Date: Mon, 30 Nov 2020 18:20:09 -0500
From: Tycho Andersen
To: Alban Crequy
Cc: LKML, Linux Containers, Sargun Dhillon, Kees Cook, Giuseppe Scrivano, Christian Brauner, Rodrigo Campos, Mauricio Vásquez Bernal
Subject: Re: SECCOMP_IOCTL_NOTIF_ADDFD race condition
Message-ID: <20201130232009.GC38675@cisco>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

On Thu, Nov 26, 2020 at 02:09:33PM +0100, Alban Crequy wrote:
> Hi,
>
> With the addfd feature (added in “seccomp: Introduce addfd ioctl to
> seccomp user notifier”, commit 7cf97b125455), the new file is
> installed in the target process during the SECCOMP_IOCTL_NOTIF_ADDFD
> operation and not at the end with the SECCOMP_IOCTL_NOTIF_SEND
> operation. This can cause race conditions when the target process is
> interrupted by a signal (EINTR) and restarted automatically.
>
> This is more noticeable in multithreaded processes like with Golang.
> In Golang 1.14:
> https://golang.org/doc/go1.14
> > "A consequence of the implementation of preemption is that on Unix systems, including Linux and macOS systems, programs built with Go 1.14 will receive more signals than programs built with earlier releases. This means that programs that use packages like syscall or golang.org/x/sys/unix will see more slow system calls fail with EINTR errors. Those programs will have to handle those errors in some way, most likely looping to try the system call again."
>
> In my test, I added a seccomp policy which returns
> SECCOMP_RET_USER_NOTIF on execve() and I added a sleep(2) in the
> seccomp agent (using https://github.com/kinvolk/seccompagent/) between
> SECCOMP_IOCTL_NOTIF_RECV and SECCOMP_IOCTL_NOTIF_SEND to make it a bit
> slow to reply with SECCOMP_USER_NOTIF_FLAG_CONTINUE. I got the
> following strace log going on in a loop:
>
> [pid 2656199] execve("/bin/sh", ["sh", "-c", "sleep infinity"],
> 0xc000063b00 /* 11 vars */ <unfinished ...>
> [pid 2656200] <... nanosleep resumed>NULL) = 0
> [pid 2656200] epoll_pwait(7, [], 128, 0, NULL, 0) = 0
> [pid 2656200] getpid() = 1
> [pid 2656200] tgkill(1, 1, SIGURG) = 0
> [pid 2656199] <... execve resumed>) = ? ERESTARTSYS (To be
> restarted if SA_RESTART is set)
> [pid 2656200] nanosleep({tv_sec=0, tv_nsec=10000000}, <unfinished ...>
> [pid 2656199] --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=1,
> si_uid=0} ---
> [pid 2656199] rt_sigreturn({mask=[]}) = 59
> [pid 2656199] execve("/bin/sh", ["sh", "-c", "sleep infinity"],
> 0xc000063b00 /* 11 vars */ <unfinished ...>
>
> On the seccomp agent side, the ioctl(SECCOMP_IOCTL_NOTIF_SEND) returns
> ENOENT, and then it receives the same notification at the next
> iteration of the loop.
>
> The SIGURG signal is sent by the Golang runtime, causing the execve to
> be interrupted, and restarted automatically, triggering the new
> seccomp notification. In this example with execve, this is not a big
> deal because the seccomp agent doesn't add a fd. But on a open() or
> accept() syscall, I fear that the seccomp agent could install a file
> descriptor without knowing that the syscall will be interrupted soon
> after, but before the SECCOMP_IOCTL_NOTIF_SEND is completed.
>
> I understand the need to have two different ioctl() to add the fd and
> to reply to the seccomp notification because the seccomp agent needs
> to know the fd number being assigned before specifying the return
> value of the syscall with that number.
>
> What do you think is the best way to solve this problem? Here are a few ideas:
>
> - Idea 1: add a second flag for the struct seccomp_notif_resp
> “SECCOMP_USER_NOTIF_FLAG_RETURN_FD” to instruct seccomp to override
> the return value with the first fd to install. It would not help to
> emulate recvfrom() with SCM_RIGHTS but it will solve the problem for
> syscalls that return a fd because we can then implement a new ioctl
> (“SECCOMP_IOCTL_NOTIF_SEND_WITH_FDS”?) that does the addfd and the
> notification response in one step.
>
> Other ideas but they cause more problems:
>
> - Idea 2: We need some kind of transactions where the fd is sent with
> the first ioctl() and installed in the fd table but marked somehow to
> be closed automatically if the syscall is interrupted with EINTR
> outside of the control of the seccomp agent. The new fd in the fd
> table would be committed at the end if the syscall is not interrupted.
> But this introduces other issues: another thread could call dup() on
> the fd before it gets closed. Or another process sharing the fd table
> with CLONE_FILES could do the same. Should the not-yet-committed fds
> be visible in /proc/<pid>/fd/? Or inherited to new processes created
> by fork()?
>
> - Idea 3: We could add fds in a temporary location but not in the
> `struct files_struct` of the target process, and only commit at
> SECCOMP_IOCTL_NOTIF_SEND time. In this way, threads or processes
> sharing the fd table with CLONE_FILES would not be impacted. However,
> this could open new race conditions if other threads are installing
> fds in the same slots in the fd table. Also, this seems quite
> dangerous to add this concept of "inflight" fd for seccomp because
> there are already inflight fds for SCM_RIGHT and a garbage collector
> to clean circular references (net/unix/garbage.c). If we add an
> inflight fd mechanism on seccomp, a malicious user could just use
> SECCOMP_IOCTL_NOTIF_ADDFD to send a unix socket that has the
> seccomp-fd inflight in SCM_RIGHT. Then, the malicious seccomp agent
> would close(seccompFd) and we will be in a situation where both the
> seccomp-fd and the unix socket are not attached to any process but
> they reference each other, so they cannot be closed.
>
> What do you think? Is there a better solution?

Idea 1 sounds best to me, but maybe that's because it's the way I
originally did the fd support that never landed :)

But here's an Idea 4: we add a way to remotely close an fd (I don't
see that the current infra can do this, but perhaps I didn't look hard
enough), and then when you get ENOENT you have to close the fd. Of
course, this can't be via seccomp, so maybe it's even more racy.

Tycho
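
The race discussed in this thread, and the effect of replying in one step as in Idea 1, shown as an added user-space model; it is not part of the original message and is not kernel code. All struct and function names are hypothetical, and the model assumes that a restarted syscall replaces the pending notification, which is what the ENOENT from SECCOMP_IOCTL_NOTIF_SEND in the strace report indicates.

```c
/* Added user-space model of the race; not kernel code, all names hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_FDS 16

struct target {              /* process whose syscall is being supervised */
    bool fd_open[MAX_FDS];   /* its fd table */
    uint64_t pending_id;     /* id of the live notification, 0 if none */
    uint64_t next_id;        /* id the next notification will get */
};

/* Target enters (or restarts) the filtered syscall: a fresh notification
 * replaces whatever was pending. */
static uint64_t syscall_enter(struct target *t) {
    return t->pending_id = t->next_id++;
}

/* Models SECCOMP_IOCTL_NOTIF_ADDFD: the fd is installed immediately. */
static int notif_addfd(struct target *t, uint64_t id) {
    if (id != t->pending_id) return -ENOENT;
    for (int fd = 3; fd < MAX_FDS; fd++)
        if (!t->fd_open[fd]) { t->fd_open[fd] = true; return fd; }
    return -EMFILE;
}

/* Models SECCOMP_IOCTL_NOTIF_SEND: ENOENT once the syscall was restarted. */
static int notif_send(struct target *t, uint64_t id) {
    if (id != t->pending_id) return -ENOENT;
    t->pending_id = 0;
    return 0;
}

/* Models Idea 1: install the fd and reply in one step, or do neither. */
static int notif_send_with_fd(struct target *t, uint64_t id) {
    int fd = notif_addfd(t, id);        /* stale id: nothing is installed */
    if (fd >= 0) notif_send(t, id);
    return fd;
}

/* Agent emulating a syscall that returns an fd. A signal restarts the target's
 * syscall `signals` times before the agent's reply. Returns how many fds stay
 * in the target that no completed syscall returned, or -1 if the table fills. */
int leaked_fds(bool one_step, int signals) {
    struct target t = { .next_id = 1 };
    uint64_t id = syscall_enter(&t);
    for (;;) {
        if (!one_step && notif_addfd(&t, id) < 0) return -1;
        if (signals-- > 0) syscall_enter(&t);   /* EINTR + automatic restart */
        int r = one_step ? notif_send_with_fd(&t, id) : notif_send(&t, id);
        if (r >= 0) break;                      /* ENOENT: reply was dropped */
        id = t.pending_id;                      /* next RECV: same syscall again */
    }
    int n = 0;
    for (int fd = 0; fd < MAX_FDS; fd++) n += t.fd_open[fd];
    return n - 1;                               /* one fd was legitimately returned */
}

int main(void) {
    printf("ADDFD then SEND, 3 signals: %d leaked\n", leaked_fds(false, 3));
    printf("one-step reply,  3 signals: %d leaked\n", leaked_fds(true, 3));
    return 0;
}
```

In the two-step path every restart between ADDFD and SEND leaves one extra descriptor in the target; in the one-step path a stale id fails before anything is installed.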