From: Tycho Andersen <tycho@kernel.org>
To: Aleksandr Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Cc: kees@kernel.org, linux-kernel@vger.kernel.org,
bpf@vger.kernel.org, "Andy Lutomirski" <luto@amacapital.net>,
"Will Drewry" <wad@chromium.org>,
"Jonathan Corbet" <corbet@lwn.net>,
"Shuah Khan" <shuah@kernel.org>,
"Aleksa Sarai" <cyphar@cyphar.com>,
"Andrei Vagin" <avagin@gmail.com>,
"Christian Brauner" <brauner@kernel.org>,
"Stéphane Graber" <stgraber@stgraber.org>
Subject: Re: [PATCH v2 4/6] seccomp: handle multiple listeners case
Date: Thu, 4 Dec 2025 08:18:16 -0700
Message-ID: <aTGmOGTNndl3oTk7@tycho.pizza>
In-Reply-To: <CAEivzxf0a8EDzVJ+j7FLuarKHrCRPUtS9Z+tQ4se9E+xHvE0Fg@mail.gmail.com>
On Wed, Dec 03, 2025 at 04:29:49PM +0100, Aleksandr Mikhalitsyn wrote:
> On Tue, Dec 2, 2025 at 12:52 PM Alexander Mikhalitsyn
> <aleksandr.mikhalitsyn@canonical.com> wrote:
> >
> > If we have more than one listener in the tree and lower listener
> > wants us to continue syscall (SECCOMP_USER_NOTIF_FLAG_CONTINUE)
> > we must consult with upper listeners first, otherwise it is a
> > clear seccomp restrictions bypass scenario.
> >
> > Cc: linux-kernel@vger.kernel.org
> > Cc: bpf@vger.kernel.org
> > Cc: Kees Cook <kees@kernel.org>
> > Cc: Andy Lutomirski <luto@amacapital.net>
> > Cc: Will Drewry <wad@chromium.org>
> > Cc: Jonathan Corbet <corbet@lwn.net>
> > Cc: Shuah Khan <shuah@kernel.org>
> > Cc: Aleksa Sarai <cyphar@cyphar.com>
> > Cc: Tycho Andersen <tycho@tycho.pizza>
> > Cc: Andrei Vagin <avagin@gmail.com>
> > Cc: Christian Brauner <brauner@kernel.org>
> > Cc: Stéphane Graber <stgraber@stgraber.org>
> > Reviewed-by: Tycho Andersen (AMD) <tycho@kernel.org>
> > Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
> > ---
> > kernel/seccomp.c | 33 +++++++++++++++++++++++++++++++--
> > 1 file changed, 31 insertions(+), 2 deletions(-)
> >
> > diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> > index ded3f6a6430b..262390451ff1 100644
> > --- a/kernel/seccomp.c
> > +++ b/kernel/seccomp.c
> > @@ -448,8 +448,21 @@ static u32 seccomp_run_filters(const struct seccomp_data *sd,
> >
> > if (ACTION_ONLY(cur_ret) < ACTION_ONLY(ret)) {
> > ret = cur_ret;
> > + /*
> > + * No matter what we had before in matches->filters[],
> > + * we need to overwrite it, because current action is more
> > + * restrictive than any previous one.
> > + */
> > matches->n = 1;
> > matches->filters[0] = f;
> > + } else if ((ACTION_ONLY(cur_ret) == ACTION_ONLY(ret)) &&
> > + ACTION_ONLY(cur_ret) == SECCOMP_RET_USER_NOTIF) {
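Review bot: the `} else if ((ACTION_ONLY(cur_ret) == ACTION_ONLY(ret)) && ACTION_ONLY(cur_ret) == SECCOMP_RET_USER_NOTIF)` condition collects a filter into matches->filters[] on its action alone, and the reply that follows wants f->notif tested here as well; as the question after it points out, a listener check in the filter loop is separated from the place the listener is actually used and is therefore a TOCTOU, so the loop should collect every filter that returned SECCOMP_RET_USER_NOTIF and leave the has-a-listener decision to the consumer of matches->filters[] (seccomp_do_user_notification(), per that question), where the check and the use are not split apart. The branch body is cut off in the quote, so it is not visible that the append bounds matches->n against the size of matches->filters[] before the store; with the cap from "seccomp: limit number of listeners in seccomp tree" (3/6) that bound should still be enforced at the store rather than assumed. Style: the extra parentheses around the first equality are redundant, and the second comparison can use `ret`, whose action already equals `cur_ret`'s at that point: `ACTION_ONLY(cur_ret) == ACTION_ONLY(ret) && ACTION_ONLY(ret) == SECCOMP_RET_USER_NOTIF`.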
>
> My bad. We also have to check f->notif in there like that:
For my own education: why is that? Shouldn't
seccomp_do_user_notification() be smart enough to catch this case (and
indeed, there is a TOCTOU if you do it here?)?
Thanks,
Tycho
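The rule the commit message states (a lower listener's CONTINUE is not final until every upper listener has been consulted) can be followed in a small userspace model. The following is an added illustration written for this page, not kernel code and not part of the series; it copies the kernel's return-value encoding and its "lower action wins" comparison, and assumes a cap of 4 collected listeners (the real limit comes from patch 3/6 and its value is not shown here), that filters are listed innermost first in the order the kernel walks f->prev, that a listener answers either CONTINUE or an errno, and that a matched filter with no listener attached fails the syscall with ENOSYS as the existing single-listener path does. Where the f->notif check belongs is exactly what the thread is debating, so the model keeps it out of the filter loop and in the step that consults the listeners.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Encoding from include/uapi/linux/seccomp.h: action in the high 16 bits, data in the low 16. */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#define SECCOMP_RET_KILL_THREAD  0x00000000U
#define SECCOMP_RET_ERRNO        0x00050000U
#define SECCOMP_RET_USER_NOTIF   0x7fc00000U
#define SECCOMP_RET_ALLOW        0x7fff0000U
#define SECCOMP_RET_ACTION_FULL  0xffff0000U
#define SECCOMP_RET_DATA         0x0000ffffU

/* As in kernel/seccomp.c: the s32 cast makes KILL_PROCESS (bit 31 set) the smallest value, so
 * "lower action wins" orders KILL_PROCESS < KILL_THREAD < ERRNO < USER_NOTIF < ALLOW. */
#define ACTION_ONLY(ret) ((int32_t)((ret) & SECCOMP_RET_ACTION_FULL))

#define MAX_LISTENERS      4  /* assumed cap; patch 3/6 adds a limit whose value is not on this page */
#define OUTCOME_RUNS       0  /* the syscall is executed */
#define OUTCOME_TERMINATED 1  /* a kill action: the syscall never runs */

enum reply { REPLY_CONTINUE, REPLY_ERRNO };

/* One installed filter. Arrays list the most recently installed filter (the "lower", innermost
 * listener) first, mirroring the kernel's walk along f->prev. */
struct filter {
    uint32_t ret;       /* what this filter's BPF program returns for the syscall */
    bool has_listener;  /* models f->notif != NULL */
    enum reply reply;   /* what the attached listener would answer */
    int reply_errno;    /* errno for REPLY_ERRNO */
};

struct matches {
    size_t n;
    const struct filter *filters[MAX_LISTENERS];
};

/* Models the seccomp_run_filters() loop in the quoted hunk: the most restrictive action wins and
 * resets the match list; equally restrictive USER_NOTIF filters are appended (bounded). */
uint32_t run_filters(const struct filter *fs, size_t nf, struct matches *m)
{
    uint32_t ret = SECCOMP_RET_ALLOW;

    m->n = 0;
    for (size_t i = 0; i < nf; i++) {
        uint32_t cur = fs[i].ret;
        if (ACTION_ONLY(cur) < ACTION_ONLY(ret)) {
            ret = cur;
            m->n = 1;
            m->filters[0] = &fs[i];
        } else if (ACTION_ONLY(cur) == ACTION_ONLY(ret) &&
                   ACTION_ONLY(cur) == ACTION_ONLY(SECCOMP_RET_USER_NOTIF)) {
            /* Whether f->notif belongs in this condition is the thread's open question;
             * this model leaves the listener check to resolve_listeners(). */
            if (m->n < MAX_LISTENERS)
                m->filters[m->n++] = &fs[i];
        }
    }
    return ret;
}

/* The commit message's rule: CONTINUE from the lower listener is not final while upper listeners
 * remain, so the syscall runs only if every listener agrees. A matched filter with no listener
 * fails the syscall with -ENOSYS, as the existing single-listener code does. */
int resolve_listeners(const struct matches *m)
{
    for (size_t i = 0; i < m->n; i++) {
        if (!m->filters[i]->has_listener)
            return -ENOSYS;
        if (m->filters[i]->reply == REPLY_ERRNO)
            return -m->filters[i]->reply_errno;
        /* REPLY_CONTINUE: consult the next (upper) listener. */
    }
    return OUTCOME_RUNS;
}

/* End-to-end outcome for one syscall: OUTCOME_RUNS, a negative errno, or OUTCOME_TERMINATED. */
int decide(const struct filter *fs, size_t nf)
{
    struct matches m;
    uint32_t ret = run_filters(fs, nf, &m);

    switch (ret & SECCOMP_RET_ACTION_FULL) {
    case SECCOMP_RET_ALLOW:      return OUTCOME_RUNS;
    case SECCOMP_RET_ERRNO:      return -(int)(ret & SECCOMP_RET_DATA);
    case SECCOMP_RET_USER_NOTIF: return resolve_listeners(&m);
    default:                     return OUTCOME_TERMINATED;
    }
}

int main(void)
{
    /* Constructed scenario: the lower listener says CONTINUE, the upper one refuses with EPERM. */
    const struct filter nested[] = {
        { SECCOMP_RET_USER_NOTIF, true, REPLY_CONTINUE, 0 },
        { SECCOMP_RET_USER_NOTIF, true, REPLY_ERRNO, EPERM },
    };
    printf("nested listeners: %d (expect %d)\n", decide(nested, 2), -EPERM);
    return 0;
}
```

Build with a C99 compiler and run: decide() returns 0 when the syscall proceeds, -errno when an upper listener or a more restrictive ERRNO filter rejects it, and 1 for a kill action. Swapping the upper listener's answer to REPLY_CONTINUE makes the syscall run, which is the only path on which a CONTINUE from the lower listener is honoured.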
Thread overview: 8+ messages
2025-12-02 11:51 [PATCH v2 0/6] seccomp: support nested listeners Alexander Mikhalitsyn
2025-12-02 11:51 ` [PATCH v2 3/6] seccomp: limit number of listeners in seccomp tree Alexander Mikhalitsyn
2025-12-02 11:51 ` [PATCH v2 4/6] seccomp: handle multiple listeners case Alexander Mikhalitsyn
2025-12-03 15:29 ` Aleksandr Mikhalitsyn
2025-12-04 15:18 ` Tycho Andersen [this message]
2025-12-10 23:18 ` Aleksandr Mikhalitsyn
2025-12-02 11:51 ` [PATCH v2 5/6] seccomp: relax has_duplicate_listeners check Alexander Mikhalitsyn
2025-12-02 11:51 ` [PATCH v2 6/6] tools/testing/selftests/seccomp: test nested listeners Alexander Mikhalitsyn