From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jann Horn Subject: Re: [PATCH 1/2] fork: add clone6 Date: Mon, 27 May 2019 21:36:18 +0200 Message-ID: References: <20190526102612.6970-1-christian@brauner.io> <20190527104239.fbnjzfyxa4y4acpf@brauner.io> Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Return-path: In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org To: Linus Torvalds , Kees Cook , Christian Brauner Cc: Al Viro , Linux List Kernel Mailing , Florian Weimer , Oleg Nesterov , Arnd Bergmann , David Howells , Pavel Emelyanov , Andrew Morton , Adrian Reber , Andrei Vagin , Linux API List-Id: linux-api@vger.kernel.org +Kees On Mon, May 27, 2019 at 9:27 PM Linus Torvalds wrote: > On Mon, May 27, 2019 at 3:42 AM Christian Brauner wrote: > > Hm, still pondering whether having one unsigned int argument passed > > through registers that captures all the flags from the old clone() would > > be a good idea. > > That sounds like a reasonable thing to do. > > Maybe we could continue to call the old flags CLONE_XYZ and continue > to pass them in as "flags" argument, and then we have CLONE_EXT_XYZ > flags for a new 64-bit flag field that comes in through memory in the > new clone_args thing? With the current seccomp model, that would have the unfortunate effect of making it impossible to filter out new clone flags - which would likely mean that people who want to sandbox their code would not use the new clone() because they don't want their sandboxed code to be able to create time namespaces and whatever other new fancy things clone() might support in the future. This is why I convinced Christian to pass flags in registers for the first patch version. The alternative I see would be to somehow extend seccomp to support argument structures that are passed in memory - that would probably require quite a bit of new plumbing though, both in the kernel and in userspace code that configures seccomp filters.