Re: [PATCH v2 1/2] seccomp: notify user trap about unused filter

[Kees Cook <keescook@chromium.org>]

On Thu, May 28, 2020 at 05:14:11PM +0200, Christian Brauner wrote:
>   * @usage: reference count to manage the object lifetime.
>   *         get/put helpers should be used when accessing an instance
>   *         outside of a lifetime-guarded section.  In general, this
>   *         is only needed for handling filters shared across tasks.
> [...]
> + * @live: Number of tasks that use this filter directly and number
> + *	  of dependent filters that have a non-zero @live counter.
> + *	  Altered during fork(), exit(), and filter installation
> [...]
>  	refcount_set(&sfilter->usage, 1);
> +	refcount_set(&sfilter->live, 1);

I'd like these reference counters to have more descriptive names. "usage"
by what? "live" from what perspective? At the least, I think we need
to be explicit in the comment, and at best we should do that and rename
them to be a bit more clear.

A filter's "usage" is incremented for each directly-attached task
(task::seccomp_data.filter, via fork() or thread_sync), once for the
dependent filter (filter::prev), and once for an open user_notif file
(file::private_data). When it reaches zero, there are (should be) no more
active memory references back to the struct filter and it can be freed.

A filter's "live" is incremented for each directly-attached task
(task::seccomp_data.filter, via fork() or thread_sync), and once for
the dependent filter (filter::prev). When it reaches zero there is no
way for new tasks to get associated with the filter, but there may still
be user_notif file::private_data references pointing at the filter.

But we're tracking "validity lifetime" (live) and "memory reference
safety" (usage).

signal_struct has "sigcnt" and "live". I find "sigcnt" to be an
unhelpful name too. (And why isn't it refcount_t?)

So, perhaps leave "live", but rename "usage" -> "references".

After looking at these other lifetime management examples in the kernel,
I'm convinced that tracking these states separately is correct, but I
remain uncomfortable about task management needing to explicitly make
two calls to let go of the filter.

I wonder if release_task() should also detach the filter from the task
and do a put_seccomp_filter() instead of waiting for task_free(). This
is supported by the other place where seccomp_filter_release() is
called:

> @@ -396,6 +400,7 @@ static inline void seccomp_sync_threads(unsigned long flags)
>  		 * allows a put before the assignment.)
>  		*/
>   		put_seccomp_filter(thread);
> +		seccomp_filter_release(thread);

This would also remove the only put_seccomp_filter() call outside of
seccomp.c, since the free_task() call will be removed now in favor of
the task_release() call.

So, is it safe to detach the filter in release_task()? Has dethreading
happened yet? i.e. can we race TSYNC? -- is there a possible
inc-from-zero? (Actually, all our refcount_inc()s should be
refcount_inc_not_zero() just for robustness.) I *think* we can do it
before the release_thread() call (instead of after cgroup_release()).

With that, then seccomp_filter_release() could assign the filter to NULL
and do the clean up:

void seccomp_filter_release(const struct task_struct *tsk)
{
	struct seccomp_filter *orig = READ_ONCE(tsk->seccomp.filter);

	smp_store_release(&tsk->seccomp.filter, NULL);
	__seccomp_filter_release(orig);
}

All other refcounting is then internal to seccomp.c. Which brings me
back to TSYNC, since we don't want to write NULL to task->seccomp.filter
during TSYNC. TSYNC can use:

void __seccomp_filter_release(struct seccomp_filter *filter)
{
	while (filter && refcount_dec_and_test(&filter->live)) {
		if (waitqueue_active(&filter->wqh))
			wake_up_poll(&filter->wqh, EPOLLHUP);
		filter = filter->prev;
	}
	__put_seccomp_filter(filter);
}

Thoughts?

-- 
Kees Cook