cc=jannh@google.com \
    --cc=keescook@chromium.org \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=miklos@szeredi.hu \
    --cc=mtk.manpages@gmail.com \
    --cc=sgarzare@redhat.com \
    --cc=strace-devel@lists.strace.io \
    --cc=willy@infradead.org \
    --subject='Re: strace of io_uring events?' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).