From: Tycho Andersen <tycho@tycho.ws>
To: Oleg Nesterov <oleg@redhat.com>
Cc: Kees Cook <keescook@chromium.org>,
Andy Lutomirski <luto@amacapital.net>,
"Eric W . Biederman" <ebiederm@xmission.com>,
"Serge E . Hallyn" <serge@hallyn.com>,
Christian Brauner <christian@brauner.io>,
Tyler Hicks <tyhicks@canonical.com>,
Akihiro Suda <suda.akihiro@lab.ntt.co.jp>,
Aleksa Sarai <asarai@suse.de>,
linux-kernel@vger.kernel.org,
containers@lists.linux-foundation.org, linux-api@vger.kernel.org
Subject: Re: [PATCH v8 1/2] seccomp: add a return code to trap to userspace
Date: Tue, 30 Oct 2018 09:54:03 -0600 [thread overview]
Message-ID: <20181030155403.GC7343@cisco> (raw)
In-Reply-To: <20181030150254.GB3385@redhat.com>
On Tue, Oct 30, 2018 at 04:02:54PM +0100, Oleg Nesterov wrote:
> On 10/29, Tycho Andersen wrote:
> >
> > +static long seccomp_notify_recv(struct seccomp_filter *filter,
> > + void __user *buf)
> > +{
> > + struct seccomp_knotif *knotif = NULL, *cur;
> > + struct seccomp_notif unotif;
> > + ssize_t ret;
> > +
> > + memset(&unotif, 0, sizeof(unotif));
> > +
> > + ret = down_interruptible(&filter->notif->request);
> > + if (ret < 0)
> > + return ret;
> > +
> > + mutex_lock(&filter->notify_lock);
> > + list_for_each_entry(cur, &filter->notif->notifications, list) {
> > + if (cur->state == SECCOMP_NOTIFY_INIT) {
> > + knotif = cur;
> > + break;
> > + }
> > + }
> > +
> > + /*
> > + * If we didn't find a notification, it could be that the task was
> > + * interrupted by a fatal signal between the time we were woken and
> > + * when we were able to acquire the rw lock.
> > + *
> > + * This is the place where we handle the extra high semaphore count
> > + * mentioned in seccomp_do_user_notification().
> > + */
> > + if (!knotif) {
> > + ret = -ENOENT;
> > + goto out;
> > + }
> > +
> > + unotif.id = knotif->id;
> > + unotif.pid = task_pid_vnr(knotif->task);
> > + if (knotif->signaled)
> > + unotif.flags |= SECCOMP_NOTIF_FLAG_SIGNALED;
> > + unotif.data = *(knotif->data);
>
> Tycho, I forgot everything about seccomp, most probably I am wrong but let me
> ask anyway.
>
> __seccomp_filter(SECCOMP_RET_TRACE) does
>
> /*
> * Recheck the syscall, since it may have changed. This
> * intentionally uses a NULL struct seccomp_data to force
> * a reload of all registers. This does not goto skip since
> * a skip would have already been reported.
> */
> if (__seccomp_filter(this_syscall, NULL, true))
> return -1;
>
> and the next seccomp_run_filters() can return SECCOMP_RET_USER_NOTIF, right?
> seccomp_do_user_notification() doesn't check recheck_after_trace and it simply
> does n.data = sd.
>
> Doesn't this mean that "unotif.data = *(knotif->data)" can hit NULL ?
>
> seccomp_run_filters() does populate_seccomp_data() in this case, but this
> won't affect "seccomp_data *sd" passed to seccomp_do_user_notification().
Oof, yes, you're right. Seems like there are no other users of sd in
__seccomp_filter(). Seems to me like we can just do the
populate_seccomp_data() one level higher in __seccomp_filter()?
Tycho
>From 9e0f75ea51a2c328567910df3122a236ebeccab0 Mon Sep 17 00:00:00 2001
From: Tycho Andersen <tycho@tycho.ws>
Date: Tue, 30 Oct 2018 09:51:14 -0600
Subject: [PATCH] seccomp: hoist struct seccomp_data recalculation higher
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
---
kernel/seccomp.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 4c5fb6ced4cd..1525cb753ad2 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -257,7 +257,6 @@ static int seccomp_check_filter(struct sock_filter *filter, unsigned int flen)
static u32 seccomp_run_filters(const struct seccomp_data *sd,
struct seccomp_filter **match)
{
- struct seccomp_data sd_local;
u32 ret = SECCOMP_RET_ALLOW;
/* Make sure cross-thread synced filter points somewhere sane. */
struct seccomp_filter *f =
@@ -267,11 +266,6 @@ static u32 seccomp_run_filters(const struct seccomp_data *sd,
if (unlikely(WARN_ON(f == NULL)))
return SECCOMP_RET_KILL_PROCESS;
- if (!sd) {
- populate_seccomp_data(&sd_local);
- sd = &sd_local;
- }
-
/*
* All filters in the list are evaluated and the lowest BPF return
* value always takes priority (ignoring the DATA).
@@ -821,6 +815,7 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd,
u32 filter_ret, action;
struct seccomp_filter *match = NULL;
int data;
+ struct seccomp_data sd_local;
/*
* Make sure that any changes to mode from another thread have
@@ -828,6 +823,11 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd,
*/
rmb();
+ if (!sd) {
+ populate_seccomp_data(&sd_local);
+ sd = &sd_local;
+ }
+
filter_ret = seccomp_run_filters(sd, &match);
data = filter_ret & SECCOMP_RET_DATA;
action = filter_ret & SECCOMP_RET_ACTION_FULL;
--
2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: Tycho Andersen <tycho@tycho.ws>
To: Oleg Nesterov <oleg@redhat.com>
Cc: Kees Cook <keescook@chromium.org>,
Andy Lutomirski <luto@amacapital.net>,
"Eric W . Biederman" <ebiederm@xmission.com>,
"Serge E . Hallyn" <serge@hallyn.com>,
Christian Brauner <christian@brauner.io>,
Tyler Hicks <tyhicks@canonical.com>,
Akihiro Suda <suda.akihiro@lab.ntt.co.jp>,
Aleksa Sarai <asarai@suse.de>,
linux-kernel@vger.kernel.org,
containers@lists.linux-foundation.org, linux-api@vger.kernel.org
Subject: Re: [PATCH v8 1/2] seccomp: add a return code to trap to userspace
Date: Tue, 30 Oct 2018 09:54:03 -0600 [thread overview]
Message-ID: <20181030155403.GC7343@cisco> (raw)
In-Reply-To: <20181030150254.GB3385@redhat.com>
On Tue, Oct 30, 2018 at 04:02:54PM +0100, Oleg Nesterov wrote:
> On 10/29, Tycho Andersen wrote:
> >
> > +static long seccomp_notify_recv(struct seccomp_filter *filter,
> > + void __user *buf)
> > +{
> > + struct seccomp_knotif *knotif = NULL, *cur;
> > + struct seccomp_notif unotif;
> > + ssize_t ret;
> > +
> > + memset(&unotif, 0, sizeof(unotif));
> > +
> > + ret = down_interruptible(&filter->notif->request);
> > + if (ret < 0)
> > + return ret;
> > +
> > + mutex_lock(&filter->notify_lock);
> > + list_for_each_entry(cur, &filter->notif->notifications, list) {
> > + if (cur->state == SECCOMP_NOTIFY_INIT) {
> > + knotif = cur;
> > + break;
> > + }
> > + }
> > +
> > + /*
> > + * If we didn't find a notification, it could be that the task was
> > + * interrupted by a fatal signal between the time we were woken and
> > + * when we were able to acquire the rw lock.
> > + *
> > + * This is the place where we handle the extra high semaphore count
> > + * mentioned in seccomp_do_user_notification().
> > + */
> > + if (!knotif) {
> > + ret = -ENOENT;
> > + goto out;
> > + }
> > +
> > + unotif.id = knotif->id;
> > + unotif.pid = task_pid_vnr(knotif->task);
> > + if (knotif->signaled)
> > + unotif.flags |= SECCOMP_NOTIF_FLAG_SIGNALED;
> > + unotif.data = *(knotif->data);
>
> Tycho, I forgot everything about seccomp, most probably I am wrong but let me
> ask anyway.
>
> __seccomp_filter(SECCOMP_RET_TRACE) does
>
> /*
> * Recheck the syscall, since it may have changed. This
> * intentionally uses a NULL struct seccomp_data to force
> * a reload of all registers. This does not goto skip since
> * a skip would have already been reported.
> */
> if (__seccomp_filter(this_syscall, NULL, true))
> return -1;
>
> and the next seccomp_run_filters() can return SECCOMP_RET_USER_NOTIF, right?
> seccomp_do_user_notification() doesn't check recheck_after_trace and it simply
> does n.data = sd.
>
> Doesn't this mean that "unotif.data = *(knotif->data)" can hit NULL ?
>
> seccomp_run_filters() does populate_seccomp_data() in this case, but this
> won't affect "seccomp_data *sd" passed to seccomp_do_user_notification().
Oof, yes, you're right. Seems like there are no other users of sd in
__seccomp_filter(). Seems to me like we can just do the
populate_seccomp_data() one level higher in __seccomp_filter()?
Tycho
From 9e0f75ea51a2c328567910df3122a236ebeccab0 Mon Sep 17 00:00:00 2001
From: Tycho Andersen <tycho@tycho.ws>
Date: Tue, 30 Oct 2018 09:51:14 -0600
Subject: [PATCH] seccomp: hoist struct seccomp_data recalculation higher
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
---
kernel/seccomp.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 4c5fb6ced4cd..1525cb753ad2 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -257,7 +257,6 @@ static int seccomp_check_filter(struct sock_filter *filter, unsigned int flen)
static u32 seccomp_run_filters(const struct seccomp_data *sd,
struct seccomp_filter **match)
{
- struct seccomp_data sd_local;
u32 ret = SECCOMP_RET_ALLOW;
/* Make sure cross-thread synced filter points somewhere sane. */
struct seccomp_filter *f =
@@ -267,11 +266,6 @@ static u32 seccomp_run_filters(const struct seccomp_data *sd,
if (unlikely(WARN_ON(f == NULL)))
return SECCOMP_RET_KILL_PROCESS;
- if (!sd) {
- populate_seccomp_data(&sd_local);
- sd = &sd_local;
- }
-
/*
* All filters in the list are evaluated and the lowest BPF return
* value always takes priority (ignoring the DATA).
@@ -821,6 +815,7 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd,
u32 filter_ret, action;
struct seccomp_filter *match = NULL;
int data;
+ struct seccomp_data sd_local;
/*
* Make sure that any changes to mode from another thread have
@@ -828,6 +823,11 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd,
*/
rmb();
+ if (!sd) {
+ populate_seccomp_data(&sd_local);
+ sd = &sd_local;
+ }
+
filter_ret = seccomp_run_filters(sd, &match);
data = filter_ret & SECCOMP_RET_DATA;
action = filter_ret & SECCOMP_RET_ACTION_FULL;
--
2.17.1
next prev parent reply other threads:[~2018-10-30 15:54 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-29 22:40 [PATCH v8 0/2] seccomp trap to userspace Tycho Andersen
2018-10-29 22:40 ` [PATCH v8 1/2] seccomp: add a return code to " Tycho Andersen
2018-10-30 14:32 ` Oleg Nesterov
2018-10-30 15:32 ` Tycho Andersen
2018-11-01 14:48 ` Oleg Nesterov
2018-11-01 20:33 ` Tycho Andersen
2018-11-02 11:29 ` Oleg Nesterov
2018-11-02 13:50 ` Tycho Andersen
2018-10-30 15:02 ` Oleg Nesterov
2018-10-30 15:54 ` Tycho Andersen [this message]
2018-10-30 15:54 ` Tycho Andersen
2018-10-30 16:27 ` Oleg Nesterov
2018-10-30 16:39 ` Oleg Nesterov
2018-10-30 17:21 ` Tycho Andersen
2018-10-30 21:32 ` Kees Cook
2018-10-31 13:04 ` Oleg Nesterov
2018-10-30 21:38 ` Kees Cook
2018-10-30 21:49 ` Kees Cook
2018-10-30 21:54 ` Tycho Andersen
2018-10-30 22:00 ` Kees Cook
2018-10-30 22:32 ` Tycho Andersen
2018-10-30 22:34 ` Kees Cook
2018-10-31 0:29 ` Tycho Andersen
2018-10-31 1:29 ` Kees Cook
2018-11-01 13:40 ` Oleg Nesterov
2018-11-01 19:56 ` Tycho Andersen
2018-11-02 10:02 ` Oleg Nesterov
2018-11-02 13:38 ` Tycho Andersen
2018-11-01 13:56 ` Oleg Nesterov
2018-11-01 19:58 ` Tycho Andersen
2018-11-29 23:08 ` Tycho Andersen
2018-11-30 10:17 ` Oleg Nesterov
2018-10-29 22:40 ` [PATCH v8 2/2] samples: add an example of seccomp user trap Tycho Andersen
2018-10-29 23:31 ` Serge E. Hallyn
2018-10-30 2:05 ` Tycho Andersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181030155403.GC7343@cisco \
--to=tycho@tycho.ws \
--cc=asarai@suse.de \
--cc=christian@brauner.io \
--cc=containers@lists.linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=oleg@redhat.com \
--cc=serge@hallyn.com \
--cc=suda.akihiro@lab.ntt.co.jp \
--cc=tyhicks@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.