headers
Indan Zupancic | 1 Feb 02:36
Picon

Re: [PATCH v5 2/3] seccomp_filters: system call filtering using BPF

On Tue, January 31, 2012 12:04, Will Drewry wrote:
> On Mon, Jan 30, 2012 at 7:42 PM, Indan Zupancic <indan <at> nul.nu> wrote:
>>> I vote for:
>>>
>>> 3. Add tracehook support to all archs.
>
> I don't see these #3 as mutually exclusive :)

They are if you really add tracehook support to all archs. ;-)

> tracehook requires:
> - task_pt_regs()          in asm/processor.h or asm/ptrace.h
> - arch_has_single_step()  if there is hardware single-step support
> - arch_has_block_step()   if there is hardware block-step support
> - asm/syscall.h           supplying asm-generic/syscall.h interface
> - linux/regset.h          user_regset interfaces
> - CORE_DUMP_USE_REGSET    #define'd in linux/elf.h
> -TIF_SYSCALL_TRACE       calls tracehook_report_syscall_{entry,exit}
> - TIF_NOTIFY_RESUME       calls tracehook_notify_resume()
> - signal delivery         calls tracehook_signal_handler()

Okay, that's a bit fuzzier than I expected. I suppose the archs implement
some of that in another way currently?

>>> Maybe not all archs, but at least some more. That way, every time someone
>>> adds something tracehook specific, more archs support it.
>
> Well the other arch I want this on specifically for my purposes is
> arm, but someone recently posted a partial asm/syscall.h for arm, but
> I didn't see that one go anywhere just yet.  (I know syscall_get_nr
(Continue reading)

Permalink | Reply | 3 comments |
headers
Will Drewry | 1 Feb 10:02

Re: [PATCH v5 2/3] seccomp_filters: system call filtering using BPF

On Tue, Jan 31, 2012 at 5:36 PM, Indan Zupancic <indan <at> nul.nu> wrote:
> On Tue, January 31, 2012 12:04, Will Drewry wrote:
>> On Mon, Jan 30, 2012 at 7:42 PM, Indan Zupancic <indan <at> nul.nu> wrote:
>>>> I vote for:
>>>>
>>>> 3. Add tracehook support to all archs.
>>
>> I don't see these #3 as mutually exclusive :)
>
> They are if you really add tracehook support to all archs. ;-)
>
>> tracehook requires:
>> - task_pt_regs()          in asm/processor.h or asm/ptrace.h
>> - arch_has_single_step()  if there is hardware single-step support
>> - arch_has_block_step()   if there is hardware block-step support
>> - asm/syscall.h           supplying asm-generic/syscall.h interface
>> - linux/regset.h          user_regset interfaces
>> - CORE_DUMP_USE_REGSET    #define'd in linux/elf.h
>> -TIF_SYSCALL_TRACE       calls tracehook_report_syscall_{entry,exit}
>> - TIF_NOTIFY_RESUME       calls tracehook_notify_resume()
>> - signal delivery         calls tracehook_signal_handler()
>
> Okay, that's a bit fuzzier than I expected. I suppose the archs implement
> some of that in another way currently?
>
>>>> Maybe not all archs, but at least some more. That way, every time someone
>>>> adds something tracehook specific, more archs support it.
>>
>> Well the other arch I want this on specifically for my purposes is
>> arm, but someone recently posted a partial asm/syscall.h for arm, but
(Continue reading)

Permalink | Reply | 1 comment |
headers
Mr. David M Lee | 1 Feb 12:51
Picon

Hello This is Mr. David M Lee from Bank of America I have by information you that we receiver an ATM card on your name so you have to get back to this office as soon as you receiver this mail today so that we will let you know what to do next okay?

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo <at> vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Permalink | Reply | 0 comments |
headers
Chris Mason | 1 Feb 17:45
Picon
Favicon

Re: [Lsf-pc] [LSF/MM TOPIC] end-to-end data and metadata corruption detection

On Tue, Jan 31, 2012 at 11:28:26AM -0800, Gregory Farnum wrote:
> On Tue, Jan 31, 2012 at 11:22 AM, Bernd Schubert
> <bernd.schubert <at> itwm.fraunhofer.de> wrote:
> > I guess we should talk to developers of other parallel file systems and see
> > what they think about it. I think cephfs already uses data integrity
> > provided by btrfs, although I'm not entirely sure and need to check the
> > code. As I said before, Lustre does network checksums already and *might* be
> > interested.
> 
> Actually, right now Ceph doesn't check btrfs' data integrity
> information, but since Ceph doesn't have any data-at-rest integrity
> verification it relies on btrfs if you want that. Integrating
> integrity verification throughout the system is on our long-term to-do
> list.
> We too will be said if using a kernel-level integrity system requires
> using DIO, although we could probably work out a way to do
> "translation" between our own integrity checksums and the
> btrfs-generated ones if we have to (thanks to replication).

DIO isn't really required, but doing this without synchronous writes
will get painful in a hurry.  There's nothing wrong with letting the
data sit in the page cache after the IO is done though.

-chris

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo <at> vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
(Continue reading)

Permalink | Reply | 11 comments |
headers
James Bottomley | 1 Feb 17:52

Re: [Lsf-pc] [LSF/MM TOPIC] end-to-end data and metadata corruption detection

On Wed, 2012-02-01 at 11:45 -0500, Chris Mason wrote:
> On Tue, Jan 31, 2012 at 11:28:26AM -0800, Gregory Farnum wrote:
> > On Tue, Jan 31, 2012 at 11:22 AM, Bernd Schubert
> > <bernd.schubert <at> itwm.fraunhofer.de> wrote:
> > > I guess we should talk to developers of other parallel file systems and see
> > > what they think about it. I think cephfs already uses data integrity
> > > provided by btrfs, although I'm not entirely sure and need to check the
> > > code. As I said before, Lustre does network checksums already and *might* be
> > > interested.
> > 
> > Actually, right now Ceph doesn't check btrfs' data integrity
> > information, but since Ceph doesn't have any data-at-rest integrity
> > verification it relies on btrfs if you want that. Integrating
> > integrity verification throughout the system is on our long-term to-do
> > list.
> > We too will be said if using a kernel-level integrity system requires
> > using DIO, although we could probably work out a way to do
> > "translation" between our own integrity checksums and the
> > btrfs-generated ones if we have to (thanks to replication).
> 
> DIO isn't really required, but doing this without synchronous writes
> will get painful in a hurry.  There's nothing wrong with letting the
> data sit in the page cache after the IO is done though.

I broadly agree with this, but even if you do sync writes and cache read
only copies, we still have the problem of how we do the read side
verification of DIX.  In theory, when you read, you could either get the
cached copy or an actual read (which will supply protection
information), so for the cached copy we need to return cached protection
information implying that we need some way of actually caching it.
(Continue reading)

Permalink | Reply | 10 comments |
headers
Roland McGrath | 1 Feb 18:34
Picon
Favicon

Re: [PATCH v5 2/3] seccomp_filters: system call filtering using BPF

On Tue, Jan 31, 2012 at 5:36 PM, Indan Zupancic <indan <at> nul.nu> wrote:
>> ref: http://lkml.indiana.edu/hypermail/linux/kernel/0906.3/00096.html
>
> That's 2009! I wonder why no progress happened since then.

At that time I did most of all the CONFIG_HAVE_ARCH_TRACEHOOK work for ARM.
The ARM kernel maintainers just weren't interested in paying attention, and
I gave up on hounding them.  Since then, only a subset of what I did before
has actually been done and merged.  (e.g. there is now some user_regset
support, but less than what I implemented and posted originally--so for
some ARM variants there is still register information only accessible via
old ptrace calls but not in core dumps and no PTRACE_GETREGSET support.
The really trivial stuff like using tracehook_report_* still hasn't gone
in, though I posted that code back then too.)

Thanks,
Roland
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo <at> vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Permalink | Reply | 0 comments |
headers
Kees Cook | 1 Feb 19:14

Re: [PATCH v3 1/4] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs

On Mon, Jan 30, 2012 at 8:17 AM, Andy Lutomirski <luto <at> amacapital.net> wrote:
> With this set, a lot of dangerous operations (chroot, unshare, etc)
> become a lot less dangerous because there is no possibility of
> subverting privileged binaries.
>
> This patch completely breaks apparmor.  Someone who understands (and
> uses) apparmor should fix it or at least give me a hint.
>
> Signed-off-by: Andy Lutomirski <luto <at> amacapital.net>

Looking forward to this -- it'll give us a lot more flexibility.

Reviewed-by: Kees Cook <keescook <at> chromium.org>

--

-- 
Kees Cook
ChromeOS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo <at> vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Permalink | Reply | 0 comments |
headers
Kees Cook | 1 Feb 20:02

Re: [PATCH v3 3/4] Allow unprivileged CLONE_NEWUTS and CLONE_NEWIPC with no_new_privs

On Mon, Jan 30, 2012 at 8:17 AM, Andy Lutomirski <luto <at> amacapital.net> wrote:
> They are normally disallowed because they could be used to subvert
> setuid programs.  But if setuid is disabled, then they are safe.
>
> Signed-off-by: Andy Lutomirski <luto <at> amacapital.net>
> ---
>  kernel/nsproxy.c |    8 +++++++-
>  1 files changed, 7 insertions(+), 1 deletions(-)
>
> diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
> index b576f7f..47cf873 100644
> --- a/kernel/nsproxy.c
> +++ b/kernel/nsproxy.c
> @@ -191,7 +191,13 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags,
>                               CLONE_NEWNET)))
>                return 0;
>
> -       if (!capable(CAP_SYS_ADMIN))
> +       /* We require either no_new_privs or CAP_SYS_ADMIN for all modes */
> +       if (!current->no_new_privs && !capable(CAP_SYS_ADMIN))
> +               return -EPERM;
> +
> +       /* NEWNS and NEWNET always require CAP_SYS_ADMIN. */
> +       if ((unshare_flags & (CLONE_NEWNS | CLONE_NEWNET)) &&
> +           !capable(CAP_SYS_ADMIN))
>                return -EPERM;
>
>        *new_nsp = create_new_namespaces(unshare_flags, current,

While I think it's unlikely that the list handled by
(Continue reading)

Permalink | Reply | 1 comment |
headers
Andrea Arcangeli | 1 Feb 19:30
Picon
Favicon

Re: [Lsf-pc] [LSF/MM TOPIC] end-to-end data and metadata corruption detection

On Wed, Feb 01, 2012 at 12:16:05PM -0600, James Bottomley wrote:
> supplying protection information to user space isn't about the
> application checking what's on disk .. there's automatic verification in
> the chain to do that (both the HBA and the disk will check the
> protection information on entry/exit and transfer).  Supplying
> protection information to userspace is about checking nothing went wrong
> in the handoff between the end of the DIF stack and the application.

Not sure if I got this right, but keeping protection information for
in-ram pagecache and exposing it to userland somehow, to me sounds a
bit of overkill as a concept. Then you should want that for anonymous
memory too. If you copy the pagecache to a malloc()ed buffer and
verify pagecache was consistent, but then the buffer is corrupt by
hardware bitflip or software bug, then what's the point. Besides if
this is getting exposed to userland and it's not hidden in the kernel
(FS/Storage layers), userland could code its own verification logic
without much added complexity. With CRC in hardware on the CPU it
doesn't sound like a big cost to do it fully in userland and then you
could run it on anonymous memory too if you need and not be dependent
on hardware or filesystem details (well other than a a cpuid check at
startup).
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo <at> vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Permalink | Reply | 4 comments |
headers
Kai Bankett | 1 Feb 21:41

[PATCH]QNX6 filesystem (RO) driver

Hi,

Onhttp://a6.ontika.net/patches/patch-3.2.2-qnx6.gz  you find a patch for
adding QNX6 FS readonly support (against 3.2.2) to the linux kernel.
(well, at least I would like to open the discussion about it ... ;))

It's the first linux kernel driver I wrote, so please be kind to me in
case some of my design decisions do violate some "common practice" well
known to any regular reader of this list.
I am very happy to work on the source in the "right" direction, if you
suggest me the direction.
So, suggestions, feedback, input, testing is highly welcome!

I reverse engineered - I would say - whole QNX6 Filesystem from ground
up. (hexedit, from superblock identification to adressing scheme to node
kinds etc.)
Successfully completed writing a FS resizing application before starting
work on this kernel driver.
(so you can expect more than just readonly to come ...)

Some sidenotes worth mentioning:
- Audi MMI FS support
I've included support for the Audi MMI HDD filesystem (who's driving a
recent Audi with 3G or 3G+ HDD multimedia system?)
So I've added a "mmi_fs" mount option to tell the driver to use the
right superblock layout and -offset for mounting that "modified" or "old
development state" QNX6 derivate filesystem.
Not sure if a mount option is the usual approach, but it workes well -
at least for me.
I took the decision to make that specific driver support configurable
(Continue reading)

Permalink | Reply | 22 comments |

Gmane