From: Oleg Nesterov <oleg@redhat.com>
To: Tycho Andersen <tycho@tycho.ws>
Cc: Kees Cook <keescook@chromium.org>,
Andy Lutomirski <luto@amacapital.net>,
"Eric W . Biederman" <ebiederm@xmission.com>,
"Serge E . Hallyn" <serge@hallyn.com>,
Christian Brauner <christian@brauner.io>,
Tyler Hicks <tyhicks@canonical.com>,
Akihiro Suda <suda.akihiro@lab.ntt.co.jp>,
Aleksa Sarai <asarai@suse.de>,
linux-kernel@vger.kernel.org,
containers@lists.linux-foundation.org, linux-api@vger.kernel.org
Subject: Re: [PATCH v8 1/2] seccomp: add a return code to trap to userspace
Date: Thu, 1 Nov 2018 15:48:05 +0100 [thread overview]
Message-ID: <20181101144804.GD23232@redhat.com> (raw)
In-Reply-To: <20181030153231.GB7343@cisco>
On 10/30, Tycho Andersen wrote:
>
> > I am not sure I understand the value of signaled/SECCOMP_NOTIF_FLAG_SIGNALED...
> > I mean, why it is actually useful?
> >
> > Sorry if this was already discussed.
>
> :) no problem, many people have complained about this. This is an
> implementation of Andy's suggestion here:
> https://lkml.org/lkml/2018/3/15/1122
>
> You can see some more detailed discussion here:
> https://lkml.org/lkml/2018/9/21/138
Cough, sorry, I simply can't understand what are you talking about ;)
It seems that I need to read all the previous emails... So let me ask
a stupid question below.
> > But my main concern is that either way wait_for_completion_killable() allows
> > to trivially create a process which doesn't react to SIGSTOP, not good...
> >
> > Note also that this can happen if, say, both the tracer and tracee run in the
> > same process group and SIGSTOP is sent to their pgid, if the tracer gets the
> > signal first the tracee won't stop.
> >
> > Of freezer. try_to_freeze_tasks() can fail if it freezes the tracer before
> > it does SECCOMP_IOCTL_NOTIF_SEND.
>
> I think in general the way this is intended to be used these things
> wouldn't happen.
Why?
> was malicious and had the ability to create a user namespace to
> exhaust pids this way,
Not sure I understand how this connects to my question... nevermind.
> so perhaps we should drop this part of the
> patch. I have no real need for it, but perhaps Andy can elaborate?
Yes I think it would be nice to avoid wait_for_completion_killable().
So please help me to understand the problem. Once again, why can not
seccomp_do_user_notification() use wait_for_completion_interruptible() only?
This is called before the task actually starts the syscall, so
-ERESTARTNOINTR if signal_pending() can't hurt.
Now lets suppose seccomp_do_user_notification() simply does
err = wait_for_completion_interruptible(&n.ready);
if (err < 0 && state != SECCOMP_NOTIFY_REPLIED) {
syscall_set_return_value(ERESTARTNOINTR);
list_del(&n.list);
return -1;
}
(I am ignoring the locking/etc). Now the obvious problem is that the listener
doing SECCOMP_IOCTL_NOTIF_SEND can't distinguish -ENOENT from the case when the
tracee was killed, yes?
Is it that important?
Any other problem?
Oleg.
next prev parent reply other threads:[~2018-11-01 14:48 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-29 22:40 [PATCH v8 0/2] seccomp trap to userspace Tycho Andersen
2018-10-29 22:40 ` [PATCH v8 1/2] seccomp: add a return code to " Tycho Andersen
2018-10-30 14:32 ` Oleg Nesterov
2018-10-30 15:32 ` Tycho Andersen
2018-11-01 14:48 ` Oleg Nesterov [this message]
2018-11-01 20:33 ` Tycho Andersen
2018-11-02 11:29 ` Oleg Nesterov
2018-11-02 13:50 ` Tycho Andersen
2018-10-30 15:02 ` Oleg Nesterov
2018-10-30 15:54 ` Tycho Andersen
2018-10-30 15:54 ` Tycho Andersen
2018-10-30 16:27 ` Oleg Nesterov
2018-10-30 16:39 ` Oleg Nesterov
2018-10-30 17:21 ` Tycho Andersen
2018-10-30 21:32 ` Kees Cook
2018-10-31 13:04 ` Oleg Nesterov
2018-10-30 21:38 ` Kees Cook
2018-10-30 21:49 ` Kees Cook
2018-10-30 21:54 ` Tycho Andersen
2018-10-30 22:00 ` Kees Cook
2018-10-30 22:32 ` Tycho Andersen
2018-10-30 22:34 ` Kees Cook
2018-10-31 0:29 ` Tycho Andersen
2018-10-31 1:29 ` Kees Cook
2018-11-01 13:40 ` Oleg Nesterov
2018-11-01 19:56 ` Tycho Andersen
2018-11-02 10:02 ` Oleg Nesterov
2018-11-02 13:38 ` Tycho Andersen
2018-11-01 13:56 ` Oleg Nesterov
2018-11-01 19:58 ` Tycho Andersen
2018-11-29 23:08 ` Tycho Andersen
2018-11-30 10:17 ` Oleg Nesterov
2018-10-29 22:40 ` [PATCH v8 2/2] samples: add an example of seccomp user trap Tycho Andersen
2018-10-29 23:31 ` Serge E. Hallyn
2018-10-30 2:05 ` Tycho Andersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181101144804.GD23232@redhat.com \
--to=oleg@redhat.com \
--cc=asarai@suse.de \
--cc=christian@brauner.io \
--cc=containers@lists.linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=serge@hallyn.com \
--cc=suda.akihiro@lab.ntt.co.jp \
--cc=tycho@tycho.ws \
--cc=tyhicks@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.