From: Kees Cook <keescook@chromium.org>
To: Sargun Dhillon <sargun@sargun.me>
Cc: David Laight <David.Laight@ACULAB.COM>,
Christian Brauner <christian.brauner@ubuntu.com>,
"containers@lists.linux-foundation.org"
<containers@lists.linux-foundation.org>,
Giuseppe Scrivano <gscrivan@redhat.com>,
Robert Sesek <rsesek@google.com>,
Chris Palmer <palmer@google.com>, Jann Horn <jannh@google.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Matt Denton <mpdenton@google.com>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
Tejun Heo <tj@kernel.org>, Al Viro <viro@zeniv.linux.org.uk>,
"cgroups@vger.kernel.org" <cgroups@vger.kernel.org>,
"stable@vger.kernel.org" <stable@vger.kernel.org>,
"David S . Miller" <davem@davemloft.net>
Subject: Re: [PATCH v3 1/4] fs, net: Standardize on file_receive helper to move fds across processes
Date: Fri, 12 Jun 2020 08:13:25 -0700 [thread overview]
Message-ID: <202006120806.E770867EF@keescook> (raw)
In-Reply-To: <20200612104629.GA15814@ircssh-2.c.rugged-nimbus-611.internal>
On Fri, Jun 12, 2020 at 10:46:30AM +0000, Sargun Dhillon wrote:
> My suggest, written out (no idea if this code actually works), is as follows:
>
> ioctl.h:
> /* This needs to be added */
> #define IOCDIR_MASK (_IOC_DIRMASK << _IOC_DIRSHIFT)
This exists already:
#define _IOC_DIRMASK ((1 << _IOC_DIRBITS)-1)
>
>
> seccomp.h:
>
> struct struct seccomp_notif_addfd {
> __u64 fd;
> ...
> }
>
> /* or IOW? */
> #define SECCOMP_IOCTL_NOTIF_ADDFD SECCOMP_IOWR(3, struct seccomp_notif_addfd)
>
> seccomp.c:
> static long seccomp_notify_addfd(struct seccomp_filter *filter,
> struct seccomp_notif_addfd __user *uaddfd int size)
> {
> struct seccomp_notif_addfd addfd;
> int ret;
>
> if (size < 32)
> return -EINVAL;
> if (size > PAGE_SIZE)
> return -E2BIG;
(Tanget: what was the reason for copy_struct_from_user() not including
the min/max check? I have a memory of Al objecting to having an
"internal" limit?)
>
> ret = copy_struct_from_user(&addfd, sizeof(addfd), uaddfd, size);
> if (ret)
> return ret;
>
> ...
> }
>
> /* Mask out size */
> #define SIZE_MASK(cmd) (~IOCSIZE_MASK & cmd)
>
> /* Mask out direction */
> #define DIR_MASK(cmd) (~IOCDIR_MASK & cmd)
>
> static long seccomp_notify_ioctl(struct file *file, unsigned int cmd,
> unsigned long arg)
> {
> struct seccomp_filter *filter = file->private_data;
> void __user *buf = (void __user *)arg;
>
> /* Fixed size ioctls. Can be converted later on? */
> switch (cmd) {
> case SECCOMP_IOCTL_NOTIF_RECV:
> return seccomp_notify_recv(filter, buf);
> case SECCOMP_IOCTL_NOTIF_SEND:
> return seccomp_notify_send(filter, buf);
> case SECCOMP_IOCTL_NOTIF_ID_VALID:
> return seccomp_notify_id_valid(filter, buf);
> }
>
> /* Probably should make some nicer macros here */
> switch (SIZE_MASK(DIR_MASK(cmd))) {
> case SIZE_MASK(DIR_MASK(SECCOMP_IOCTL_NOTIF_ADDFD)):
Ah yeah, I like this because of what you mention below: it's forward
compat too. (I'd just use the ioctl masks directly...)
switch (cmd & ~(_IOC_SIZEMASK | _IOC_DIRMASK))
> return seccomp_notify_addfd(filter, buf, _IOC_SIZE(cmd));
I really like that this ends up having the same construction as a
standard EA syscall: the size is part of the syscall arguments.
> default:
> return -EINVAL;
> }
> }
>
> --------
>
> What boxes does this tick?
> * Forwards (and backwards) compatibility
> * Applies to existing commands
> * Command can be extended without requiring new ioctl to be defined
(Technically, a new one is always redefined, but it's automatic in that
the kernel needs to do nothing.)
> * It well accomodates the future where we want to have a kernel
> helper copy the structures from userspace
Yeah, this is a good solution.
> The fact that the size of the argument struct, and the ioctl are defined in the
> same header gives us the ability to "cheat", and for the argument size to be
> included / embedded for free in the command passed to ioctl. In turn, this
> gives us two benefits. First, it means we don't have to copy from user twice,
> and can just do it all in one shot since the size is passed with the syscall
> arguments. Second, it means that the user does not have to do the following:
>
> seccomp_notif_addfd addfd = {};
> addfd.size = sizeof(struct seccomp_notif_addfd)
>
> Because sizeof(struct seccomp_notif_addfd) is embedded in
> SECCOMP_IOCTL_NOTIF_ADDFD based on the same headers they plucked the struct out of.
Cool. I will do more patch reworking! ;)
--
Kees Cook
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
To: Sargun Dhillon <sargun-GaZTRHToo+CzQB+pC5nmwQ@public.gmane.org>
Cc: David Laight
<David.Laight-ZS65k/vG3HxXrIkS9f7CXA@public.gmane.org>,
Christian Brauner
<christian.brauner-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>,
"containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org"
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
Giuseppe Scrivano
<gscrivan-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Robert Sesek <rsesek-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
Chris Palmer <palmer-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
Jann Horn <jannh-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
Greg Kroah-Hartman
<gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>,
"linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Matt Denton <mpdenton-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
"linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org>,
"cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"David S . Miller"
<davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
Subject: Re: [PATCH v3 1/4] fs, net: Standardize on file_receive helper to move fds across processes
Date: Fri, 12 Jun 2020 08:13:25 -0700 [thread overview]
Message-ID: <202006120806.E770867EF@keescook> (raw)
In-Reply-To: <20200612104629.GA15814-du9IEJ8oIxHXYT48pCVpJ3c7ZZ+wIVaZYkHkVr5ML8kVGlcevz2xqA@public.gmane.org>
On Fri, Jun 12, 2020 at 10:46:30AM +0000, Sargun Dhillon wrote:
> My suggest, written out (no idea if this code actually works), is as follows:
>
> ioctl.h:
> /* This needs to be added */
> #define IOCDIR_MASK (_IOC_DIRMASK << _IOC_DIRSHIFT)
This exists already:
#define _IOC_DIRMASK ((1 << _IOC_DIRBITS)-1)
>
>
> seccomp.h:
>
> struct struct seccomp_notif_addfd {
> __u64 fd;
> ...
> }
>
> /* or IOW? */
> #define SECCOMP_IOCTL_NOTIF_ADDFD SECCOMP_IOWR(3, struct seccomp_notif_addfd)
>
> seccomp.c:
> static long seccomp_notify_addfd(struct seccomp_filter *filter,
> struct seccomp_notif_addfd __user *uaddfd int size)
> {
> struct seccomp_notif_addfd addfd;
> int ret;
>
> if (size < 32)
> return -EINVAL;
> if (size > PAGE_SIZE)
> return -E2BIG;
(Tanget: what was the reason for copy_struct_from_user() not including
the min/max check? I have a memory of Al objecting to having an
"internal" limit?)
>
> ret = copy_struct_from_user(&addfd, sizeof(addfd), uaddfd, size);
> if (ret)
> return ret;
>
> ...
> }
>
> /* Mask out size */
> #define SIZE_MASK(cmd) (~IOCSIZE_MASK & cmd)
>
> /* Mask out direction */
> #define DIR_MASK(cmd) (~IOCDIR_MASK & cmd)
>
> static long seccomp_notify_ioctl(struct file *file, unsigned int cmd,
> unsigned long arg)
> {
> struct seccomp_filter *filter = file->private_data;
> void __user *buf = (void __user *)arg;
>
> /* Fixed size ioctls. Can be converted later on? */
> switch (cmd) {
> case SECCOMP_IOCTL_NOTIF_RECV:
> return seccomp_notify_recv(filter, buf);
> case SECCOMP_IOCTL_NOTIF_SEND:
> return seccomp_notify_send(filter, buf);
> case SECCOMP_IOCTL_NOTIF_ID_VALID:
> return seccomp_notify_id_valid(filter, buf);
> }
>
> /* Probably should make some nicer macros here */
> switch (SIZE_MASK(DIR_MASK(cmd))) {
> case SIZE_MASK(DIR_MASK(SECCOMP_IOCTL_NOTIF_ADDFD)):
Ah yeah, I like this because of what you mention below: it's forward
compat too. (I'd just use the ioctl masks directly...)
switch (cmd & ~(_IOC_SIZEMASK | _IOC_DIRMASK))
> return seccomp_notify_addfd(filter, buf, _IOC_SIZE(cmd));
I really like that this ends up having the same construction as a
standard EA syscall: the size is part of the syscall arguments.
> default:
> return -EINVAL;
> }
> }
>
> --------
>
> What boxes does this tick?
> * Forwards (and backwards) compatibility
> * Applies to existing commands
> * Command can be extended without requiring new ioctl to be defined
(Technically, a new one is always redefined, but it's automatic in that
the kernel needs to do nothing.)
> * It well accomodates the future where we want to have a kernel
> helper copy the structures from userspace
Yeah, this is a good solution.
> The fact that the size of the argument struct, and the ioctl are defined in the
> same header gives us the ability to "cheat", and for the argument size to be
> included / embedded for free in the command passed to ioctl. In turn, this
> gives us two benefits. First, it means we don't have to copy from user twice,
> and can just do it all in one shot since the size is passed with the syscall
> arguments. Second, it means that the user does not have to do the following:
>
> seccomp_notif_addfd addfd = {};
> addfd.size = sizeof(struct seccomp_notif_addfd)
>
> Because sizeof(struct seccomp_notif_addfd) is embedded in
> SECCOMP_IOCTL_NOTIF_ADDFD based on the same headers they plucked the struct out of.
Cool. I will do more patch reworking! ;)
--
Kees Cook
next prev parent reply other threads:[~2020-06-12 15:13 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-03 1:10 [PATCH v3 0/4] Add seccomp notifier ioctl that enables adding fds Sargun Dhillon
2020-06-03 1:10 ` [PATCH v3 1/4] fs, net: Standardize on file_receive helper to move fds across processes Sargun Dhillon
2020-06-03 1:10 ` Sargun Dhillon
2020-06-04 1:24 ` Christian Brauner
2020-06-04 1:24 ` Christian Brauner
2020-06-04 2:22 ` Kees Cook
2020-06-04 5:20 ` Sargun Dhillon
2020-06-04 12:52 ` Christian Brauner
2020-06-04 13:28 ` David Laight
2020-06-04 13:28 ` David Laight
2020-06-05 7:54 ` Sargun Dhillon
2020-06-09 19:43 ` Kees Cook
2020-06-09 20:03 ` Christian Brauner
2020-06-09 20:03 ` Christian Brauner
2020-06-09 20:55 ` Kees Cook
2020-06-09 21:27 ` Christian Brauner
2020-06-10 5:27 ` Kees Cook
2020-06-10 5:27 ` Kees Cook
2020-06-10 8:12 ` Sargun Dhillon
2020-06-10 8:48 ` David Laight
2020-06-10 8:48 ` David Laight
2020-06-11 3:02 ` Kees Cook
2020-06-11 3:02 ` Kees Cook
2020-06-11 7:51 ` David Laight
2020-06-11 7:51 ` David Laight
2020-06-10 17:10 ` Kees Cook
2020-06-10 17:10 ` Kees Cook
2020-06-11 2:59 ` Kees Cook
2020-06-11 2:59 ` Kees Cook
2020-06-11 4:41 ` Sargun Dhillon
2020-06-11 4:41 ` Sargun Dhillon
2020-06-11 9:19 ` Christian Brauner
2020-06-11 10:39 ` Sargun Dhillon
2020-06-11 23:23 ` Kees Cook
2020-06-11 10:01 ` Christian Brauner
2020-06-11 10:01 ` Christian Brauner
2020-06-11 11:06 ` Sargun Dhillon
2020-06-11 14:42 ` Christian Brauner
2020-06-11 14:42 ` Christian Brauner
2020-06-11 14:56 ` David Laight
2020-06-11 23:49 ` Kees Cook
2020-06-11 23:49 ` Kees Cook
2020-06-12 6:58 ` Kees Cook
2020-06-12 6:58 ` Kees Cook
2020-06-12 8:36 ` David Laight
2020-06-12 8:36 ` David Laight
2020-06-12 10:46 ` Sargun Dhillon
2020-06-12 10:46 ` Sargun Dhillon
2020-06-12 15:13 ` Kees Cook [this message]
2020-06-12 15:13 ` Kees Cook
2020-06-12 15:55 ` David Laight
2020-06-12 18:28 ` Christian Brauner
2020-06-12 18:38 ` Kees Cook
2020-06-12 18:42 ` Christian Brauner
2020-06-15 8:27 ` David Laight
2020-06-10 9:30 ` Christian Brauner
2020-06-10 9:30 ` Christian Brauner
2020-06-04 3:39 ` Sargun Dhillon
2020-06-03 1:10 ` [PATCH v3 2/4] pid: Use file_receive helper to copy FDs Sargun Dhillon
2020-06-03 1:10 ` Sargun Dhillon
2020-06-03 1:10 ` [PATCH v3 3/4] seccomp: Introduce addfd ioctl to seccomp user notifier Sargun Dhillon
2020-06-03 1:10 ` [PATCH v3 4/4] selftests/seccomp: Test SECCOMP_IOCTL_NOTIF_ADDFD Sargun Dhillon
2020-06-03 21:25 ` [PATCH v3 0/4] Add seccomp notifier ioctl that enables adding fds Robert Sesek
2020-06-03 23:42 ` Kees Cook
2020-06-03 23:56 ` Sargun Dhillon
2020-06-04 2:44 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202006120806.E770867EF@keescook \
--to=keescook@chromium.org \
--cc=David.Laight@ACULAB.COM \
--cc=cgroups@vger.kernel.org \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux-foundation.org \
--cc=davem@davemloft.net \
--cc=gregkh@linuxfoundation.org \
--cc=gscrivan@redhat.com \
--cc=jannh@google.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mpdenton@google.com \
--cc=palmer@google.com \
--cc=rsesek@google.com \
--cc=sargun@sargun.me \
--cc=stable@vger.kernel.org \
--cc=tj@kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.