From: Kees Cook <keescook@chromium.org>
To: Sargun Dhillon <sargun@sargun.me>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <christian.brauner@ubuntu.com>,
Linux Containers <containers@lists.linux-foundation.org>,
Aleksa Sarai <cyphar@cyphar.com>, Jann Horn <jannh@google.com>,
Jeffrey Vander Stoep <jeffv@google.com>,
Linux API <linux-api@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Chris Palmer <palmer@google.com>,
Robert Sesek <rsesek@google.com>, Tycho Andersen <tycho@tycho.ws>,
Matt Denton <mpdenton@google.com>
Subject: Re: [PATCH v2 2/3] seccomp: Introduce addfd ioctl to seccomp user notifier
Date: Mon, 1 Jun 2020 12:59:34 -0700 [thread overview]
Message-ID: <202006011259.07FAF4AA@keescook> (raw)
In-Reply-To: <CAMp4zn88ZKwKJyp+ekZnbVsjbTceHCM7d5yTqsR63BNP1QMv7Q@mail.gmail.com>
On Mon, Jun 01, 2020 at 12:02:10PM -0700, Sargun Dhillon wrote:
> On Sat, May 30, 2020 at 9:07 AM Kees Cook <keescook@chromium.org> wrote:
> >
> > On Sat, May 30, 2020 at 03:08:37PM +0100, Al Viro wrote:
> > > On Fri, May 29, 2020 at 07:43:10PM -0700, Kees Cook wrote:
> > >
> > > > Can anyone clarify the expected failure mode from SCM_RIGHTS? Can we
> > > > move the put_user() after instead? I think cleanup would just be:
> > > > replace_fd(fd, NULL, 0)
> > >
> > > Bollocks.
> > >
> > > Repeat after me: descriptor tables can be shared. There is no
> > > "cleanup" after you've put something there.
> >
> > Right -- this is what I was trying to ask about, and why I didn't like
> > the idea of just leaving the fd in the table on failure. But yeah, there
> > is a race if the process is about to fork or something.
> >
> > So the choice here is how to handle the put_user() failure:
> >
> > - add the put_user() address to the new helper, as I suggest in [1].
> > (exactly duplicates current behavior)
> > - just leave the fd in place (not current behavior: dumps a fd into
> > the process without "agreed" notification).
> > - do a double put_user (once before and once after), also in [1].
> > (sort of a best-effort combo of the above two. and SCM_RIGHTS is
> > hardly fast-pth).
> >
> > -Kees
> >
> > [1] https://lore.kernel.org/linux-api/202005282345.573B917@keescook/
> >
> > --
> > Kees Cook
>
> I'm going to suggest we stick to the approach of doing[1]:
> 1. Allocate FD
> 2. put_user
> 3. "Receive" and install file into FD
>
> That is the only way to preserve the current behaviour in which userspace
> is notified about *every* FD that is received via SCM_RIGHTS. The
> scm_detach_fds code as it reads today does effectively what is above,
> in that the fd is not installed until *after* the put user. Therefore
> if put_user
> gets an EFAULT or ENOMEM, it falls through to the MSG_CTRUNC bit.
>
> The approach suggested[2] has a "change" in behaviour, in that (all in
> file_receive):
> 1. Allocate FD
> 2. Receive file
> 3. put_user
>
> Based on what Al Viro said, I don't think we can simply add step #4,
> being "just" uninstall the FD.
>
> [1]: https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg2179418.html
> [2]: https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg2179453.html
Agreed. Thanks!
--
Kees Cook
next prev parent reply other threads:[~2020-06-01 19:59 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-28 11:08 [PATCH v2 0/3] Add seccomp notifier ioctl that enables adding fds Sargun Dhillon
2020-05-28 11:08 ` [PATCH v2 1/3] seccomp: Add find_notification helper Sargun Dhillon
2020-05-29 6:23 ` Kees Cook
2020-05-29 17:40 ` Sargun Dhillon
2020-05-29 20:14 ` Kees Cook
2020-05-29 9:57 ` Christian Brauner
2020-05-28 11:08 ` [PATCH v2 2/3] seccomp: Introduce addfd ioctl to seccomp user notifier Sargun Dhillon
2020-05-29 7:31 ` Kees Cook
2020-05-29 7:38 ` Christian Brauner
2020-05-29 7:45 ` Kees Cook
2020-05-30 1:10 ` Sargun Dhillon
2020-05-30 2:43 ` Kees Cook
2020-05-30 3:17 ` Jann Horn
2020-05-30 5:22 ` Kees Cook
2020-05-30 13:58 ` Christian Brauner
2020-05-30 16:09 ` Kees Cook
2020-05-30 3:58 ` Sargun Dhillon
2020-05-30 5:47 ` Kees Cook
2020-05-30 14:13 ` Christian Brauner
2020-05-30 16:14 ` Kees Cook
2020-05-30 16:21 ` Christian Brauner
2020-05-30 14:08 ` Al Viro
2020-05-30 16:07 ` Kees Cook
2020-06-01 19:02 ` Sargun Dhillon
2020-06-01 19:59 ` Kees Cook [this message]
2020-05-29 9:24 ` Giuseppe Scrivano
2020-05-29 10:32 ` Christian Brauner
2020-05-29 13:31 ` Christian Brauner
2020-05-29 22:35 ` Sargun Dhillon
2020-05-28 11:08 ` [PATCH v2 3/3] selftests/seccomp: Test SECCOMP_IOCTL_NOTIF_ADDFD Sargun Dhillon
2020-05-29 7:41 ` Kees Cook
2020-05-29 13:29 ` Tycho Andersen
2020-05-29 18:46 ` Sargun Dhillon
2020-05-29 19:12 ` Tycho Andersen
2020-05-29 20:09 ` Kees Cook
2020-05-29 13:30 ` [PATCH v2 0/3] Add seccomp notifier ioctl that enables adding fds Tycho Andersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202006011259.07FAF4AA@keescook \
--to=keescook@chromium.org \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux-foundation.org \
--cc=cyphar@cyphar.com \
--cc=jannh@google.com \
--cc=jeffv@google.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mpdenton@google.com \
--cc=palmer@google.com \
--cc=rsesek@google.com \
--cc=sargun@sargun.me \
--cc=tycho@tycho.ws \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.