From: Tycho Andersen <tycho@tycho.ws>
To: Jann Horn <jannh@google.com>
Cc: Kees Cook <keescook@chromium.org>,
kernel list <linux-kernel@vger.kernel.org>,
containers@lists.linux-foundation.org,
Linux API <linux-api@vger.kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
Oleg Nesterov <oleg@redhat.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Christian Brauner <christian.brauner@ubuntu.com>,
Tyler Hicks <tyhicks@canonical.com>,
suda.akihiro@lab.ntt.co.jp, "Tobin C. Harding" <me@tobin.cc>
Subject: Re: [PATCH v4 1/4] seccomp: add a return code to trap to userspace
Date: Thu, 21 Jun 2018 19:39:14 -0600 [thread overview]
Message-ID: <20180622013914.GL3992@cisco> (raw)
In-Reply-To: <CAG48ez1Wob-CrbrPfgP_OBoG7zas4bJwFdLFFQLtgQAkj+HEOQ@mail.gmail.com>
On Fri, Jun 22, 2018 at 03:28:24AM +0200, Jann Horn wrote:
> On Fri, Jun 22, 2018 at 2:58 AM Tycho Andersen <tycho@tycho.ws> wrote:
> >
> > On Fri, Jun 22, 2018 at 01:21:47AM +0200, Jann Horn wrote:
> > > On Fri, Jun 22, 2018 at 12:05 AM Tycho Andersen <tycho@tycho.ws> wrote:
> > > [...]
> > > > +
> > > > +static void seccomp_do_user_notification(int this_syscall,
> > > > + struct seccomp_filter *match,
> > > > + const struct seccomp_data *sd)
> > > > +{
> > > > + int err;
> > > > + long ret = 0;
> > > > + struct seccomp_knotif n = {};
> > > > +
> > > > + mutex_lock(&match->notify_lock);
> > > > + err = -ENOSYS;
> > > > + if (!match->has_listener)
> > > > + goto out;
> > > > +
> > > > + n.pid = task_pid(current);
> > > > + n.state = SECCOMP_NOTIFY_INIT;
> > > > + n.data = sd;
> > > > + n.id = seccomp_next_notify_id(match);
> > > > + init_completion(&n.ready);
> > > > +
> > > > + list_add(&n.list, &match->notifications);
> > > > + wake_up_poll(&match->wqh, EPOLLIN | EPOLLRDNORM);
> > > > +
> > > > + mutex_unlock(&match->notify_lock);
> > > > + up(&match->request);
> > > > +
> > > > + err = wait_for_completion_interruptible(&n.ready);
> > > > + mutex_lock(&match->notify_lock);
> > > > +
> > > > + /*
> > > > + * Here it's possible we got a signal and then had to wait on the mutex
> > > > + * while the reply was sent, so let's be sure there wasn't a response
> > > > + * in the meantime.
> > > > + */
> > > > + if (err < 0 && n.state != SECCOMP_NOTIFY_REPLIED) {
> > > > + /*
> > > > + * We got a signal. Let's tell userspace about it (potentially
> > > > + * again, if we had already notified them about the first one).
> > > > + */
> > > > + if (n.state == SECCOMP_NOTIFY_SENT) {
> > > > + n.state = SECCOMP_NOTIFY_INIT;
> > > > + up(&match->request);
> > > > + }
> > > > + mutex_unlock(&match->notify_lock);
> > > > + err = wait_for_completion_killable(&n.ready);
> > >
> > > Does this mean that when you get a signal that isn't SIGKILL,
> > > wait_for_completion_interruptible() will bail out with -ERESTARTSYS,
> > > but then you hang on this wait_for_completion_killable()? I don't
> > > understand what's going on here. What's the point of using
> > > wait_for_completion_interruptible() when you'll just hang on another
> > > wait on the same "struct completion"?
> >
> > This is the implementation of this suggestion by Andy:
> > https://lkml.org/lkml/2018/3/15/1122
> >
> > The idea is to alert the listener that there was a signal exactly
> > once, in case it's in the middle of processing a request it could bail
> > out and do something else. So the killable wait is intended to ignore
> > other (non-fatal) signals after the first one and wait for whatever
> > the handler decides to do with the signal it received.
>
> How can the listener tell that a signal arrived? When the first
> non-fatal signal comes in, you just set the state to
> SECCOMP_NOTIFY_INIT if it was SECCOMP_NOTIFY_SENT, right? So the
> listener will potentially see the request twice, but with no
> additional indicator that a signal arrived? And in particular, if the
> listener doesn't read the request before the signal arrives, it will
> only see the request once, just as if it was a normal request with no
> signals involved?
I was thinking just parsing /proc/pid/status (given that people are
already going to be mapping things in /proc/pid/map_files to read
arguments and stuff, I didn't think too much of it),
> Would it perhaps make sense to add a field to struct seccomp_notif
> that indicates whether the notification is for a normal syscall or a
> canceled syscall?
Sure, I'll add a __u32 signal and set it to the value of the signal if
we got one.
Thanks!
Tycho
next prev parent reply other threads:[~2018-06-22 1:39 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-21 22:04 [PATCH v4 0/4] seccomp trap to userspace Tycho Andersen
2018-06-21 22:04 ` [PATCH v4 1/4] seccomp: add a return code to " Tycho Andersen
2018-06-21 23:21 ` Jann Horn
2018-06-22 0:58 ` Tycho Andersen
2018-06-22 1:28 ` Jann Horn
2018-06-22 1:39 ` Tycho Andersen [this message]
2018-06-22 14:40 ` Jann Horn
2018-06-22 15:15 ` Tycho Andersen
2018-06-22 16:24 ` Jann Horn
2018-06-22 18:09 ` Andy Lutomirski
2018-06-22 21:51 ` Kees Cook
2018-06-22 22:27 ` Jann Horn
2018-06-26 1:32 ` Tycho Andersen
2018-06-26 2:00 ` Andy Lutomirski
2018-06-21 22:04 ` [PATCH v4 2/4] seccomp: make get_nth_filter available outside of CHECKPOINT_RESTORE Tycho Andersen
2018-06-21 22:04 ` [PATCH v4 3/4] seccomp: add a way to get a listener fd from ptrace Tycho Andersen
2018-06-21 22:48 ` Jann Horn
2018-06-21 23:07 ` Tycho Andersen
2018-06-21 22:04 ` [PATCH v4 4/4] seccomp: add support for passing fds via USER_NOTIF Tycho Andersen
2018-06-21 23:34 ` Jann Horn
2018-06-22 0:51 ` Tycho Andersen
2018-06-22 16:23 ` Jann Horn
2018-06-22 18:21 ` Andy Lutomirski
2018-08-07 2:44 ` [PATCH v4 0/4] seccomp trap to userspace Tycho Andersen
2018-08-07 2:57 ` Andy Lutomirski
2018-08-07 3:30 ` Christian Brauner
2018-08-07 4:19 ` Andy Lutomirski
2018-08-07 12:23 ` Christian Brauner
2018-08-07 14:34 ` James Bottomley
2018-08-10 0:31 ` Dinesh Subhraveti
[not found] ` <CAP4sa4+rODVahad2hW-L3h7k6fkfGBsoCfDfBVuMwp3Aaie2KA@mail.gmail.com>
2018-08-11 2:32 ` Tycho Andersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180622013914.GL3992@cisco \
--to=tycho@tycho.ws \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=me@tobin.cc \
--cc=oleg@redhat.com \
--cc=serge@hallyn.com \
--cc=suda.akihiro@lab.ntt.co.jp \
--cc=tyhicks@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.