Re: [PATCH v6 3/5] seccomp: add a way to get a listener fd from ptrace

From: Michael Tirado <mtirado418@gmail.com>
To: Andy Lutomirski <luto@amacapital.net>, Tycho Andersen <tycho@tycho.ws>
Cc: LKML <linux-kernel@vger.kernel.org>, Kees Cook <keescook@chromium.org>
Subject: Re: [PATCH v6 3/5] seccomp: add a way to get a listener fd from ptrace
Date: Wed, 17 Oct 2018 07:25:00 +0000	[thread overview]
Message-ID: <CAMkWEXNN2_saQN-yQ7Pwgau1YTYQQuih+KLnKj5-cOYa6CyMPw@mail.gmail.com> (raw)
In-Reply-To: <CALCETrXGBZyqDb7DEysHmOkxaBrXUp4s2X08HfqZkpjM28s3Hg@mail.gmail.com>

On Thu, Sep 13, 2018 at 12:02 AM Andy Lutomirski <luto@amacapital.net> wrote:
>
> Or we could have a
> seccomp() mode that adds a filter but only kicks in after execve().
>
> --Andy

Hey that's a pretty good idea, then we could block execve in a seccomp
launcher without post-exec cooperation, or that patch I wrote that used
an execve counter which probably should have been through prctl instead.

As for the rest of this long thread,
has anyone mentioned a specific use case that I missed? I didn't see code
patches sent to the linux-kernel mailing list, only this discussion thread
so I'm probably missing some important context.  Was it for loading modules
into kernel from a container?  Couldn't that be handled completely in user
space without using seccomp at all? Do we really want to turn seccomp into
a container IPC mechanism? It seems out of scope IMO, and especially
if it could be handled in user space already.

Why does it have to be a file descriptor, what would you be writing back to?
Could waitid be used somehow instead of ptrace to get notification
from a filter?
tldr, can someone kindly tell me how to find all the details surrounding these
patches so I can stop making really bad guesses?