From patchwork Wed Sep 25 20:32:23 2024
X-Patchwork-Submitter: Benjamin Berg
X-Patchwork-Id: 1989525
From: Benjamin Berg
To: linux-um@lists.infradead.org
Cc: Benjamin Berg
Subject: [RFC PATCH 0/9] SECCOMP based userspace for UML
Date: Wed, 25 Sep 2024 22:32:23 +0200
Message-ID: <20240925203232.565086-1-benjamin@sipsolutions.net>

Hi all,

this is an updated version of the SECCOMP patchset. The patchset adds a new
userspace handling mode to UML that is based on a SECCOMP filter and trusted
code within each userspace process.

One advantage of this approach is that it saves quite a few context switches
when handling pagefaults (and syscalls to some extent).
The reason is that the ptrace code needs a separate context switch to execute
syscalls in the stub as well as another one to grab the segfault information.

This new version of the patchset changes the security model to use FD passing
for the memory to ensure only the stub code can use the permitted syscalls.
Note that the current SECCOMP filter is not yet sufficient to prevent userspace
from tricking the kernel (and stub) into mapping any physical memory.

Also new is working i386 support.

Benjamin

Benjamin Berg (9):
  um: Store full CSGSFS and SS register from mcontext
  um: Move faultinfo extraction into userspace routine
  um: Add UML_SECCOMP configuration option
  um: Add stub side of SECCOMP/futex based process handling
  um: Add helper functions to get/set state for SECCOMP
  um: Add SECCOMP support detection and initialization
  um: Track userspace children dying in SECCOMP mode
  um: Implement kernel side of SECCOMP based process handling
  um: pass FD for memory operations when needed

 arch/um/Kconfig                            |  20 +
 arch/um/include/asm/irq.h                  |   5 +-
 arch/um/include/shared/common-offsets.h    |   3 +
 arch/um/include/shared/irq_user.h          |   1 +
 arch/um/include/shared/os.h                |   3 +-
 arch/um/include/shared/skas/mm_id.h        |  16 +
 arch/um/include/shared/skas/skas.h         |   6 +
 arch/um/include/shared/skas/stub-data.h    |  21 +-
 arch/um/kernel/irq.c                       |   5 +
 arch/um/kernel/skas/mmu.c                  |  98 +++-
 arch/um/kernel/skas/stub.c                 | 131 +++++-
 arch/um/kernel/skas/stub_exe.c             | 162 ++++++-
 arch/um/kernel/tlb.c                       |  21 +-
 arch/um/os-Linux/internal.h                |   4 +
 arch/um/os-Linux/process.c                 |  31 ++
 arch/um/os-Linux/registers.c               |   4 +-
 arch/um/os-Linux/signal.c                  |  19 +-
 arch/um/os-Linux/skas/mem.c                | 104 ++++-
 arch/um/os-Linux/skas/process.c            | 501 +++++++++++++++------
 arch/um/os-Linux/start_up.c                | 150 +++++-
 arch/x86/um/os-Linux/mcontext.c            | 203 ++++++++-
 arch/x86/um/shared/sysdep/kernel-offsets.h |   2 +
 arch/x86/um/shared/sysdep/mcontext.h       |   9 +
 arch/x86/um/shared/sysdep/stub-data.h      |  18 +
 arch/x86/um/shared/sysdep/stub.h           |   2 +
 arch/x86/um/shared/sysdep/stub_32.h        |  13 +
 arch/x86/um/shared/sysdep/stub_64.h        |  14 +
 arch/x86/um/tls_32.c                       |  23 +-
 28 files changed, 1388 insertions(+), 201 deletions(-)
 create mode 100644 arch/x86/um/shared/sysdep/stub-data.h
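The filter-plus-trusted-stub arrangement the cover letter describes, as an added example that is not part of this patchset and not the stub code the diffstat lists: a seccomp-BPF program that grants a small syscall allow list only when the syscall is issued from the stub's own code range, hands every other syscall (guest code) to a SIGSYS handler, and kills the process if the stub itself strays off the list. The stub addresses, the allow list, the choice of return actions and the x86-64-only arch check are all assumptions made for the illustration; the patchset's actual filter, stub and FD-passing scheme are in the patches, not here.

```c
/* Added example, not code from the patchset: a seccomp-BPF policy with the
 * shape the cover letter describes. A short syscall allow list is granted only
 * when the syscall is issued from the trusted stub's code range; a syscall from
 * anywhere else (guest code) becomes SIGSYS (SECCOMP_RET_TRAP) for a handler to
 * forward, and stub code issuing a syscall off the list is killed. Assumed:
 * x86-64 little-endian host, hypothetical stub addresses and allow list. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#define SD(field) ((uint32_t)offsetof(struct seccomp_data, field))
#define MAX_FILTER 64

/* Syscalls the stub is assumed to need (an assumption, not the real list). */
static const uint32_t stub_allow[] = {
	__NR_mmap, __NR_munmap, __NR_mprotect, __NR_futex, __NR_rt_sigreturn,
};
#define N_ALLOW (sizeof(stub_allow) / sizeof(stub_allow[0]))

static struct sock_filter insn(uint16_t code, uint32_t k, size_t jt, size_t jf)
{
	return (struct sock_filter){ .code = code, .jt = (uint8_t)jt, .jf = (uint8_t)jf, .k = k };
}

/* Emit the filter for a stub mapped at [stub_start, stub_end). Returns the
 * instruction count, or 0 if the range is unusable. Classic BPF compares 32-bit
 * words, so both ends must share their high half (the stub is one small
 * mapping); the low half is then range-checked. */
size_t build_stub_filter(uint64_t stub_start, uint64_t stub_end, struct sock_filter *out)
{
	uint32_t hi = (uint32_t)(stub_start >> 32);
	size_t n = N_ALLOW, i = 0;
	if (hi != (uint32_t)(stub_end >> 32) || stub_start >= stub_end || 11 + n > MAX_FILTER)
		return 0;
	/* Layout: 0..7 checks, 8..7+n allow list, then KILL/ALLOW/TRAP at
	 * 8+n/9+n/10+n. jt/jf count from the instruction after the jump. */
	out[i++] = insn(BPF_LD | BPF_W | BPF_ABS, SD(arch), 0, 0);
	out[i++] = insn(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, 6 + n);
	out[i++] = insn(BPF_LD | BPF_W | BPF_ABS, SD(instruction_pointer) + 4, 0, 0);
	out[i++] = insn(BPF_JMP | BPF_JEQ | BPF_K, hi, 0, 6 + n);
	out[i++] = insn(BPF_LD | BPF_W | BPF_ABS, SD(instruction_pointer), 0, 0);
	out[i++] = insn(BPF_JMP | BPF_JGE | BPF_K, (uint32_t)stub_start, 0, 4 + n);
	out[i++] = insn(BPF_JMP | BPF_JGE | BPF_K, (uint32_t)stub_end, 3 + n, 0);
	out[i++] = insn(BPF_LD | BPF_W | BPF_ABS, SD(nr), 0, 0);
	for (size_t k = 0; k < n; k++)	/* match: skip KILL, land on ALLOW */
		out[i++] = insn(BPF_JMP | BPF_JEQ | BPF_K, stub_allow[k], n - k, 0);
	out[i++] = insn(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS, 0, 0);
	out[i++] = insn(BPF_RET | BPF_K, SECCOMP_RET_ALLOW, 0, 0);
	out[i++] = insn(BPF_RET | BPF_K, SECCOMP_RET_TRAP, 0, 0);
	return i;
}

/* Minimal interpreter for the opcodes emitted above, so the policy can be
 * checked offline. Loads read the struct in host order, as the kernel does. */
static uint32_t run_filter(const struct sock_filter *p, size_t n, const struct seccomp_data *d)
{
	uint32_t A = 0;
	for (size_t pc = 0; pc < n; pc++) {
		const struct sock_filter *in = &p[pc];
		switch (in->code) {
		case BPF_LD | BPF_W | BPF_ABS: memcpy(&A, (const char *)d + in->k, 4); break;
		case BPF_JMP | BPF_JEQ | BPF_K: pc += A == in->k ? in->jt : in->jf; break;
		case BPF_JMP | BPF_JGE | BPF_K: pc += A >= in->k ? in->jt : in->jf; break;
		case BPF_RET | BPF_K: return in->k;
		default: return SECCOMP_RET_KILL_PROCESS;	/* opcode not used here */
		}
	}
	return SECCOMP_RET_KILL_PROCESS;
}

/* Verdict for syscall nr issued at instruction pointer ip under the policy. */
uint32_t stub_verdict(uint64_t stub_start, uint64_t stub_end, uint64_t ip, uint32_t nr)
{
	struct sock_filter prog[MAX_FILTER];
	struct seccomp_data d = { .nr = (int)nr, .arch = AUDIT_ARCH_X86_64,
				  .instruction_pointer = ip };
	size_t n = build_stub_filter(stub_start, stub_end, prog);
	return n ? run_filter(prog, n, &d) : SECCOMP_RET_KILL_PROCESS;
}

/* Install the policy in the calling process, as the stub would once before any
 * guest code runs. Returns 0 on success. */
int install_stub_filter(uint64_t stub_start, uint64_t stub_end)
{
	struct sock_filter insns[MAX_FILTER];
	struct sock_fprog prog = { .filter = insns };
	size_t n = build_stub_filter(stub_start, stub_end, insns);
	if (!n || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
		return -1;
	prog.len = (unsigned short)n;
	return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

The instruction-pointer check is what ties the allow list to the stub rather than to the process as a whole: the same mmap that is permitted from inside the stub range traps when guest code issues it, and the arch check stops a 32-bit-ABI entry from being matched against 64-bit syscall numbers (an i386 stub would need AUDIT_ARCH_I386 and its own numbers). What this filter does not do is constrain the arguments of the permitted syscalls, which is exactly the gap the cover letter points at: its note that the filter is not yet sufficient to keep userspace from tricking the kernel and stub into mapping arbitrary physical memory, and the switch to passing the memory FD so that only the stub can use it, are about what happens after the syscall is allowed, and neither is modelled here.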