From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pl1-f196.google.com ([209.85.214.196]:33831 "EHLO mail-pl1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727638AbeJIXrJ (ORCPT ); Tue, 9 Oct 2018 19:47:09 -0400 Received: by mail-pl1-f196.google.com with SMTP id f18-v6so1100784plr.1 for ; Tue, 09 Oct 2018 09:29:24 -0700 (PDT) Date: Tue, 9 Oct 2018 09:29:21 -0700 From: Tycho Andersen To: Christian Brauner Cc: Kees Cook , Jann Horn , Linux API , Linux Containers , Akihiro Suda , Oleg Nesterov , LKML , "Eric W . Biederman" , "linux-fsdevel@vger.kernel.org" , Christian Brauner , Andy Lutomirski Subject: Re: [PATCH v7 1/6] seccomp: add a return code to trap to userspace Message-ID: <20181009162921.GC10149@cisco> References: <20180927151119.9989-1-tycho@tycho.ws> <20180927151119.9989-2-tycho@tycho.ws> <20180927224839.GF15491@cisco.cisco.com> <20181008145803.ycawjwhc3mwkdogf@brauner.io> <20181009142833.GA10149@cisco> <20181009162413.sry5hnplvvpjggd4@brauner.io> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20181009162413.sry5hnplvvpjggd4@brauner.io> Sender: linux-fsdevel-owner@vger.kernel.org List-ID: On Tue, Oct 09, 2018 at 06:24:14PM +0200, Christian Brauner wrote: > On Tue, Oct 09, 2018 at 07:28:33AM -0700, Tycho Andersen wrote: > > On Mon, Oct 08, 2018 at 04:58:05PM +0200, Christian Brauner wrote: > > > On Thu, Sep 27, 2018 at 04:48:39PM -0600, Tycho Andersen wrote: > > > > On Thu, Sep 27, 2018 at 02:31:24PM -0700, Kees Cook wrote: > > > > > I have to say, I'm vaguely nervous about changing the semantics here > > > > > for passing back the fd as the return code from the seccomp() syscall. > > > > > Alternatives seem less appealing, though: changing the meaning of the > > > > > uargs parameter when SECCOMP_FILTER_FLAG_NEW_LISTENER is set, for > > > > > example. Hmm. > > > > > > > > From my perspective we can drop this whole thing. The only thing I'll > > > > ever use is the ptrace version. Someone at some point (I don't > > > > remember who, maybe stgraber) suggested this version would be useful > > > > as well. > > > > > > So I think we want to have the ability to get an fd via seccomp(). > > > Especially, if we all we worry about are weird semantics. When we > > > discussed this we knew the whole patchset was going to be weird. :) > > > > > > This is a seccomp feature so seccomp should - if feasible - equip you > > > with everything to use it in a meaningful way without having to go > > > through a different kernel api. I know ptrace and seccomp are > > > already connected but I still find this cleaner. :) > > > > > > Another thing is that the container itself might be traced for some > > > reason while you still might want to get an fd out. > > > > Sure, I don't see the problem here. > > How'd you to PTRACE_ATTACH in that case? Oh, you mean if someone has *ptrace*'d the task, and a third party wants to get a seccomp fd? I think "too bad" is the answer; I don't really mind not supporting this case. > Anyway, the whole point is as we've discusses in the other thread we > really want a one-syscall-only, purely-seccomp() based way of getting > the fd. There are multiple options to get the fd even when you block > sendmsg()/socket() whatever and there's no good reason to only be able > to get the fd via a three-syscall-ptrace dance. :) Ok, I'll leave these bits in then for v8. Tycho