Re: [PATCH] seccomp.2: Add note about alarm(2) not being sufficient to limit runtime

LKML Archive on lore.kernel.org
help / color / mirror / Atom feed

From: Andy Lutomirski <luto@amacapital.net>
To: Jann Horn <jann@thejh.net>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>,
	Mikael Pettersson <mikpelinux@gmail.com>,
	linux-man <linux-man@vger.kernel.org>,
	Linux API <linux-api@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Russell King <linux@arm.linux.org.uk>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Will Deacon <will.deacon@arm.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
	X86 ML <x86@kernel.org>, Jeff Dike <jdike@addtoit.com>,
	Richard Weinberger <richard@nod.at>,
	Kees Cook <keescook@chromium.org>, Will Drewry <wad@chromium.org>
Subject: Re: [PATCH] seccomp.2: Add note about alarm(2) not being sufficient to limit runtime
Date: Thu, 12 Mar 2015 10:30:56 -0700	[thread overview]
Message-ID: <CALCETrXNDV5tdK7WaP55akZz4yR-X4i3GYUHARKPzbbF9sUJSA@mail.gmail.com> (raw)
In-Reply-To: <20150312130701.GA11073@pc.thejh.net>

On Thu, Mar 12, 2015 at 6:07 AM, Jann Horn <jann@thejh.net> wrote:
> On Wed, Mar 11, 2015 at 10:43:50PM +0100, Mikael Pettersson wrote:
>> Jann Horn writes:
>>  > Or should I throw this patch away and write a patch
>>  > for the prctl() manpage instead that documents that
>>  > being able to call sigreturn() implies being able to
>>  > effectively call sigprocmask(), at least on some
>>  > architectures like X86?
>>
>> Well, that is the semantics of sigreturn().  It is essentially
>> setcontext() [which includes the actions of sigprocmask()], but
>> with restrictions on parameter placement (at least on x86).
>>
>> You could introduce some setting to restrict that aspect for
>> seccomp processes, but you can't change this for normal processes
>> without breaking things.
>
> Then I think it's probably better and easier to just document the existing
> behavior? If a new setting would have to be introduced and developers would
> need to be aware of that, it's probably easier to just tell everyone to use
> SIGKILL.
>
> Does this manpage patch look good?

Looks good to me.

FWIW, if we wanted to fix this in the kernel, I think it could be
easier to add SIG_KILL which would be just like SIG_DFL except always
fatal even if masked rather than coming up with complicated changes to
sigreturn.

--Andy

>
> ---
>  man2/seccomp.2 | 25 +++++++++++++++++++++++++
>  1 file changed, 25 insertions(+)
>
> diff --git a/man2/seccomp.2 b/man2/seccomp.2
> index 702ceb8..f762d07 100644
> --- a/man2/seccomp.2
> +++ b/man2/seccomp.2
> @@ -64,6 +64,31 @@ Strict secure computing mode is useful for number-crunching
>  applications that may need to execute untrusted byte code, perhaps
>  obtained by reading from a pipe or socket.
>
> +Note that although the calling thread can no longer call
> +.BR sigprocmask (2),
> +it can use
> +.BR sigreturn (2)
> +to block all signals apart from
> +.BR SIGKILL
> +and
> +.BR SIGSTOP .
> +Therefore, to reliably terminate it,
> +.BR SIGKILL
> +has to be used, meaning that e.g.
> +.BR alarm (2)
> +is not sufficient for restricting its runtime. Instead, use
> +.BR timer_create (2)
> +with
> +.BR SIGEV_SIGNAL
> +and
> +.BR sigev_signo
> +set to
> +.BR SIGKILL
> +or use
> +.BR setrlimit (2)
> +to set the hard limit for
> +.BR RLIMIT_CPU .
> +
>  This operation is available only if the kernel is configured with
>  .BR CONFIG_SECCOMP
>  enabled.
> --
> 2.1.4
>



-- 
Andy Lutomirski
AMA Capital Management, LLC

next prev parent reply	other threads:[~2015-03-12 17:31 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-03-11 17:42 [PATCH] Don't allow blocking of signals using sigreturn Jann Horn
2015-03-11 21:43 ` Mikael Pettersson
2015-03-11 22:26   ` Andy Lutomirski
2015-03-12  7:22     ` Mikael Pettersson
2015-03-12 13:07   ` [PATCH] seccomp.2: Add note about alarm(2) not being sufficient to limit runtime Jann Horn
2015-03-12 17:30     ` Andy Lutomirski [this message]
2015-03-12 17:33     ` Kees Cook
2015-03-12 20:01     ` Mikael Pettersson
2015-03-22 19:28     ` Michael Kerrisk (man-pages)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CALCETrXNDV5tdK7WaP55akZz4yR-X4i3GYUHARKPzbbF9sUJSA@mail.gmail.com \
    --to=luto@amacapital.net \
    --cc=catalin.marinas@arm.com \
    --cc=hpa@zytor.com \
    --cc=jann@thejh.net \
    --cc=jdike@addtoit.com \
    --cc=keescook@chromium.org \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-man@vger.kernel.org \
    --cc=linux@arm.linux.org.uk \
    --cc=mikpelinux@gmail.com \
    --cc=mingo@redhat.com \
    --cc=mtk.manpages@gmail.com \
    --cc=richard@nod.at \
    --cc=tglx@linutronix.de \
    --cc=wad@chromium.org \
    --cc=will.deacon@arm.com \
    --cc=x86@kernel.org \
    --subject='Re: [PATCH] seccomp.2: Add note about alarm(2) not being sufficient to limit runtime' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).