From: Tycho Andersen <tycho@tycho.ws>
To: Kees Cook <keescook@chromium.org>
Cc: linux-kernel@vger.kernel.org, Matthew Denton <mpdenton@google.com>
Subject: Re: [PATCH] seccomp: allow TSYNC and USER_NOTIF together
Date: Tue, 3 Mar 2020 07:56:35 -0700 [thread overview]
Message-ID: <20200303145635.GC15783@cisco> (raw)
In-Reply-To: <202003022137.9DAB55E6F0@keescook>
On Mon, Mar 02, 2020 at 09:48:34PM -0800, Kees Cook wrote:
> On Thu, Feb 06, 2020 at 09:50:27AM -0700, Tycho Andersen wrote:
> > The restriction introduced in 7a0df7fbc145 ("seccomp: Make NEW_LISTENER and
> > TSYNC flags exclusive") is mostly artificial: there is enough information
> > in a seccomp user notification to tell which thread triggered a
> > notification. The reason it was introduced is because TSYNC makes the
> > syscall return a thread-id on failure, and NEW_LISTENER returns an fd, and
> > there's no way to distinguish between these two cases (well, I suppose the
> > caller could check all fds it has, then do the syscall, and if the return
> > value was an fd that already existed, then it must be a thread id, but
> > bleh).
> >
> > Matthew would like to use these two flags together in the Chrome sandbox
> > which wants to use TSYNC for video drivers and NEW_LISTENER to proxy
> > syscalls.
> >
> > So, let's fix this ugliness by adding another flag, NO_TID_ON_TSYNC_ERR,
> > which tells the kernel to just return -EAGAIN on a TSYNC error. This way,
> > NEW_LISTENER (and any subsequent seccomp() commands that want to return
> > positive values) don't conflict with each other.
> >
> > Suggested-by: Matthew Denton <mpdenton@google.com>
> > Signed-off-by: Tycho Andersen <tycho@tycho.ws>
>
> Thanks for this! (And thanks for waiting on my review!) Yeah, this
> makes things much more sensible. If we get a third thing that wants
> to be returned, we'll have to rev the userspace struct API to have an
> "output" area. :P
Yeah :)
> Bike shedding below...
>
> > ---
> > include/linux/seccomp.h | 3 +-
> > include/uapi/linux/seccomp.h | 1 +
> > kernel/seccomp.c | 14 +++-
> > tools/testing/selftests/seccomp/seccomp_bpf.c | 74 ++++++++++++++++++-
> > 4 files changed, 86 insertions(+), 6 deletions(-)
> >
> > diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h
> > index 03583b6d1416..e0560a941ed1 100644
> > --- a/include/linux/seccomp.h
> > +++ b/include/linux/seccomp.h
> > @@ -7,7 +7,8 @@
> > #define SECCOMP_FILTER_FLAG_MASK (SECCOMP_FILTER_FLAG_TSYNC | \
> > SECCOMP_FILTER_FLAG_LOG | \
> > SECCOMP_FILTER_FLAG_SPEC_ALLOW | \
> > - SECCOMP_FILTER_FLAG_NEW_LISTENER)
> > + SECCOMP_FILTER_FLAG_NEW_LISTENER | \
> > + SECCOMP_FILTER_FLAG_NO_TID_ON_TSYNC_ERR)
> >
> > #ifdef CONFIG_SECCOMP
> >
> > diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h
> > index be84d87f1f46..64678cc20e18 100644
> > --- a/include/uapi/linux/seccomp.h
> > +++ b/include/uapi/linux/seccomp.h
> > @@ -22,6 +22,7 @@
> > #define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
> > #define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
> > #define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
> > +#define SECCOMP_FILTER_FLAG_NO_TID_ON_TSYNC_ERR (1UL << 4)
>
> Bikeshed: what do you think about calling this
>
> SECCOMP_FILTER_FLAG_TSYNC_ESRCH
>
> to mean "I don't care _which_ thread, just fail" (See below about the
> ESRCH bit...)
Will do.
> >
> > /*
> > * All BPF programs must return a 32-bit value.
> > diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> > index b6ea3dcb57bf..fa01ec085d60 100644
> > --- a/kernel/seccomp.c
> > +++ b/kernel/seccomp.c
> > @@ -528,8 +528,12 @@ static long seccomp_attach_filter(unsigned int flags,
> > int ret;
> >
> > ret = seccomp_can_sync_threads();
> > - if (ret)
> > - return ret;
> > + if (ret) {
> > + if (flags & SECCOMP_FILTER_FLAG_NO_TID_ON_TSYNC_ERR)
> > + return -EAGAIN;
>
> Hm hm, I think EAGAIN is wrong here: this isn't likely to be a transient
> failure (unless the offending thread dies). The two ways TSYNC can fail
> are if a thread has seccomp mode 1 set, or if the thread's filter
> ancestry has already diverged. Trying again isn't really going to help
> (which is why the original motivation was to return thread details to
> help debug why TSYNC failed).
>
> In the case where the thread id can't be found (container visibility??),
> we fail with -ESRCH. That might be more sensible than -EAGAIN here. (Or
> maybe -EBUSY?)
-ESRCH seems good, I'll resend with that.
Cheers,
Tycho
prev parent reply other threads:[~2020-03-03 14:56 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-06 16:50 [PATCH] seccomp: allow TSYNC and USER_NOTIF together Tycho Andersen
2020-03-03 5:48 ` Kees Cook
2020-03-03 14:56 ` Tycho Andersen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200303145635.GC15783@cisco \
--to=tycho@tycho.ws \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mpdenton@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox