RFE: add support for SECCOMP_RET_KILL_PROCESS #96

Closed
pcmoore opened this issue Sep 22, 2017 · 11 comments
@pcmoore
Member

pcmoore commented Sep 22, 2017

@kees added support for killing the entire process upstream; as of this moment it has yet to land in Linus' tree, but it will get there eventually.

@pcmoore
Member Author

pcmoore commented Jan 18, 2018

Update: the patch is not upstream, the relevant kernel header files are defined in the commit below.

commit 0466bdb99e8744bc9befa8d62a317f0fd7fd7421
Author: Kees Cook
Date:   Fri Aug 11 13:12:11 2017 -0700

seccomp: Implement SECCOMP_RET_KILL_PROCESS action

Right now, SECCOMP_RET_KILL_THREAD (neé SECCOMP_RET_KILL) kills the
current thread. There have been a few requests for this to kill the entire
process (the thread group). This cannot be just changed (discovered when
adding coredump support since coredumping kills the entire process)
because there are userspace programs depending on the thread-kill
behavior.

Instead, implement SECCOMP_RET_KILL_PROCESS, which is 0x80000000, and can
be processed as "-1" by the kernel, below the existing RET_KILL that is
ABI-set to "0". For userspace, SECCOMP_RET_ACTION_FULL is added to expand
the mask to the signed bit. Old userspace using the SECCOMP_RET_ACTION
mask will see SECCOMP_RET_KILL_PROCESS as 0 still, but this would only
be visible when examining the siginfo in a core dump from a RET_KILL_*,
where it will think it was thread-killed instead of process-killed.

Attempts to introduce this behavior via other ways (filter flags,
seccomp struct flags, masked RET_DATA bits) all come with weird
side-effects and baggage. This change preserves the central behavioral
expectations of the seccomp filter engine without putting too great
a burden on changes needed in userspace to use the new action.

The new action is discoverable by userspace through either the new
actions_avail sysctl or through the SECCOMP_GET_ACTION_AVAIL seccomp
operation. If used without checking for availability, old kernels
will treat RET_KILL_PROCESS as RET_KILL_THREAD (since the old mask
will produce RET_KILL_THREAD).

Cc: Paul Moore <paul@paul-moore.com>
Cc: Fabricio Voznika <fvoznika@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>

@pcmoore pcmoore added this to the v2.4 milestone Jan 18, 2018
@pcmoore
Member Author

pcmoore commented Feb 16, 2018

See potentially related issue with OpenMP in issue #93.

@pcmoore
Member Author

pcmoore commented Feb 21, 2018

See PR #109.

@drakenclimber
Member

@pcmoore, I'll rebase and squash the commits for this PR. I should be able to get to them this week. Thanks!

@pcmoore
Member Author

pcmoore commented Apr 12, 2018

@drakenclimber that would be helpful, thank you. Please don't feel the need to squash everything. It sounds like you are familiar with upstream kernel development; if you use that as a guideline you should be in good shape.

drakenclimber added a commit to drakenclimber/libseccomp that referenced this issue Apr 13, 2018
This patch adds support for killing the entire process via
the SCMP_ACT_KILL_PROCESS action.  To maintain backward
compatibility, SCMP_ACT_KILL defaults to SCMP_ACT_KILL_THREAD.

This addresses GitHub Issue seccomp#96 - RFE: add support for
SECCOMP_RET_KILL_PROCESS

Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
@drakenclimber
Member

D'oh. Just saw your comment. I squashed everything into one commit, but I think I'll split this RFE into two commits - one for the actual code changes and one for the tests. Thanks.

drakenclimber added a commit to drakenclimber/libseccomp that referenced this issue Apr 13, 2018
This addresses GitHub Issue seccomp#96 - RFE: add support for
SECCOMP_RET_KILL_PROCESS

Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
@pcmoore
Member Author

pcmoore commented Jul 16, 2018

Quick update, it looks like support was added back into Linux v4.14.

otubo pushed a commit to otubo/qemu that referenced this issue Jul 25, 2018
The upcoming libseccomp release should have SCMP_ACT_KILL_PROCESS
action (seccomp/libseccomp#96).

SCMP_ACT_KILL_PROCESS is preferable to immediately terminate the
offending process, rather than having the SIGSYS handler running.

Use SECCOMP_GET_ACTION_AVAIL to check availability of kernel support,
as libseccomp will fallback on SCMP_ACT_KILL otherwise, and we still
prefer SCMP_ACT_TRAP.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Acked-by: Eduardo Otubo <otubo@redhat.com>
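
The mask behaviour from the kernel commit message and the availability check from the QEMU commit message, as an added C example that is not code from this thread, libseccomp, QEMU or the kernel. The constants carry the kernel's seccomp UAPI values under shortened local names, and all function names (`action_old_mask`, `pick_violation_action`, and so on) are hypothetical.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Kernel seccomp UAPI values, defined locally under shortened names so the
 * example builds against headers older than Linux v4.14. */
#define RET_KILL_PROCESS 0x80000000U
#define RET_KILL_THREAD  0x00000000U
#define RET_TRAP         0x00030000U
#define RET_ACTION_FULL  0xffff0000U /* new mask, includes the sign bit */
#define RET_ACTION       0x7fff0000U /* old mask */
#define GET_ACTION_AVAIL 2U          /* SECCOMP_GET_ACTION_AVAIL operation */

/* Action as decoded by userspace still using the old SECCOMP_RET_ACTION mask. */
uint32_t action_old_mask(uint32_t ret) { return ret & RET_ACTION; }

/* Action as decoded with SECCOMP_RET_ACTION_FULL. */
uint32_t action_full_mask(uint32_t ret) { return ret & RET_ACTION_FULL; }

/* Signed view of the action: KILL_PROCESS is negative, below KILL_THREAD (0). */
int32_t action_signed(uint32_t ret) { return (int32_t)(ret & RET_ACTION_FULL); }

/* 1 if the running kernel reports `action` as implemented, 0 otherwise
 * (including kernels that do not know the GET_ACTION_AVAIL operation). */
int action_available(uint32_t action)
{
    return syscall(SYS_seccomp, GET_ACTION_AVAIL, 0, &action) == 0;
}

/* Policy from the QEMU commit message: KILL_PROCESS when the kernel has it,
 * otherwise TRAP rather than the thread-only kill. */
uint32_t pick_violation_action(int kill_process_avail)
{
    return kill_process_avail ? RET_KILL_PROCESS : RET_TRAP;
}

int main(void)
{
    int avail = action_available(RET_KILL_PROCESS);
    printf("KILL_PROCESS: old mask 0x%08x, full mask 0x%08x, signed %d\n",
           action_old_mask(RET_KILL_PROCESS), action_full_mask(RET_KILL_PROCESS),
           action_signed(RET_KILL_PROCESS));
    printf("kernel support: %d, chosen action: 0x%08x\n",
           avail, pick_violation_action(avail));
    return 0;
}
```
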
@elmarco

elmarco commented Aug 16, 2018

Any update on this feature?

@pcmoore
Member Author

pcmoore commented Aug 16, 2018

Sorry @elmarco, not yet.

otubo pushed a commit to otubo/qemu that referenced this issue Aug 22, 2018
The upcoming libseccomp release should have SCMP_ACT_KILL_PROCESS
action (seccomp/libseccomp#96).

SCMP_ACT_KILL_PROCESS is preferable to immediately terminate the
offending process, rather than having the SIGSYS handler running.

Use SECCOMP_GET_ACTION_AVAIL to check availability of kernel support,
as libseccomp will fallback on SCMP_ACT_KILL otherwise, and we still
prefer SCMP_ACT_TRAP.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Acked-by: Eduardo Otubo <otubo@redhat.com>
drakenclimber added a commit to drakenclimber/libseccomp that referenced this issue Sep 17, 2018
This patch adds support for killing the entire process via
the SCMP_ACT_KILL_PROCESS action.  To maintain backward
compatibility, SCMP_ACT_KILL defaults to SCMP_ACT_KILL_THREAD.
Support for KILL_PROCESS was added into the Linux kernel in
v4.14.

This addresses GitHub Issue seccomp#96 - RFE: add support for
SECCOMP_RET_KILL_PROCESS

Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
@drakenclimber
Member

@pcmoore - I have rebased the proposed changes on top of the latest master. Looks like TravisCI was happy with them :)

Let me know if there's anything else you need for this RFE.

https://github.com/drakenclimber/libseccomp/tree/issues/96-squashed4

pcmoore pushed a commit that referenced this issue Sep 19, 2018
This patch adds support for killing the entire process via
the SCMP_ACT_KILL_PROCESS action.  To maintain backward
compatibility, SCMP_ACT_KILL defaults to SCMP_ACT_KILL_THREAD.
Support for KILL_PROCESS was added into the Linux kernel in
v4.14.

This addresses GitHub Issue #96 - RFE: add support for
SECCOMP_RET_KILL_PROCESS

Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: minor comment tweak in seccomp.h.in]
Signed-off-by: Paul Moore <paul@paul-moore.com>
pcmoore pushed a commit that referenced this issue Sep 19, 2018
This addresses GitHub Issue #96 - RFE: add support for
SECCOMP_RET_KILL_PROCESS

Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
@pcmoore
Member Author

pcmoore commented Sep 19, 2018

Resolved with PR #130.

@pcmoore pcmoore closed this as completed Sep 19, 2018
larrydewey pushed a commit to openSUSE/qemu that referenced this issue Oct 5, 2018
The upcoming libseccomp release should have SCMP_ACT_KILL_PROCESS
action (seccomp/libseccomp#96).

SCMP_ACT_KILL_PROCESS is preferable to immediately terminate the
offending process, rather than having the SIGSYS handler running.

Use SECCOMP_GET_ACTION_AVAIL to check availability of kernel support,
as libseccomp will fallback on SCMP_ACT_KILL otherwise, and we still
prefer SCMP_ACT_TRAP.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Acked-by: Eduardo Otubo <otubo@redhat.com>
(cherry picked from commit bda08a5)
[LD: BSC#1106222 CVE-2018-15746]
Signed-off-by: Larry Dewey <ldewey@suse.com>
yashkmankad pushed a commit to yashkmankad/qemu that referenced this issue Dec 5, 2018
RH-Author: Eduardo Otubo <otubo@redhat.com>
Message-id: <20180928075639.16746-4-otubo@redhat.com>
Patchwork-id: 82315
O-Subject: [RHEL-8 qemu-kvm PATCH 3/5] seccomp: prefer SCMP_ACT_KILL_PROCESS if available
Bugzilla: 1618356
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>

From: Marc-André Lureau <marcandre.lureau@redhat.com>

commit bda08a5
Author: Marc-André Lureau <marcandre.lureau@redhat.com>
Date:   Wed Aug 22 19:02:48 2018 +0200

    seccomp: prefer SCMP_ACT_KILL_PROCESS if available

    The upcoming libseccomp release should have SCMP_ACT_KILL_PROCESS
    action (seccomp/libseccomp#96).

    SCMP_ACT_KILL_PROCESS is preferable to immediately terminate the
    offending process, rather than having the SIGSYS handler running.

    Use SECCOMP_GET_ACTION_AVAIL to check availability of kernel support,
    as libseccomp will fallback on SCMP_ACT_KILL otherwise, and we still
    prefer SCMP_ACT_TRAP.

    Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
    Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
    Acked-by: Eduardo Otubo <otubo@redhat.com>

Signed-off-by: Eduardo Otubo <otubo@rehdat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
mdroth pushed a commit to mdroth/qemu that referenced this issue Apr 4, 2019
The upcoming libseccomp release should have SCMP_ACT_KILL_PROCESS
action (seccomp/libseccomp#96).

SCMP_ACT_KILL_PROCESS is preferable to immediately terminate the
offending process, rather than having the SIGSYS handler running.

Use SECCOMP_GET_ACTION_AVAIL to check availability of kernel support,
as libseccomp will fallback on SCMP_ACT_KILL otherwise, and we still
prefer SCMP_ACT_TRAP.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Acked-by: Eduardo Otubo <otubo@redhat.com>
(cherry picked from commit bda08a5)
*CVE-2018-15746
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>