All of lore.kernel.org
 help / color / mirror / Atom feed
From: Jann Horn <jannh@google.com>
To: Kees Cook <keescook@chromium.org>
Cc: Sargun Dhillon <sargun@sargun.me>,
	Christian Brauner <christian.brauner@ubuntu.com>,
	Linux Containers <containers@lists.linux-foundation.org>,
	Aleksa Sarai <cyphar@cyphar.com>,
	Jeffrey Vander Stoep <jeffv@google.com>,
	Linux API <linux-api@vger.kernel.org>,
	kernel list <linux-kernel@vger.kernel.org>,
	Chris Palmer <palmer@google.com>,
	Robert Sesek <rsesek@google.com>, Tycho Andersen <tycho@tycho.ws>,
	Matt Denton <mpdenton@google.com>,
	Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: [PATCH v2 2/3] seccomp: Introduce addfd ioctl to seccomp user notifier
Date: Sat, 30 May 2020 05:17:24 +0200	[thread overview]
Message-ID: <CAG48ez0+BvbLoSc+zcZwnwfOSCFt2LHnUkzzt-d4LQFJYXZC9w@mail.gmail.com> (raw)
In-Reply-To: <202005291926.E9004B4@keescook>

On Sat, May 30, 2020 at 4:43 AM Kees Cook <keescook@chromium.org> wrote:
> I mean, yes, that's certainly better, but it just seems a shame that
> everyone has to do the get_unused/put_unused dance just because of how
> SCM_RIGHTS does this weird put_user() in the middle.
>
> Can anyone clarify the expected failure mode from SCM_RIGHTS? Can we
> move the put_user() after instead?

Honestly, I think trying to remove file descriptors and such after
-EFAULT is a waste of time. If userspace runs into -EFAULT, userspace
is beyond saving and can't really do much other than exit immediately.
There are a bunch of places that will change state and then throw
-EFAULT at the end if userspace supplied an invalid address, because
trying to hold locks across userspace accesses just in case userspace
supplied a bogus address is kinda silly (and often borderline
impossible).

You can actually see that even scm_detach_fds() currently just
silently swallows errors if writing some header fields fails at the
end.

  reply	other threads:[~2020-05-30  3:17 UTC|newest]

Thread overview: 36+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-05-28 11:08 [PATCH v2 0/3] Add seccomp notifier ioctl that enables adding fds Sargun Dhillon
2020-05-28 11:08 ` [PATCH v2 1/3] seccomp: Add find_notification helper Sargun Dhillon
2020-05-29  6:23   ` Kees Cook
2020-05-29 17:40     ` Sargun Dhillon
2020-05-29 20:14       ` Kees Cook
2020-05-29  9:57   ` Christian Brauner
2020-05-28 11:08 ` [PATCH v2 2/3] seccomp: Introduce addfd ioctl to seccomp user notifier Sargun Dhillon
2020-05-29  7:31   ` Kees Cook
2020-05-29  7:38     ` Christian Brauner
2020-05-29  7:45       ` Kees Cook
2020-05-30  1:10     ` Sargun Dhillon
2020-05-30  2:43       ` Kees Cook
2020-05-30  3:17         ` Jann Horn [this message]
2020-05-30  5:22           ` Kees Cook
2020-05-30 13:58           ` Christian Brauner
2020-05-30 16:09             ` Kees Cook
2020-05-30  3:58         ` Sargun Dhillon
2020-05-30  5:47           ` Kees Cook
2020-05-30 14:13             ` Christian Brauner
2020-05-30 16:14               ` Kees Cook
2020-05-30 16:21                 ` Christian Brauner
2020-05-30 14:08         ` Al Viro
2020-05-30 16:07           ` Kees Cook
2020-06-01 19:02             ` Sargun Dhillon
2020-06-01 19:59               ` Kees Cook
2020-05-29  9:24   ` Giuseppe Scrivano
2020-05-29 10:32   ` Christian Brauner
2020-05-29 13:31     ` Christian Brauner
2020-05-29 22:35       ` Sargun Dhillon
2020-05-28 11:08 ` [PATCH v2 3/3] selftests/seccomp: Test SECCOMP_IOCTL_NOTIF_ADDFD Sargun Dhillon
2020-05-29  7:41   ` Kees Cook
2020-05-29 13:29     ` Tycho Andersen
2020-05-29 18:46     ` Sargun Dhillon
2020-05-29 19:12       ` Tycho Andersen
2020-05-29 20:09       ` Kees Cook
2020-05-29 13:30 ` [PATCH v2 0/3] Add seccomp notifier ioctl that enables adding fds Tycho Andersen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAG48ez0+BvbLoSc+zcZwnwfOSCFt2LHnUkzzt-d4LQFJYXZC9w@mail.gmail.com \
    --to=jannh@google.com \
    --cc=christian.brauner@ubuntu.com \
    --cc=containers@lists.linux-foundation.org \
    --cc=cyphar@cyphar.com \
    --cc=jeffv@google.com \
    --cc=keescook@chromium.org \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mpdenton@google.com \
    --cc=palmer@google.com \
    --cc=rsesek@google.com \
    --cc=sargun@sargun.me \
    --cc=tycho@tycho.ws \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.