From: Tycho Andersen <tycho-E0fblnxP3wo@public.gmane.org>
To: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
Cc: Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
Akihiro Suda
<suda.akihiro-Zyj7fXuS5i5L9jVzuh4AOg@public.gmane.org>,
Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
LKML <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"Eric W . Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>,
Christian Brauner
<christian.brauner-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>,
Tyler Hicks <tyhicks-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
Subject: Re: [RFC 1/3] seccomp: add a return code to trap to userspace
Date: Sun, 4 Feb 2018 21:01:29 +0100 [thread overview]
Message-ID: <20180204200129.2bgq5yfaimg6xdg5@cisco> (raw)
In-Reply-To: <CALCETrWgu5n+SMqrsZQ7MVYPtzs8otuc7hpA5uPH+JNtFrMBkQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
Hi Andy,
On Sun, Feb 04, 2018 at 05:36:33PM +0000, Andy Lutomirski wrote:
> > The actual implementation of this is fairly small, although getting the
> > synchronization right was/is slightly complex. Also worth noting that there
> > is one race still present:
> >
> > 1. a task does a SECCOMP_RET_USER_NOTIF
> > 2. the userspace handler reads this notification
> > 3. the task dies
> > 4. a new task with the same pid starts
> > 5. this new task does a SECCOMP_RET_USER_NOTIF, gets the same cookie id
> > that the previous one did
> > 6. the userspace handler writes a response
>
> I'm slightly confused. I thought the id was never reused for a given
> struct seccomp_filter. (Also, shouldn't the id be u64, not u32?)
Well, what happens when u32/64 overflows? Eventually it will wrap.
> On very quick reading, I have a question. What happens if a process
> has two seccomp_filters attached, one of them returns
> SECCOMP_RET_USER_NOTIF, and the *other* one has a listener?
Good question, in seccomp_run_filters(), the first (lowest, last
applied) filter who returns SECCOMP_RET_USER_NOTIF is the one that
gets the notification and the other receives nothing.
I don't really have any reason to prefer this behavior, it's just what
happened without much thought.
Cheers,
Tycho
WARNING: multiple messages have this Message-ID (diff)
From: Tycho Andersen <tycho@tycho.ws>
To: Andy Lutomirski <luto@amacapital.net>
Cc: LKML <linux-kernel@vger.kernel.org>,
Linux Containers <containers@lists.linux-foundation.org>,
Kees Cook <keescook@chromium.org>,
Oleg Nesterov <oleg@redhat.com>,
"Eric W . Biederman" <ebiederm@xmission.com>,
"Serge E . Hallyn" <serge@hallyn.com>,
Christian Brauner <christian.brauner@ubuntu.com>,
Tyler Hicks <tyhicks@canonical.com>,
Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Subject: Re: [RFC 1/3] seccomp: add a return code to trap to userspace
Date: Sun, 4 Feb 2018 21:01:29 +0100 [thread overview]
Message-ID: <20180204200129.2bgq5yfaimg6xdg5@cisco> (raw)
In-Reply-To: <CALCETrWgu5n+SMqrsZQ7MVYPtzs8otuc7hpA5uPH+JNtFrMBkQ@mail.gmail.com>
Hi Andy,
On Sun, Feb 04, 2018 at 05:36:33PM +0000, Andy Lutomirski wrote:
> > The actual implementation of this is fairly small, although getting the
> > synchronization right was/is slightly complex. Also worth noting that there
> > is one race still present:
> >
> > 1. a task does a SECCOMP_RET_USER_NOTIF
> > 2. the userspace handler reads this notification
> > 3. the task dies
> > 4. a new task with the same pid starts
> > 5. this new task does a SECCOMP_RET_USER_NOTIF, gets the same cookie id
> > that the previous one did
> > 6. the userspace handler writes a response
>
> I'm slightly confused. I thought the id was never reused for a given
> struct seccomp_filter. (Also, shouldn't the id be u64, not u32?)
Well, what happens when u32/64 overflows? Eventually it will wrap.
> On very quick reading, I have a question. What happens if a process
> has two seccomp_filters attached, one of them returns
> SECCOMP_RET_USER_NOTIF, and the *other* one has a listener?
Good question, in seccomp_run_filters(), the first (lowest, last
applied) filter who returns SECCOMP_RET_USER_NOTIF is the one that
gets the notification and the other receives nothing.
I don't really have any reason to prefer this behavior, it's just what
happened without much thought.
Cheers,
Tycho
next prev parent reply other threads:[~2018-02-04 20:01 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-04 10:49 [RFC 0/3] seccomp trap to userspace Tycho Andersen
2018-02-04 10:49 ` [RFC 1/3] seccomp: add a return code to " Tycho Andersen
2018-02-13 21:09 ` Kees Cook
[not found] ` <CAGXu5jLAAKY19a9iC1PmXRyuwdn1Zxr2Cb318zdzkqgYt8vtdg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2018-02-14 15:29 ` Tycho Andersen
2018-02-14 15:29 ` Tycho Andersen
2018-02-14 17:19 ` Andy Lutomirski
2018-02-14 17:23 ` Tycho Andersen
2018-02-15 14:48 ` Christian Brauner
[not found] ` <CALCETrXeZZfVzXh7SwKhyB=+ySDk5fhrrdrXrcABsQ=JpQT7Tg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2018-02-14 17:23 ` Tycho Andersen
2018-02-15 14:48 ` Christian Brauner
2018-02-27 0:49 ` Kees Cook
2018-02-27 0:49 ` Kees Cook
[not found] ` <CAGXu5jKBmej+fXhEc+Jy7Guy+vXEZkHnc=4LNm1NNEsc1=DFVA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2018-02-27 3:27 ` Andy Lutomirski
2018-02-27 3:27 ` Andy Lutomirski
2018-02-14 17:19 ` Andy Lutomirski
[not found] ` <20180204104946.25559-2-tycho-E0fblnxP3wo@public.gmane.org>
2018-02-04 17:36 ` Andy Lutomirski
2018-02-04 17:36 ` Andy Lutomirski
[not found] ` <CALCETrWgu5n+SMqrsZQ7MVYPtzs8otuc7hpA5uPH+JNtFrMBkQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2018-02-04 20:01 ` Tycho Andersen [this message]
2018-02-04 20:01 ` Tycho Andersen
2018-02-04 20:33 ` Andy Lutomirski
[not found] ` <CALCETrV81yr_zhuBbCTE8NgYx42oq=qvP=nLMsST0iS2wtOZng-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2018-02-05 8:47 ` Tycho Andersen
2018-02-05 8:47 ` Tycho Andersen
2018-02-04 20:33 ` Andy Lutomirski
2018-02-13 21:09 ` Kees Cook
2018-02-04 10:49 ` [RFC 2/3] seccomp: hoist out filter resolving logic Tycho Andersen
[not found] ` <20180204104946.25559-3-tycho-E0fblnxP3wo@public.gmane.org>
2018-02-13 21:29 ` Kees Cook
2018-02-13 21:29 ` Kees Cook
2018-02-14 15:33 ` Tycho Andersen
2018-02-14 15:33 ` Tycho Andersen
[not found] ` <20180204104946.25559-1-tycho-E0fblnxP3wo@public.gmane.org>
2018-02-04 10:49 ` [RFC 1/3] seccomp: add a return code to trap to userspace Tycho Andersen
2018-02-04 10:49 ` [RFC 2/3] seccomp: hoist out filter resolving logic Tycho Andersen
2018-02-04 10:49 ` [RFC 3/3] seccomp: add a way to get a listener fd from ptrace Tycho Andersen
2018-03-15 16:09 ` [RFC 0/3] seccomp trap to userspace Christian Brauner
2018-02-04 10:49 ` [RFC 3/3] seccomp: add a way to get a listener fd from ptrace Tycho Andersen
[not found] ` <20180204104946.25559-4-tycho-E0fblnxP3wo@public.gmane.org>
2018-02-13 21:32 ` Kees Cook
2018-02-13 21:32 ` Kees Cook
[not found] ` <CAGXu5jLS2dzCjZOKa-W4kUdOPoJkRAq5Rsw1t5jX99v34yaoQw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2018-02-14 15:33 ` Tycho Andersen
2018-02-14 15:33 ` Tycho Andersen
2018-03-15 16:09 ` [RFC 0/3] seccomp trap to userspace Christian Brauner
[not found] ` <20180315160924.GA12744-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2018-03-15 16:56 ` Andy Lutomirski
2018-03-15 16:56 ` Andy Lutomirski
2018-03-15 17:05 ` Serge E. Hallyn
2018-03-15 17:11 ` Andy Lutomirski
2018-03-15 17:35 ` Tycho Andersen
2018-03-16 0:46 ` Andy Lutomirski
2018-03-16 0:46 ` Andy Lutomirski
[not found] ` <CALCETrWH7HbY2gS6O_cYKfp9QqqWBWVcHb++GaP3uUiSO9oo6g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2018-03-16 14:47 ` Christian Brauner
2018-03-16 14:47 ` Christian Brauner
2018-03-16 16:01 ` Andy Lutomirski
[not found] ` <D73E5C37-DC92-4D58-A163-0B20143AAEEB-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
2018-03-16 16:40 ` Christian Brauner
2018-03-16 16:40 ` Christian Brauner
[not found] ` <20180316144751.GA3304-cl+VPiYnx/1AfugRpC6u6w@public.gmane.org>
2018-03-16 16:01 ` Andy Lutomirski
[not found] ` <CALCETrXPcCNbpFJhXktkVS9gOPpmnU_bbY6Z8RrsBarq0dP4Lg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2018-03-15 17:25 ` Christian Brauner
2018-03-15 17:25 ` Christian Brauner
[not found] ` <20180315172558.GA28108-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2018-03-15 17:30 ` Andy Lutomirski
2018-03-15 17:30 ` Andy Lutomirski
2018-03-15 17:35 ` Tycho Andersen
[not found] ` <20180315170509.GA32766-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2018-03-15 17:11 ` Andy Lutomirski
[not found] ` <CALCETrVnvbZLx5v=DMu2N1JtR+ys507X5CYBi-qQnus3VMQdwg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2018-03-15 17:05 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180204200129.2bgq5yfaimg6xdg5@cisco \
--to=tycho-e0fblnxp3wo@public.gmane.org \
--cc=christian.brauner-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=suda.akihiro-Zyj7fXuS5i5L9jVzuh4AOg@public.gmane.org \
--cc=tyhicks-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.