From: Tycho Andersen <tycho@tycho.ws>
To: Kees Cook <keescook@chromium.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
Linux Containers <containers@lists.linux-foundation.org>,
Andy Lutomirski <luto@amacapital.net>,
Oleg Nesterov <oleg@redhat.com>,
"Eric W . Biederman" <ebiederm@xmission.com>,
"Serge E . Hallyn" <serge@hallyn.com>,
Christian Brauner <christian.brauner@ubuntu.com>,
Tyler Hicks <tyhicks@canonical.com>,
Akihiro Suda <suda.akihiro@lab.ntt.co.jp>,
"Tobin C . Harding" <me@tobin.cc>
Subject: Re: [PATCH v3 0/4] seccomp trap to userspace
Date: Fri, 8 Jun 2018 15:04:33 -0600
Message-ID: <20180608210433.GA15707@cisco>
In-Reply-To: <CAGXu5jKsLDSBjB74SrvCvmGy_RTEjBsMtR5dk1CcRFrHEQfM_g@mail.gmail.com>

Hi Kees,

On Fri, Jun 08, 2018 at 09:29:42AM -0700, Kees Cook wrote:
> On Thu, May 31, 2018 at 7:49 AM, Tycho Andersen <tycho@tycho.ws> wrote:
> > Hi all,
> >
> > Here's a v3 of the seccomp trap to userspace, with all the nits from v2
> > fixed. Open questions from v2 are still:
> >
> > 1. is it ok not to use netlink?
>
> Yeah, I think there isn't a sensible way to reuse that API, which is
> too bad. Let's just try to keep this interface future-proofed. :)

Yes, I think it is, assuming that we always use a zero value as the
"do the same thing as before" value. Perhaps I should write that
assumption down somewhere...

> > 2. what should the fd passing API look like? (see patch notes on this
> > one for details of why the current one might (?) be a problem)
>
> The only thing in my mind is avoiding the problems with other fd
> passing API (e.g. when do rlimits get checked, etc).

My read of get_unused_fd_flags() is that it does check RLIMIT_NOFILE,
so I think we're ok there.

My biggest concern was just about the case where we want to do
something besides return an fd from a syscall (e.g. install an fd, but
return it via some pointer or something), but I'm not aware of
anywhere we do that today, so maybe I'm worrying about it too much.

> > As an added bonus, I've also written some stress testing, with lots of
> > tasks and listeners (1000 of each) sharing the same notification thread,
> > and not found any issues so far. Code is here:
> > https://github.com/tych0/kernel-utils/blob/master/seccomp/notify_stress.c
> > although I haven't included it in the patchset.
>
> That's excellent, thanks!
>
> > v2: https://lkml.org/lkml/2018/5/17/627
> >
> > Tycho Andersen (4):
> >   seccomp: add a return code to trap to userspace
> >   seccomp: make get_nth_filter available outside of CHECKPOINT_RESTORE
> >   seccomp: add a way to get a listener fd from ptrace
> >   seccomp: add support for passing fds via USER_NOTIF
>
> I'm under a time crunch with the merge window, but after -rc2 I should
> have time to give this some close review. FWIW, I expect this to enter
> -next this cycle and get it into the 4.19 merge window: we need the
> feature and the alternatives have been well explored and don't look
> workable.

No rush. I am preparing a v4 with the various comments in this thread
fixed, hopefully I'll send it out early next week.

Tycho