[RFC,3/9] um: Add UML_SECCOMP configuration option

Message ID 20240925203232.565086-4-benjamin@sipsolutions.net
State RFC
Series SECCOMP based userspace for UML

Commit Message

Benjamin Berg Sept. 25, 2024, 8:32 p.m. UTC
Add the UML_SECCOMP configuration options. The next commits will add the
support itself in smaller chunks.

Only x86_64 will be supported for now.

Signed-off-by: Benjamin Berg <benjamin@sipsolutions.net>
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
---
 arch/um/Kconfig | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

Comments

Johannes Berg Oct. 10, 2024, 11:49 a.m. UTC | #1
On Wed, 2024-09-25 at 22:32 +0200, Benjamin Berg wrote:
> Add the UML_SECCOMP configuration options. The next commits will add the
> support itself in smaller chunks.
> 
> Only x86_64 will be supported for now.
> 
> Signed-off-by: Benjamin Berg <benjamin@sipsolutions.net>
> Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
> ---
>  arch/um/Kconfig | 20 ++++++++++++++++++++
>  1 file changed, 20 insertions(+)
> 
> diff --git a/arch/um/Kconfig b/arch/um/Kconfig
> index 48db1c99bd46..4698e4c8ef29 100644
> --- a/arch/um/Kconfig
> +++ b/arch/um/Kconfig
> @@ -240,6 +240,26 @@ config KASAN_SHADOW_OFFSET
>  	  set to a large value. On low-memory systems, try 0x7fff8000, as it fits
>  	  into the immediate of most instructions, improving performance.
>  
> +config UML_SECCOMP
> +	bool "SECCOMP based userspace"
> +	default n
> 

n is the default, so you don't need "default n" :)

johannes

Patch

diff --git a/arch/um/Kconfig b/arch/um/Kconfig
index 48db1c99bd46..4698e4c8ef29 100644
--- a/arch/um/Kconfig
+++ b/arch/um/Kconfig
@@ -240,6 +240,26 @@  config KASAN_SHADOW_OFFSET
 	  set to a large value. On low-memory systems, try 0x7fff8000, as it fits
 	  into the immediate of most instructions, improving performance.
 
+config UML_SECCOMP
+	bool "SECCOMP based userspace"
+	default n
+	help
+	  With SECCOMP userspace processes work collaboratively with the kernel
+	  instead of being traced using ptrace. All syscalls from the application
+	  are caught and redirected using a signal. This signal handler in turn
+	  is permitted to do the selected set of syscalls to communicate with
+	  the UML kernel and do the required memory management.
+
+	  This method is overall faster than the ptrace based userspace,
+	  primarily because it reduces the number of context switches for
+	  (minor) page faults.
+	  However, the SECCOMP filter is not (yet) restrictive enough to prevent
+	  userspace from reading and writing all physical memory. Userspace
+	  processes could also trick the stub into disabling SIGALRM which
+	  prevents it from being interrupted for scheduling purposes.
+
+	  If in doubt say N, as the feature has security implications.
+
 endmenu
 
 source "arch/um/drivers/Kconfig"
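Review bot: the commit message says only x86_64 will be supported for now, but the new `config UML_SECCOMP` block carries no `depends on` line, so the option is offered on every UML sub-architecture and can be enabled where the support added by the later patches does not exist; add a dependency on the 64-bit x86 symbol (e.g. `depends on X86_64`) next to the `bool "SECCOMP based userspace"` line. Two smaller points on the same block: `default n` is redundant, since n is already the Kconfig default, and because the help text itself states that the filter does not yet stop userspace from reading and writing all physical memory and that the stub can be tricked into disabling SIGALRM, it would help to carry that caveat into the commit message as well, so the reduced isolation is recorded in the git history and not only in the help text.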