Re: [RFC 1/3] seccomp: add a return code to trap to userspace

2018-02-26 Thread Andy Lutomirski
> On Feb 26, 2018, at 4:49 PM, Kees Cook wrote: > >> On Wed, Feb 14, 2018 at 9:19 AM, Andy Lutomirski wrote: >>> On Wed, Feb 14, 2018 at 3:29 PM, Tycho Andersen wrote: On Tue, Feb 13, 2018 at 01:09:20PM -0800, Kees Cook wrote: On Sun, Feb 4, 2018 at 2:49 AM, Tycho Andersen wrote:

Re: [RFC 1/3] seccomp: add a return code to trap to userspace

2018-02-26 Thread Kees Cook
On Wed, Feb 14, 2018 at 9:19 AM, Andy Lutomirski wrote: > On Wed, Feb 14, 2018 at 3:29 PM, Tycho Andersen wrote: >> On Tue, Feb 13, 2018 at 01:09:20PM -0800, Kees Cook wrote: >>> On Sun, Feb 4, 2018 at 2:49 AM, Tycho Andersen wrote: >>> I wonder if this communication should be netlink, which

Re: [RFC 1/3] seccomp: add a return code to trap to userspace

2018-02-15 Thread Christian Brauner
On Wed, Feb 14, 2018 at 05:19:52PM +, Andy Lutomirski wrote: > On Wed, Feb 14, 2018 at 3:29 PM, Tycho Andersen wrote: > > Hey Kees, > > > > Thanks for taking a look! > > > > On Tue, Feb 13, 2018 at 01:09:20PM -0800, Kees Cook wrote: > >> On Sun, Feb 4, 2018 at 2:49 AM, Tycho Andersen wrote:

Re: [RFC 1/3] seccomp: add a return code to trap to userspace

2018-02-14 Thread Tycho Andersen
On Wed, Feb 14, 2018 at 05:19:52PM +, Andy Lutomirski wrote: > On Wed, Feb 14, 2018 at 3:29 PM, Tycho Andersen wrote: > > Hey Kees, > > > > Thanks for taking a look! > > > > On Tue, Feb 13, 2018 at 01:09:20PM -0800, Kees Cook wrote: > >> On Sun, Feb 4, 2018 at 2:49 AM, Tycho Andersen wrote:

Re: [RFC 1/3] seccomp: add a return code to trap to userspace

2018-02-14 Thread Andy Lutomirski
On Wed, Feb 14, 2018 at 3:29 PM, Tycho Andersen wrote: > Hey Kees, > > Thanks for taking a look! > > On Tue, Feb 13, 2018 at 01:09:20PM -0800, Kees Cook wrote: >> On Sun, Feb 4, 2018 at 2:49 AM, Tycho Andersen wrote: >> > This patch introduces a means for syscalls matched in seccomp to notify >>

Re: [RFC 1/3] seccomp: add a return code to trap to userspace

2018-02-14 Thread Tycho Andersen
Hey Kees, Thanks for taking a look! On Tue, Feb 13, 2018 at 01:09:20PM -0800, Kees Cook wrote: > On Sun, Feb 4, 2018 at 2:49 AM, Tycho Andersen wrote: > > This patch introduces a means for syscalls matched in seccomp to notify > > some other task that a particular filter has been triggered. > >

Re: [RFC 1/3] seccomp: add a return code to trap to userspace

2018-02-13 Thread Kees Cook
On Sun, Feb 4, 2018 at 2:49 AM, Tycho Andersen wrote: > This patch introduces a means for syscalls matched in seccomp to notify > some other task that a particular filter has been triggered. > > The motivation for this is primarily for use with containers. For example, > if a container does an

Re: [RFC 1/3] seccomp: add a return code to trap to userspace

2018-02-05 Thread Tycho Andersen
On Sun, Feb 04, 2018 at 08:33:25PM +, Andy Lutomirski wrote: > On Sun, Feb 4, 2018 at 8:01 PM, Tycho Andersen wrote: > > Hi Andy, > > > > On Sun, Feb 04, 2018 at 05:36:33PM +, Andy Lutomirski wrote: > >> > The actual implementation of this is fairly small, although getting the > >> >

Re: [RFC 1/3] seccomp: add a return code to trap to userspace

2018-02-04 Thread Andy Lutomirski
On Sun, Feb 4, 2018 at 8:01 PM, Tycho Andersen wrote: > Hi Andy, > > On Sun, Feb 04, 2018 at 05:36:33PM +, Andy Lutomirski wrote: >> > The actual implementation of this is fairly small, although getting the >> > synchronization right was/is slightly complex. Also worth noting that there >> >

Re: [RFC 1/3] seccomp: add a return code to trap to userspace

2018-02-04 Thread Tycho Andersen
Hi Andy, On Sun, Feb 04, 2018 at 05:36:33PM +, Andy Lutomirski wrote: > > The actual implementation of this is fairly small, although getting the > > synchronization right was/is slightly complex. Also worth noting that there > > is one race still present: > > > > 1. a task does a

Re: [RFC 1/3] seccomp: add a return code to trap to userspace

2018-02-04 Thread Andy Lutomirski
On Sun, Feb 4, 2018 at 10:49 AM, Tycho Andersen wrote: > This patch introduces a means for syscalls matched in seccomp to notify > some other task that a particular filter has been triggered. Neat! > > The motivation for this is primarily for use with containers. For example, > if a container

[RFC 1/3] seccomp: add a return code to trap to userspace

2018-02-04 Thread Tycho Andersen
This patch introduces a means for syscalls matched in seccomp to notify some other task that a particular filter has been triggered. The motivation for this is primarily for use with containers. For example, if a container does an init_module(), we obviously don't want to load this untrusted