[RFC PATCH 05/13] x86/um: nommu: syscall translation by zpoline
Hajime Tazaki
thehajime at gmail.com
Mon Oct 28 00:47:28 PDT 2024
Hello,
On Sun, 27 Oct 2024 18:45:39 +0900,
Johannes Berg wrote:
>
> On Sat, 2024-10-26 at 16:36 +0900, Hajime Tazaki wrote:
> >
> > Originally our patchset had a whitelist-based seccomp filter (w/
> > SCMP_ACT_ALLOW), but it was dropped from this RFC as I found that 1) this is
> > not a !MMU-specific feature (it can be generally applied to all UML
> > use cases), and 2) we cannot prevent a syscall (e.g., ioctl(2)) from
> > userspace which is white-listed in our seccomp filter, thus the newly
> > introduced filter may not be perfect.
> >
> > The maintenance of the whitelist is also not easy; the syscall used in
> > one version is renamed at some point in the future (what I faced is that
> > SCMP_SYS(open) should be renamed to SCMP_SYS(openat)).
>
> Sure, agree that would be awful. However, only kernel code should be
> making real host syscalls, never userspace code, so you should be able
> to filter simply based on address? Since it's NOMMU there's a single
> process and a single address space, and userspace binaries always have
> to be in certain places, I'd think?
Yes, the address that issued the syscall instruction should be
identifiable.
> This should be cheap since
> (a) it's not doing anything with (guest) syscalls that were already
> rewritten by zpoline (they don't exist as host syscalls)
> (b) while the real host syscalls made by the kernel would still be
> checked by the filter program, it'd just return "sure that's OK"
> and not redirect anything
Totally makes sense to me, and the filter is nice to have.
I'm going to investigate implementing it as a seccomp filter.
thanks for the idea,
-- Hajime
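The address-based check discussed above, as an added illustration that is not part of this thread or of the UML patchset: a classic-BPF seccomp program that allows a host syscall only when the instruction pointer of the `syscall` instruction lies inside the kernel text region, and returns SECCOMP_RET_TRAP (so a SIGSYS handler could deal with it) for anything else. The text bounds (KERN_TEXT_LO_START/END, and the assumption that the region sits entirely within one 4 GiB window so the high word is a single constant) are placeholders, not the real UML layout. Because installing the filter would affect the demonstrating process itself, the block evaluates the program with a small interpreter for the handful of cBPF instructions it uses; `install_filter()` shows the real installation call but is not invoked.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Placeholder bounds of the (nommu UML) kernel text: constructed values, not the real map. */
#define KERN_TEXT_HI        0x00000000u  /* assumed: whole text region shares one high word */
#define KERN_TEXT_LO_START  0x60000000u
#define KERN_TEXT_LO_END    0x60200000u

/* Jump offsets are relative to the next instruction; the index comments make them checkable. */
static const struct sock_filter prog[] = {
	/* 0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
	/* 1 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
	/* 2 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),   /* foreign ABI: never */
	/* 3 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, instruction_pointer) + 4),
	/* 4 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, KERN_TEXT_HI, 1, 0),
	/* 5 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),           /* high word outside text */
	/* 6 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, instruction_pointer)),
	/* 7 */ BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, KERN_TEXT_LO_START, 0, 2),  /* below start -> 10 */
	/* 8 */ BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, KERN_TEXT_LO_END, 1, 0),    /* at/after end -> 10 */
	/* 9 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),          /* issued from kernel text */
	/* 10 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),          /* issued from elsewhere */
};

/* Minimal interpreter for the cBPF subset used above (LD_W_ABS, JEQ/JGT/JGE with K, RET K).
 * This is only for offline evaluation; the kernel runs the real program. */
uint32_t run_filter(const struct sock_filter *p, size_t len, const struct seccomp_data *sd)
{
	const unsigned char *data = (const unsigned char *)sd;
	uint32_t acc = 0;

	for (size_t pc = 0; pc < len; pc++) {
		const struct sock_filter *ins = &p[pc];
		switch (BPF_CLASS(ins->code)) {
		case BPF_LD:
			if (ins->code != (BPF_LD | BPF_W | BPF_ABS) || ins->k + 4 > sizeof(*sd))
				return SECCOMP_RET_KILL_PROCESS;  /* unsupported/out-of-range load */
			memcpy(&acc, data + ins->k, sizeof(acc)); /* host-endian, as the kernel does */
			break;
		case BPF_JMP: {
			int taken;
			switch (BPF_OP(ins->code)) {
			case BPF_JEQ: taken = acc == ins->k; break;
			case BPF_JGT: taken = acc >  ins->k; break;
			case BPF_JGE: taken = acc >= ins->k; break;
			default:      return SECCOMP_RET_KILL_PROCESS;
			}
			pc += taken ? ins->jt : ins->jf;
			break;
		}
		case BPF_RET:
			return ins->k;
		default:
			return SECCOMP_RET_KILL_PROCESS;
		}
	}
	return SECCOMP_RET_KILL_PROCESS; /* fell off the end: the kernel rejects such programs */
}

/* Verdict for a syscall issued from instruction pointer `ip` under ABI `arch`. */
uint32_t verdict(uint32_t arch, uint64_t ip)
{
	struct seccomp_data sd;
	memset(&sd, 0, sizeof(sd));
	sd.nr = 16;  /* constructed: ioctl(2) on x86_64, the nr is irrelevant to this filter */
	sd.arch = arch;
	sd.instruction_pointer = ip;
	return run_filter(prog, sizeof(prog) / sizeof(prog[0]), &sd);
}

/* How the same program would actually be loaded. Not called here: once installed,
 * every later host syscall of this demo process (including exit) would trap. */
int install_filter(void)
{
	struct sock_fprog fprog = {
		.len = (unsigned short)(sizeof(prog) / sizeof(prog[0])),
		.filter = (struct sock_filter *)prog,
	};
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
		return -1;
	return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
	printf("kernel text   : 0x%x\n", verdict(AUDIT_ARCH_X86_64, 0x60100000ull));
	printf("userspace     : 0x%x\n", verdict(AUDIT_ARCH_X86_64, 0x7f0000001000ull));
	printf("end boundary  : 0x%x\n", verdict(AUDIT_ARCH_X86_64, 0x60200000ull));
	printf("foreign ABI   : 0x%x\n", verdict(AUDIT_ARCH_I386, 0x60100000ull));
	return 0;
}
```

Two points worth keeping in mind when turning this into a real filter: the instruction pointer is a 64-bit field that cBPF can only load one 32-bit word at a time, so a text region that straddles a 4 GiB boundary needs a proper two-word range compare rather than the single high-word equality used here; and the cost model in the thread holds because the filter never touches the guest syscalls that zpoline already rewrote, only the host syscalls that actually reach the kernel.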