Deep argument inspection for seccomp

Posted Sep 18, 2019 22:52 UTC (Wed) by iabervon (subscriber, #722)
In reply to: Deep argument inspection for seccomp by cyphar
Parent article: Deep argument inspection for seccomp

It seems like this would be a good idea irrespective of seccomp, just in case a future syscall that follows the pattern of clone3 ever looks twice at the same parameter and expects it to stay the same.

Deep argument inspection for seccomp

Posted Sep 18, 2019 22:57 UTC (Wed) by jake (editor, #205) [Link] (1 responses)

> just in case a future syscall that follows the pattern of clone3 ever looks twice at the same parameter and expects it to stay the same.

system calls copy the user-space arguments before they start using them; after that point, user space can no longer change them (and affect the system call) ... the caching idea would just move that copying earlier in the system-call flow ...

jake

Deep argument inspection for seccomp

Posted Sep 18, 2019 23:06 UTC (Wed) by cyphar (subscriber, #110703) [Link]

Not to mention that there are dozens of syscalls that already take structs as arguments, so this definitely isn't a new problem we have to worry about. Calling copy_struct_from_user() on the same buffer twice -- or (heaven forbid) doing get_user() directly -- in a proposed syscall body would definitely result in a NACK from at least a few reviewers.