ARM audit, seccomp, etc are broken wrt OABI syscalls
Andy Lutomirski
luto at amacapital.net
Tue Nov 5 22:22:42 EST 2013
On Tue, Nov 5, 2013 at 4:40 PM, Russell King - ARM Linux
<linux at arm.linux.org.uk> wrote:
> On Tue, Nov 05, 2013 at 04:14:49PM -0800, Kees Cook wrote:
>> I would agree: option 1 seems cleanest of the 3. 3 is sort of like a
>> built-in automatic check for a mismatched arch, so maybe that works
>> better?
>>
>> Alternatively, CONFIG_SECCOMP_FILTER could depend on
>> !CONFIG_OABI_COMPAT. That seems like the least work, given the desire
>> to kill OABI in the real world. (Though I would note that at least
>> Ubuntu's ARM kernels build with CONFIG_OABI_COMPAT; Chrome OS does
>> not.)
>
> OABI compat is really only something you want to deal with if you have
> a reason to run OABI programs on the kernel; it is in no way guaranteed
> that the OABI programs will run properly (many ALSA programs will not
> because of different layouts with ioctls).
>
> OABI compat was meant to allow a transition from OABI to EABI. While
> a lot of effort went in to the kernel side of that, which does allow
> OABI based userspace to boot with an EABI kernel, and allows OABI built
> test programs to run under an EABI kernel, actually being able to
> migrate userland is far from trivial - and something that I've never
> been able to do. Hence, virtually all my long-running ARM machines
> here are stuck with OABI, and I don't see that situation ever changing.
>
> As a rule, distros should not be enabling OABI compat. OABI compat
> is more something that a developer (like me) who has a reason to enable
> it turns it on.
So I guess that audit, ptrace, etc. work on OABI because the userspace
tools expect the OABI syscall conventions and they work on EABI for
the same reason, everything is subtly broken on OABI compat. Adding a
new AUDIT_ARCH_ARMOABI is probably bad, then, unless it only applies
to OABI compat kernels. Similarly, bumping the syscall numbers is
probably also bad. (Arguably the audit arch should have been
AUDIT_ARCH_ARMEABI from the beginning -- too late now.)
Maybe the thing to do is to put a warning in the config text for
CONFIG_OABI_COMPAT that describes the problems (malicious userspace
can confuse syscall auditors, strace, etc.), change the "if in doubt"
part to N, and disable seccomp filters if CONFIG_OABI_COMPAT. That
might even get Debian to change their default.
--Andy
More information about the linux-arm-kernel
mailing list