From: Tycho Andersen <tycho-E0fblnxP3wo@public.gmane.org>
To: Christian Brauner <christian-STijNZzMWpgWenYVfaLwtA@public.gmane.org>
Cc: Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Akihiro Suda
<suda.akihiro-Zyj7fXuS5i5L9jVzuh4AOg@public.gmane.org>,
"Eric W . Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>,
Tyler Hicks <tyhicks-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>,
Christian Brauner
<christian.brauner-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>,
Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>,
"Tobin C . Harding" <me-xzjC0nNlxno@public.gmane.org>
Subject: Re: [PATCH v2 1/4] seccomp: add a return code to trap to userspace
Date: Fri, 18 May 2018 09:21:45 -0600 [thread overview]
Message-ID: <20180518152145.GB7699@cisco> (raw)
In-Reply-To: <20180518140415.GB26297-cl+VPiYnx/1AfugRpC6u6w@public.gmane.org>
On Fri, May 18, 2018 at 04:04:16PM +0200, Christian Brauner wrote:
> On Thu, May 17, 2018 at 09:12:15AM -0600, Tycho Andersen wrote:
> > +#ifdef CONFIG_SECCOMP_USER_NOTIFICATION
> > +static u64 seccomp_next_notify_id(struct seccomp_filter *filter)
> > +{
> > + u64 ret = filter->next_id;
> > +
> > + /* Note: overflow is ok here, the id just needs to be unique */
> > + filter->next_id++;
> > +
> > + return ret;
> > +}
>
> Nit: Depending on how averse people are to relying on side-effects this
> could be simplified to:
>
> static inline u64 seccomp_next_notify_id(struct seccomp_filter *filter)
> {
> /* Note: Overflow is ok. The id just needs to be unique. */
> return filter->next_id++;
> }
Oh, yes, definitely. I think this is leftover from when this function
worked a different way.
> > +
> > +static void seccomp_do_user_notification(int this_syscall,
> > + struct seccomp_filter *match,
> > + const struct seccomp_data *sd)
> > +{
> > + int err;
> > + long ret = 0;
> > + struct seccomp_knotif n = {};
> > +
> > + mutex_lock(&match->notify_lock);
> > + if (!match->has_listener) {
> > + err = -ENOSYS;
> > + goto out;
> > + }
>
> Nit:
>
> err = -ENOSYS;
> mutex_lock(&match->notify_lock);
> if (!match->has_listener)
> goto out;
>
> looks cleaner to me or you do the err initalization at the top of the
> function. :)
Ok :)
> > +
> > + n.pid = current->pid;
> > + n.state = SECCOMP_NOTIFY_INIT;
> > + n.data = sd;
> > + n.id = seccomp_next_notify_id(match);
> > + init_completion(&n.ready);
> > +
> > + list_add(&n.list, &match->notifications);
> > +
> > + mutex_unlock(&match->notify_lock);
> > + up(&match->request);
> > +
> > + err = wait_for_completion_interruptible(&n.ready);
> > + mutex_lock(&match->notify_lock);
> > +
> > + /*
> > + * Here it's possible we got a signal and then had to wait on the mutex
> > + * while the reply was sent, so let's be sure there wasn't a response
> > + * in the meantime.
> > + */
> > + if (err < 0 && n.state != SECCOMP_NOTIFY_REPLIED) {
> > + /*
> > + * We got a signal. Let's tell userspace about it (potentially
> > + * again, if we had already notified them about the first one).
> > + */
> > + if (n.state == SECCOMP_NOTIFY_SENT) {
> > + n.state = SECCOMP_NOTIFY_INIT;
> > + up(&match->request);
> > + }
> > + mutex_unlock(&match->notify_lock);
> > + err = wait_for_completion_killable(&n.ready);
> > + mutex_lock(&match->notify_lock);
> > + if (err < 0)
> > + goto remove_list;
> > + }
> > +
> > + ret = n.val;
> > + err = n.error;
> > +
> > + WARN(n.state != SECCOMP_NOTIFY_REPLIED,
> > + "notified about write complete when state is not write");
>
> Nit: That message seems a little cryptic.
Perhaps we can just drop it. It's just a sanity check, but given the
tests above, it doesn't seem likely.
> > +
> > +remove_list:
> > + list_del(&n.list);
> > +out:
> > + mutex_unlock(&match->notify_lock);
> > + syscall_set_return_value(current, task_pt_regs(current),
> > + err, ret);
> > +}
> > +#else
> > +static void seccomp_do_user_notification(int this_syscall,
> > + u32 action,
> > + struct seccomp_filter *match,
> > + const struct seccomp_data *sd)
> > +{
> > + WARN(1, "user notification received, but disabled");
>
> Nit: "received unexpected user notification" might be clearer
Yes, I wonder if we shouldn't just drop this too -- it's not a kernel
bug, but a userspace bug that they're using features that aren't
enabled.
We could enhance the verifier with a static check for
BPF_RET | BPF_K == SECCOMPO_RET_USER_NOTIF and reject such programs if
user notification isn't enabled. Of course, it wouldn't handle the
dynamic case, but it might be useful.
Tycho
WARNING: multiple messages have this Message-ID (diff)
From: Tycho Andersen <tycho@tycho.ws>
To: Christian Brauner <christian@brauner.io>
Cc: linux-kernel@vger.kernel.org,
containers@lists.linux-foundation.org,
"Tobin C . Harding" <me@tobin.cc>,
Kees Cook <keescook@chromium.org>,
Akihiro Suda <suda.akihiro@lab.ntt.co.jp>,
Oleg Nesterov <oleg@redhat.com>,
Andy Lutomirski <luto@amacapital.net>,
"Eric W . Biederman" <ebiederm@xmission.com>,
Christian Brauner <christian.brauner@ubuntu.com>,
Tyler Hicks <tyhicks@canonical.com>
Subject: Re: [PATCH v2 1/4] seccomp: add a return code to trap to userspace
Date: Fri, 18 May 2018 09:21:45 -0600 [thread overview]
Message-ID: <20180518152145.GB7699@cisco> (raw)
In-Reply-To: <20180518140415.GB26297@mailbox.org>
On Fri, May 18, 2018 at 04:04:16PM +0200, Christian Brauner wrote:
> On Thu, May 17, 2018 at 09:12:15AM -0600, Tycho Andersen wrote:
> > +#ifdef CONFIG_SECCOMP_USER_NOTIFICATION
> > +static u64 seccomp_next_notify_id(struct seccomp_filter *filter)
> > +{
> > + u64 ret = filter->next_id;
> > +
> > + /* Note: overflow is ok here, the id just needs to be unique */
> > + filter->next_id++;
> > +
> > + return ret;
> > +}
>
> Nit: Depending on how averse people are to relying on side-effects this
> could be simplified to:
>
> static inline u64 seccomp_next_notify_id(struct seccomp_filter *filter)
> {
> /* Note: Overflow is ok. The id just needs to be unique. */
> return filter->next_id++;
> }
Oh, yes, definitely. I think this is leftover from when this function
worked a different way.
> > +
> > +static void seccomp_do_user_notification(int this_syscall,
> > + struct seccomp_filter *match,
> > + const struct seccomp_data *sd)
> > +{
> > + int err;
> > + long ret = 0;
> > + struct seccomp_knotif n = {};
> > +
> > + mutex_lock(&match->notify_lock);
> > + if (!match->has_listener) {
> > + err = -ENOSYS;
> > + goto out;
> > + }
>
> Nit:
>
> err = -ENOSYS;
> mutex_lock(&match->notify_lock);
> if (!match->has_listener)
> goto out;
>
> looks cleaner to me or you do the err initalization at the top of the
> function. :)
Ok :)
> > +
> > + n.pid = current->pid;
> > + n.state = SECCOMP_NOTIFY_INIT;
> > + n.data = sd;
> > + n.id = seccomp_next_notify_id(match);
> > + init_completion(&n.ready);
> > +
> > + list_add(&n.list, &match->notifications);
> > +
> > + mutex_unlock(&match->notify_lock);
> > + up(&match->request);
> > +
> > + err = wait_for_completion_interruptible(&n.ready);
> > + mutex_lock(&match->notify_lock);
> > +
> > + /*
> > + * Here it's possible we got a signal and then had to wait on the mutex
> > + * while the reply was sent, so let's be sure there wasn't a response
> > + * in the meantime.
> > + */
> > + if (err < 0 && n.state != SECCOMP_NOTIFY_REPLIED) {
> > + /*
> > + * We got a signal. Let's tell userspace about it (potentially
> > + * again, if we had already notified them about the first one).
> > + */
> > + if (n.state == SECCOMP_NOTIFY_SENT) {
> > + n.state = SECCOMP_NOTIFY_INIT;
> > + up(&match->request);
> > + }
> > + mutex_unlock(&match->notify_lock);
> > + err = wait_for_completion_killable(&n.ready);
> > + mutex_lock(&match->notify_lock);
> > + if (err < 0)
> > + goto remove_list;
> > + }
> > +
> > + ret = n.val;
> > + err = n.error;
> > +
> > + WARN(n.state != SECCOMP_NOTIFY_REPLIED,
> > + "notified about write complete when state is not write");
>
> Nit: That message seems a little cryptic.
Perhaps we can just drop it. It's just a sanity check, but given the
tests above, it doesn't seem likely.
> > +
> > +remove_list:
> > + list_del(&n.list);
> > +out:
> > + mutex_unlock(&match->notify_lock);
> > + syscall_set_return_value(current, task_pt_regs(current),
> > + err, ret);
> > +}
> > +#else
> > +static void seccomp_do_user_notification(int this_syscall,
> > + u32 action,
> > + struct seccomp_filter *match,
> > + const struct seccomp_data *sd)
> > +{
> > + WARN(1, "user notification received, but disabled");
>
> Nit: "received unexpected user notification" might be clearer
Yes, I wonder if we shouldn't just drop this too -- it's not a kernel
bug, but a userspace bug that they're using features that aren't
enabled.
We could enhance the verifier with a static check for
BPF_RET | BPF_K == SECCOMPO_RET_USER_NOTIF and reject such programs if
user notification isn't enabled. Of course, it wouldn't handle the
dynamic case, but it might be useful.
Tycho
next prev parent reply other threads:[~2018-05-18 15:21 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-17 15:12 [PATCH v2 0/4] seccomp trap to userspace Tycho Andersen
2018-05-17 15:12 ` Tycho Andersen
2018-05-17 15:12 ` [PATCH v2 1/4] seccomp: add a return code to " Tycho Andersen
[not found] ` <20180517151218.12850-2-tycho-E0fblnxP3wo@public.gmane.org>
2018-05-17 15:33 ` Oleg Nesterov
2018-05-19 0:14 ` kbuild test robot
2018-05-19 5:01 ` kbuild test robot
2018-05-19 5:01 ` kbuild test robot
[not found] ` <201805191041.sVHKG1E9%fengguang.wu-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2018-05-21 22:55 ` Tycho Andersen
2018-05-21 22:55 ` Tycho Andersen
2018-05-17 15:33 ` Oleg Nesterov
2018-05-17 15:39 ` Tycho Andersen
2018-05-17 15:46 ` Oleg Nesterov
[not found] ` <20180517154637.GC8586-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2018-05-24 15:28 ` Tycho Andersen
2018-05-24 15:28 ` Tycho Andersen
2018-05-17 15:46 ` Oleg Nesterov
[not found] ` <20180517153323.GA8586-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2018-05-17 15:39 ` Tycho Andersen
2018-05-18 14:04 ` Christian Brauner
[not found] ` <20180518140415.GB26297-cl+VPiYnx/1AfugRpC6u6w@public.gmane.org>
2018-05-18 15:21 ` Tycho Andersen [this message]
2018-05-18 15:21 ` Tycho Andersen
2018-05-19 0:14 ` kbuild test robot
2018-05-17 15:12 ` [PATCH v2 2/4] seccomp: make get_nth_filter available outside of CHECKPOINT_RESTORE Tycho Andersen
[not found] ` <20180517151218.12850-1-tycho-E0fblnxP3wo@public.gmane.org>
2018-05-17 15:12 ` [PATCH v2 1/4] seccomp: add a return code to trap to userspace Tycho Andersen
2018-05-17 15:12 ` [PATCH v2 2/4] seccomp: make get_nth_filter available outside of CHECKPOINT_RESTORE Tycho Andersen
2018-05-17 15:12 ` [PATCH v2 3/4] seccomp: add a way to get a listener fd from ptrace Tycho Andersen
2018-05-17 15:12 ` [PATCH v2 4/4] seccomp: add support for passing fds via USER_NOTIF Tycho Andersen
2018-05-17 15:12 ` [PATCH v2 3/4] seccomp: add a way to get a listener fd from ptrace Tycho Andersen
[not found] ` <20180517151218.12850-4-tycho-E0fblnxP3wo@public.gmane.org>
2018-05-17 15:41 ` Oleg Nesterov
2018-05-17 15:41 ` Oleg Nesterov
[not found] ` <20180517154139.GB8586-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2018-05-17 15:57 ` Tycho Andersen
2018-05-17 15:57 ` Tycho Andersen
2018-05-17 15:59 ` Tycho Andersen
2018-05-17 15:59 ` Tycho Andersen
2018-05-18 14:05 ` Christian Brauner
[not found] ` <20180518140556.GC26297-cl+VPiYnx/1AfugRpC6u6w@public.gmane.org>
2018-05-18 15:10 ` Tycho Andersen
2018-05-18 15:10 ` Tycho Andersen
2018-05-17 15:12 ` [PATCH v2 4/4] seccomp: add support for passing fds via USER_NOTIF Tycho Andersen
2018-05-18 14:03 ` [PATCH v2 0/4] seccomp trap to userspace Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180518152145.GB7699@cisco \
--to=tycho-e0fblnxp3wo@public.gmane.org \
--cc=christian-STijNZzMWpgWenYVfaLwtA@public.gmane.org \
--cc=christian.brauner-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=me-xzjC0nNlxno@public.gmane.org \
--cc=oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=suda.akihiro-Zyj7fXuS5i5L9jVzuh4AOg@public.gmane.org \
--cc=tyhicks-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.