From: Kees Cook <keescook@chromium.org>
To: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Sargun Dhillon <sargun@sargun.me>,
	Giuseppe Scrivano <gscrivan@redhat.com>,
	Robert Sesek <rsesek@google.com>,
	Chris Palmer <palmer@google.com>, Jann Horn <jannh@google.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	containers@lists.linux-foundation.org,
	Daniel Wagner <daniel.wagner@bmw-carit.de>,
	linux-kernel@vger.kernel.org, Matt Denton <mpdenton@google.com>,
	John Fastabend <john.r.fastabend@intel.com>,
	linux-fsdevel@vger.kernel.org, Al Viro <viro@zeniv.linux.org.uk>,
	cgroups@vger.kernel.org, Tejun Heo <tj@kernel.org>,
	stable@vger.kernel.org, "David S . Miller" <davem@davemloft.net>
Subject: Re: [PATCH v3 1/4] fs, net: Standardize on file_receive helper to move fds across processes
Date: Tue, 9 Jun 2020 13:55:42 -0700	[thread overview]
Message-ID: <202006091346.66B79E07@keescook> (raw)
In-Reply-To: <20200609200346.3fthqgfyw3bxat6l@wittgenstein>

On Tue, Jun 09, 2020 at 10:03:46PM +0200, Christian Brauner wrote:
> I'm looking at __scm_install_fd() and I wonder what specifically you
> mean by that? The put_user() seems to be placed such that the install
> occurs only if it succeeded. Sure, it only handles a single fd but
> whatever. Userspace knows that already. Just look at systemd when a msg
> fails:
> 
> void cmsg_close_all(struct msghdr *mh) {
>         struct cmsghdr *cmsg;
> 
>         assert(mh);
> 
>         CMSG_FOREACH(cmsg, mh)
>                 if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS)
>                         close_many((int*) CMSG_DATA(cmsg), (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int));
> }
> 
> The only reasonable scenario for this whole mess I can think of is sm like (pseudo code):
> 
> fd_install_received(int fd, struct file *file)
> {
> 	sock = sock_from_file(fd, &err);
> 	if (sock) {
> 		sock_update_netprioidx(&sock->sk->sk_cgrp_data);
> 		sock_update_classid(&sock->sk->sk_cgrp_data);
> 	}
> 
> 	fd_install();
> }
> 
> error = 0;
> fdarray = malloc(fdmax);
> for (i = 0; i < fdmax; i++) {
> 	fdarray[i] = get_unused_fd_flags(o_flags);
> 	if (fdarray[i] < 0) {
> 		error = -EBADF;
> 		break;
> 	}
> 
> 	error = security_file_receive(file);
> 	if (error)
> 		break;
> 
> 	error = put_user(fdarray[i], ufd);
> 	if (error)
> 		break;
> }
> 
> for (i = 0; i < fdmax; i++) {
> 	if (error) {
> 		/* ignore errors */
> 		put_user(-EBADF, ufd); /* If this put_user() fails and the first one succeeded userspace might now close an fd it didn't intend to. */
> 		put_unused_fd(fdarray[i]);
> 	} else {
> 		fd_install_received(fdarray[i], file);
> 	}
> }

I see 4 cases of the same code pattern (get_unused_fd_flags(),
sock_update_*(), fd_install()), one of them has this difficult put_user()
in the middle, and one of them has a potential replace_fd() instead of
the get_used/fd_install. So, to me, it makes sense to have a helper that
encapsulates the common work that each of those call sites has to do,
which is why I keep cringing at all these suggestions that leave portions of it
outside the helper.

If it's too ugly to keep the put_user() in the helper, then we can try
what was suggested earlier, and just totally rework the failure path for
SCM_RIGHTS.

LOL. And while we were debating this, hch just went and cleaned stuff
up:

2618d530dd8b ("net/scm: cleanup scm_detach_fds")

So, um, yeah, now my proposal is actually even closer to what we already
have there. We just add the replace_fd() logic to __scm_install_fd() and
we're done with it.

-- 
Kees Cook
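An added userspace example, not code from this thread, from the kernel, or from systemd: it exercises the partial-failure case discussed above, where the kernel has installed some of the SCM_RIGHTS fds but not all, by sending three fds over a socketpair to a receiver whose control buffer only has room for two, and then releases the fds that did arrive with a cmsg_close_all() loop of the same shape as the systemd one quoted earlier. It assumes Linux semantics for MSG_CTRUNC; the function names and the 3-vs-2 sizing are my own choices.

```c
#include <sys/socket.h>
#include <unistd.h>

#define SEND_FDS 3  /* fds the sender attaches to one message */
#define RECV_ROOM 2 /* fds the receiver's control buffer has room for */

/* Close every fd carried by SCM_RIGHTS cmsgs in a received message; returns how many. */
static int cmsg_close_all(struct msghdr *mh)
{
	int closed = 0;
	for (struct cmsghdr *c = CMSG_FIRSTHDR(mh); c; c = CMSG_NXTHDR(mh, c)) {
		if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
			continue;
		size_t n = (c->cmsg_len - CMSG_LEN(0)) / sizeof(int);
		for (size_t i = 0; i < n; i++, closed++)
			close(((int *)CMSG_DATA(c))[i]);
	}
	return closed;
}

/* Sender attaches SEND_FDS fds, receiver has room for RECV_ROOM, so the kernel
 * installs what fits and sets MSG_CTRUNC. Returns fds closed, -2 if no CTRUNC, -1 on error. */
static int demo_truncated_receive(void)
{
	int sv[2], closed;
	char byte = 'x';
	union { char buf[CMSG_SPACE(sizeof(int) * SEND_FDS)]; struct cmsghdr a; } s = { 0 };
	union { char buf[CMSG_SPACE(sizeof(int) * RECV_ROOM)]; struct cmsghdr a; } r;
	struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
	struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1,
			     .msg_control = s.buf, .msg_controllen = sizeof s.buf };
	struct cmsghdr *c = CMSG_FIRSTHDR(&mh);
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
		return -1;
	c->cmsg_level = SOL_SOCKET;
	c->cmsg_type = SCM_RIGHTS;
	c->cmsg_len = CMSG_LEN(sizeof(int) * SEND_FDS);
	for (int i = 0; i < SEND_FDS; i++)
		((int *)CMSG_DATA(c))[i] = sv[0]; /* any open fd will do as payload */
	if (sendmsg(sv[0], &mh, 0) != 1)
		return -1;
	mh.msg_control = r.buf; /* receive into the deliberately smaller control buffer */
	mh.msg_controllen = sizeof r.buf;
	if (recvmsg(sv[1], &mh, 0) != 1)
		return -1;
	closed = cmsg_close_all(&mh); /* release the fds the kernel did install */
	close(sv[0]);
	close(sv[1]);
	return (mh.msg_flags & MSG_CTRUNC) ? closed : -2;
}
```

The receiver sees MSG_CTRUNC and exactly RECV_ROOM fds in the cmsg, which is the state the thread is discussing: some fds are already live in the receiving process and userspace has to close them itself.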
