public inbox for linux-kernel@vger.kernel.org
From: Christian Brauner <christian.brauner@ubuntu.com>
To: Jann Horn <jannh@google.com>
Cc: Kees Cook <keescook@chromium.org>,
	kernel list <linux-kernel@vger.kernel.org>,
	Andy Lutomirski <luto@kernel.org>,
	Tycho Andersen <tycho@tycho.ws>,
	Matt Denton <mpdenton@google.com>,
	Sargun Dhillon <sargun@sargun.me>,
	Chris Palmer <palmer@google.com>,
	Aleksa Sarai <cyphar@cyphar.com>,
	Robert Sesek <rsesek@google.com>,
	Jeffrey Vander Stoep <jeffv@google.com>,
	Linux Containers <containers@lists.linux-foundation.org>
Subject: Re: [PATCH v2 1/2] seccomp: notify user trap about unused filter
Date: Fri, 29 May 2020 09:51:37 +0200
Message-ID: <20200529075137.gkwclirogbe3ae2a@wittgenstein>
In-Reply-To: <CAG48ez0k23qM2QEi42VTjCbnoY9_nfTH09B_Qr2zu+m3KWWUiQ@mail.gmail.com>

On Fri, May 29, 2020 at 01:32:03AM +0200, Jann Horn wrote:
> On Fri, May 29, 2020 at 1:11 AM Kees Cook <keescook@chromium.org> wrote:
> > On Thu, May 28, 2020 at 05:14:11PM +0200, Christian Brauner wrote:
> > >   * @usage: reference count to manage the object lifetime.
> > >   *         get/put helpers should be used when accessing an instance
> > >   *         outside of a lifetime-guarded section.  In general, this
> > >   *         is only needed for handling filters shared across tasks.
> > > [...]
> > > + * @live: Number of tasks that use this filter directly and number
> > > + *     of dependent filters that have a non-zero @live counter.
> > > + *     Altered during fork(), exit(), and filter installation
> > > [...]
> > >       refcount_set(&sfilter->usage, 1);
> > > +     refcount_set(&sfilter->live, 1);
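Review bot: the @live kernel-doc in the lines quoted here says when the counter is altered but not what it means for it to reach zero, or whether it may ever be incremented again from zero. Since @usage and @live are both set to 1 at installation and diverge afterwards, the comment should state that @live only tracks users and does not control freeing, and the sentence "Altered during fork(), exit(), and filter installation" should end with a period.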
> [...]
> > After looking at these other lifetime management examples in the kernel,
> > I'm convinced that tracking these states separately is correct, but I
> > remain uncomfortable about task management needing to explicitly make
> > two calls to let go of the filter.
> >
> > I wonder if release_task() should also detach the filter from the task
> > and do a put_seccomp_filter() instead of waiting for task_free(). This
> > is supported by the other place where seccomp_filter_release() is
> > called:
> >
> > > @@ -396,6 +400,7 @@ static inline void seccomp_sync_threads(unsigned long flags)
> > >                * allows a put before the assignment.)
> > >               */
> > >               put_seccomp_filter(thread);
> > > +             seccomp_filter_release(thread);
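Review bot: in seccomp_sync_threads() the added seccomp_filter_release(thread) runs after put_seccomp_filter(thread) has already dropped the thread's @usage reference. The context comment explains why a put before the assignment is allowed, but nothing in the hunk says the same reasoning covers the release that now follows it; either extend that comment to cover the release, or order the release before the put, or fold both calls into one helper so callers cannot get the order wrong.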
> >
> > This would also remove the only put_seccomp_filter() call outside of
> > seccomp.c, since the free_task() call will be removed now in favor of
> > the task_release() call.
> >
> > So, is it safe to detach the filter in release_task()? Has dethreading
> > happened yet? i.e. can we race TSYNC? -- is there a possible
> > inc-from-zero?
> 
> release_task -> __exit_signal -> __unhash_process ->
> list_del_rcu(&p->thread_node) drops us from the thread list under
> siglock, which is the same lock TSYNC uses.
> 
> One other interesting thing that can look at seccomp state is
> task_seccomp() in procfs - that can still happen at this point. At the
> moment, procfs only lets you see the numeric filter state, not the
> actual filter contents, so that's not a problem; but if we ever add a
> procfs interface for dumping seccomp filters (in addition to the
> ptrace interface that already exists), that's something to keep in
> mind.

Aside from this being not an issue now, can we please not dump seccomp
filter contents in proc? That sounds terrible, and what's the rationale?
libseccomp already lets you dump filter contents while loading and you
could ptrace it. But maybe I'm missing a giant need for this...

Christian
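
The split between @usage and @live described in the quoted kernel-doc, as a user-space model (an added example, not part of the original message and not code from the patch). The struct, the function names and the listener that holds only a @usage reference are hypothetical; the model releases liveness before dropping the lifetime reference.

```c
/* User-space model of @usage vs @live; added example, not kernel code. */
#include <stdio.h>
#include <stdlib.h>
struct filter {
    int usage;           /* lifetime references: tasks, child filters, listener */
    int live;            /* tasks using it directly + children with live > 0 */
    int notified;        /* set when live reaches zero */
    struct filter *prev; /* parent filter in the chain */
};
static int freed;        /* number of model filters freed so far */

/* New filter on top of prev; it takes over the installing task's claim on prev. */
static struct filter *filter_install(struct filter *prev)
{
    struct filter *f = calloc(1, sizeof(*f));
    if (!f) abort();
    f->usage = f->live = 1;
    f->prev = prev;
    return f;
}

/* fork(): the new task shares the filter and counts as a live user. */
static void filter_fork(struct filter *f) { f->usage++; f->live++; }

/* Task exit, step 1: drop liveness, propagating up while a level hits zero. */
static void filter_release(struct filter *f)
{
    for (; f && --f->live == 0; f = f->prev)
        f->notified = 1; /* stand-in for waking the notification listener */
}

/* Task exit, step 2: drop the lifetime reference, freeing up the chain. */
static void filter_put(struct filter *f)
{
    while (f && --f->usage == 0) {
        struct filter *prev = f->prev;
        free(f); freed++;
        f = prev;
    }
}

int main(void)
{
    struct filter *parent = filter_install(NULL), *child = filter_install(parent);
    filter_fork(child);  /* second task shares child */
    parent->usage++;     /* hypothetical listener: usage reference only */
    for (int i = 0; i < 2; i++) { filter_release(child); filter_put(child); }
    printf("parent notified=%d freed=%d\n", parent->notified, freed);
    filter_put(parent);  /* listener closed, parent freed */
    return 0;
}
```

After both tasks exit, the parent filter has been marked unused while the listener's reference still keeps it allocated.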
