[PATCH v7 0/3] Seccomp-assisted syscall filtering

Dmitry V. Levin ldv at altlinux.org
Tue Sep 24 18:13:56 UTC 2019


On Mon, Sep 23, 2019 at 02:01:53PM +0200, Paul Chaignon wrote:
> This patchset introduces syscall filtering in the kernel using
> seccomp-bpf.  The first patch implements the main logic to reduce the
> number of tracer stops.  The second lets strace skip the seccomp-bpf
> setup when there aren't any syscalls to filter.  The last patch adds
> tests.
> 
> Seccomp filtering is only enabled with the -n option.  The BPF program
> implements a simple linear match of syscalls which can be improved in the
> future without impacting user-observable behavior.
> 
> This patchset has a single BPF generation strategy.  Other strategies will
> come in subsequent patchsets.  The generated BPF program also doesn't
> support multiplexed syscalls (via ipc and socketcall), so these are always
> traced in userspace.  Finally, seccomp-filter is disabled in case of
> jump offset overflows in the BPF program.  Handling such overflows is a
> bit tortuous and unlikely to happen in practice.
> 
> Changelogs:
>   Changes in v7:
>     - Fix warning message in case of -p.
>     - Fix typos in comments and error messages.
>   Changes in v6:
>     - Fix -n when -p option is given and update man page.  Seccomp
>       filtering is ineffective on processes attached with -p.
>     - Warn if seccomp filtering is disabled because there is nothing to
>       filter.
>     - Improve wording in comments.
>   Changes in v4:
>     - New test to check conflicts between seccomp-filter flags and syscall
>       numbers.
>     - Fix return code for filter_seccomp-perf test.
>     - Skip filter_seccomp-perf test if seccomp-filter is unavailable.
>     - Replace timeout(1) with alarm(2) in filter_seccomp-perf test.
>     - Add reproducer script to first patch's description.
>     - Add comment and improve error message for filter_seccomp-perf test.
>     - Various fixes to code formatting, code comments, and patch
>       descriptions.
>   Changes in v3:
>     - Prevented overflows in conditional jump offsets.
>     - Added debug messages in case seccomp-filter is disabled because of
>       program size or jump offset overflow.
>     - Defined new syscall flag for syscalls traced by default under
>       seccomp-filter.
>     - Added audit_arch_t flag for IA-64.
>     - Added test to check seccomp-filter is enabled.
>     - Commented in detail restart_op and PTRACE_{CONT,SYSCALL} behavior.
>     - Commented overall BPF program structure and generated instructions.
>     - Relicensed filter_seccomp.{c,h} under LGPL 2.1+.
>     - Removed fallback for PERSONALITY{0,1,2}_AUDIT_ARCH macros.
>     - Refactored check_seccomp_order_trace.
>     - Use bitwise OR for opcodes instead of additions.
>     - Renamed audit_arch_t.mask to audit_arch_t.flag.
>     - Improvements to documentation and comment texts from Eugene.
>     - Fixed typos and formatting issues.
>   Changes in v2:
>     - New tests with all syscalls but one and with several syscall
>       classes.
>     - -n now implies -f, with a warning if -f was explicitly specified.
>     - seccomp-filter state is displayed in debug mode, warning emitted if
>       seccomp-filter was requested but unavailable.
>     - Removed arch-specific preprocessor directives from
>       filter_seccomp.c.
>     - Fixed support for x86's x32 personality in BPF program.
>     - Reworked seccomp check on size of BPF program to avoid
>       overestimating the required size.
>     - Reworked rewriting of BPF jumps to use placeholders.
>     - Added support for archs with several personalities (not tested yet).
> 
> Chen Jingpiao (2):
>   Introduce seccomp-assisted syscall filtering
>   tests: check seccomp-assisted syscall filtering
> 
> Paul Chaignon (1):
>   filter_seccomp: skip seccomp setup when there's nothing to filter
> 
>  Makefile.am                    |   2 +
>  NEWS                           |   2 +
>  defs.h                         |   4 +
>  filter_seccomp.c               | 627 +++++++++++++++++++++++++++++++++
>  filter_seccomp.h               |  21 ++
>  linux/aarch64/arch_defs_.h     |   2 +
>  linux/ia64/arch_defs_.h        |   1 +
>  linux/powerpc64/arch_defs_.h   |   2 +
>  linux/riscv/arch_defs_.h       |   2 +
>  linux/s390x/arch_defs_.h       |   2 +
>  linux/sparc64/arch_defs_.h     |   2 +
>  linux/tile/arch_defs_.h        |   2 +
>  linux/x32/arch_defs_.h         |   2 +
>  linux/x86_64/arch_defs_.h      |   3 +
>  number_set.c                   |  12 +
>  number_set.h                   |   4 +
>  strace.1.in                    |  21 +-
>  strace.c                       | 100 +++++-
>  tests/.gitignore               |   3 +
>  tests/Makefile.am              |   5 +
>  tests/filter_seccomp-flag.c    |  83 +++++
>  tests/filter_seccomp-perf.c    |  39 ++
>  tests/filter_seccomp-perf.test |  26 ++
>  tests/filter_seccomp.in        |   4 +
>  tests/filter_seccomp.sh        |  14 +
>  tests/gen_tests.in             |   2 +
>  tests/init.sh                  |   5 +
>  tests/pure_executables.list    |   1 +
>  tests/status-none-f.c          |  19 +
>  trace_event.h                  |   5 +
>  30 files changed, 1012 insertions(+), 5 deletions(-)
>  create mode 100644 filter_seccomp.c
>  create mode 100644 filter_seccomp.h
>  create mode 100644 tests/filter_seccomp-flag.c
>  create mode 100644 tests/filter_seccomp-perf.c
>  create mode 100755 tests/filter_seccomp-perf.test
>  create mode 100644 tests/filter_seccomp.in
>  create mode 100755 tests/filter_seccomp.sh
>  create mode 100644 tests/status-none-f.c

Thanks, I think this is ready for master.
My only reservation is that the name of -n option
has no connotation of seccomp-bpf.


-- 
ldv
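The cover letter quoted above describes a seccomp-bpf program that does a simple linear match of syscall numbers: a matching syscall returns SECCOMP_RET_TRACE so the tracer stops for it, anything else returns SECCOMP_RET_ALLOW and runs without a ptrace stop, and filtering is disabled altogether if a conditional jump offset would overflow. The following C program is an added illustration of that idea, not strace's own filter_seccomp.c (whose layout differs). It assumes an x86_64 tracee, a constructed list of two syscall numbers to trace (1 and 257, i.e. write and openat on x86_64), and treats a non-matching audit arch as "trace everything"; instead of installing the filter it evaluates it with a tiny userspace interpreter for the three opcode forms it emits, so the decisions can be checked offline. The 8-bit jt/jf fields of classic BPF are what make the overflow check necessary.

```c
/* Added example: a minimal linear-match seccomp-bpf generator plus a
 * userspace evaluator.  Not strace's filter_seccomp.c. */
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct bpf_prog {
	struct sock_filter insns[BPF_MAXINSNS];
	unsigned int len;
};

static int
emit(struct bpf_prog *p, uint16_t code, uint8_t jt, uint8_t jf, uint32_t k)
{
	if (p->len >= BPF_MAXINSNS)
		return -1;
	p->insns[p->len++] = (struct sock_filter) BPF_JUMP(code, k, jt, jf);
	return 0;
}

/* Layout (assumed, simplified):
 *   [0]      LD  arch
 *   [1]      JEQ arch ? fall through : jump to TRACE
 *   [2]      LD  nr
 *   [3..2+n] JEQ nrs[i] ? jump to TRACE : fall through
 *   [3+n]    RET ALLOW     (no syscall matched: no tracer stop)
 *   [4+n]    RET TRACE
 * Returns 0, or -1 when a jump offset would not fit in 8 bits, which
 * is the condition under which the cover letter says filtering is
 * disabled rather than worked around. */
static int
gen_linear_filter(struct bpf_prog *p, uint32_t arch,
		  const uint32_t *nrs, unsigned int n)
{
	unsigned int trace_idx = 4 + n;

	memset(p, 0, sizeof(*p));
	if (trace_idx + 1 > BPF_MAXINSNS)
		return -1;
	/* Offsets are relative to the instruction after the jump; the
	 * longest one is the arch-mismatch jump from insn 1. */
	if (trace_idx - 2 > 255)
		return -1;

	emit(p, BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, arch));
	emit(p, BPF_JMP | BPF_JEQ | BPF_K, 0, trace_idx - 2, arch);
	emit(p, BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, nr));
	for (unsigned int i = 0; i < n; i++)
		emit(p, BPF_JMP | BPF_JEQ | BPF_K, trace_idx - (3 + i) - 1, 0, nrs[i]);
	emit(p, BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ALLOW);
	emit(p, BPF_RET | BPF_K, 0, 0, SECCOMP_RET_TRACE);
	return 0;
}

/* Evaluate the program against one seccomp_data, supporting only the
 * opcodes the generator emits.  Anything else is treated as a kill. */
static uint32_t
run_filter(const struct bpf_prog *p, const struct seccomp_data *d)
{
	uint32_t acc = 0;
	unsigned int pc = 0;

	while (pc < p->len) {
		const struct sock_filter *in = &p->insns[pc];
		switch (in->code) {
		case BPF_LD | BPF_W | BPF_ABS:
			memcpy(&acc, (const char *) d + in->k, sizeof(acc));
			pc++;
			break;
		case BPF_JMP | BPF_JEQ | BPF_K:
			pc += 1 + (acc == in->k ? in->jt : in->jf);
			break;
		case BPF_RET | BPF_K:
			return in->k;
		default:
			return SECCOMP_RET_KILL;
		}
	}
	return SECCOMP_RET_KILL;
}

/* Build a filter for nrs[] (x86_64 expected) and classify one syscall. */
static uint32_t
classify(const uint32_t *nrs, unsigned int n, uint32_t arch, uint32_t nr)
{
	struct bpf_prog p;
	struct seccomp_data d = { .nr = (int) nr, .arch = arch };

	if (gen_linear_filter(&p, AUDIT_ARCH_X86_64, nrs, n) < 0)
		return 0xffffffffu;	/* generator refused */
	return run_filter(&p, &d);
}

/* 1 if a linear filter for n distinct syscalls fits without overflow. */
static int
linear_filter_fits(unsigned int n)
{
	uint32_t nrs[300];
	struct bpf_prog p;

	for (unsigned int i = 0; i < n && i < 300; i++)
		nrs[i] = i;
	return gen_linear_filter(&p, AUDIT_ARCH_X86_64, nrs, n) == 0;
}

/* Constructed sample: trace only write (1) and openat (257) on x86_64. */
static const uint32_t sample_traced[] = { 1, 257 };
static const unsigned int sample_traced_n = sizeof(sample_traced) / sizeof(sample_traced[0]);

int
main(void)
{
	printf("write   -> %s\n", classify(sample_traced, sample_traced_n, AUDIT_ARCH_X86_64, 1) == SECCOMP_RET_TRACE ? "trace" : "allow");
	printf("read    -> %s\n", classify(sample_traced, sample_traced_n, AUDIT_ARCH_X86_64, 0) == SECCOMP_RET_TRACE ? "trace" : "allow");
	printf("253 nrs fit: %d, 254 nrs fit: %d\n", linear_filter_fits(253), linear_filter_fits(254));
	return 0;
}
```

With this layout the limit is 253 syscalls before the arch-mismatch jump exceeds 255; a real generator (strace's included) arranges the program so that far larger syscall sets fit, but the same jt/jf bound is what it has to respect, and the sensible reaction when it cannot is the one the cover letter describes: fall back to tracing every syscall in userspace rather than emit a wrong program.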