From: Tycho Andersen <tycho@tycho.ws>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Kees Cook <keescook@chromium.org>,
LKML <linux-kernel@vger.kernel.org>,
Linux Containers <containers@lists.linux-foundation.org>,
Linux API <linux-api@vger.kernel.org>,
Oleg Nesterov <oleg@redhat.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Christian Brauner <christian.brauner@ubuntu.com>,
Tyler Hicks <tyhicks@canonical.com>,
Akihiro Suda <suda.akihiro@lab.ntt.co.jp>,
Jann Horn <jannh@google.com>
Subject: Re: [PATCH v6 4/5] seccomp: add support for passing fds via USER_NOTIF
Date: Fri, 21 Sep 2018 16:03:36 -0600 [thread overview]
Message-ID: <20180921220336.GU4672@cisco> (raw)
In-Reply-To: <CALCETrWxjLw6-pMcOydDxbf6KfMrYZcdriTk5g7U3Ba6cRNJNg@mail.gmail.com>
On Fri, Sep 21, 2018 at 11:27:59AM -0700, Andy Lutomirski wrote:
> On Fri, Sep 21, 2018 at 6:39 AM Tycho Andersen <tycho@tycho.ws> wrote:
> >
> > On Thu, Sep 20, 2018 at 07:18:45PM -0700, Andy Lutomirski wrote:
> > >
> > > I think we just want the operation to cover all the cases. Let PUT_FD
> > > take a source fd and a dest fd. If the source fd is -1, the dest is
> > > closed. If the source is -1 and the dest is -1, return -EINVAL. If
> > > the dest is -1, allocate an fd. If the dest is >= 0, work like
> > > dup2(). (The latter could be necessary to emulate things like, say,
> > > dup2 :))
> >
> > ...then if we're going to allow overwriting fds, we'd need to lift out
> > the logic from do_dup2 somewhere? Is this getting too complicated? :)
> >
>
> fds are complicated :-p
:D
> More seriously, though, I think it's okay if we don't support
> everything out of the box. getting the general semantics I suggested
> is kind of nice because the resulting API is conceptually simple, even
> if it encapsulates three cases. But I'd be okay with only supporting
> add-an-fd-at-an-unused-position and delete-an-fd out of the box --
> more can be added if there's demand.
It's the delete/replace-an-fd one that has me worried. Anyway, I'll
take a look and see what I can figure out.
> But I think that exposing an operation that allocates and reserves an
> fd without putting anything in the slot is awkward, and it opens us up
> to weird corner cases becoming visible that are currently there but
> mostly hidden. For example, what happens if someone overwrites a
> reserved fd with dup2()? (The answer is apparently -EBUSY -- see the
> big comment in do_dup2() in fs/file.c.) But there's a more
> significant nastiness: what happens if someone abuses your new
> mechanism to overwrite a reserved fd that belongs to a different
> thread? It looks like you'll hit the BUG_ON(fdt->fd[fd] != NULL); in
> __fd_install(). So unless you actually track which unused fds you own
> and enforce that the final installation installs in the right slot,
> you have a problem.
>
> BTW, socketpair() isn't the only thing that can add two fds.
> recvmsg() can, too, as can pipe() and pipe2(). Some of the DRM ioctls
> may as well for all I know. But socketpair(), pipe(), and recvmsg()
> can be credibly emulated by adding each fd in sequence and then
> deleting them all of one fails. Sure, this could race against dup2(),
> but I'm not sure we care.
Yup agreed. We need to do the install when the ioctl() is called.
Tycho
next prev parent reply other threads:[~2018-09-21 22:03 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-06 15:28 [PATCH v6 0/5] seccomp trap to userspace Tycho Andersen
2018-09-06 15:28 ` [PATCH v6 1/5] seccomp: add a return code to " Tycho Andersen
2018-09-06 22:15 ` Tyler Hicks
2018-09-07 15:45 ` Tycho Andersen
2018-09-08 20:35 ` Tycho Andersen
2018-09-06 15:28 ` [PATCH v6 2/5] seccomp: make get_nth_filter available outside of CHECKPOINT_RESTORE Tycho Andersen
2018-09-11 10:25 ` kbuild test robot
2018-09-06 15:28 ` [PATCH v6 3/5] seccomp: add a way to get a listener fd from ptrace Tycho Andersen
2018-09-06 15:45 ` Jann Horn
2018-09-06 15:50 ` Tycho Andersen
2018-09-13 0:00 ` Andy Lutomirski
2018-09-13 9:24 ` Tycho Andersen
2018-10-17 7:25 ` Michael Tirado
2018-10-17 15:00 ` Tycho Andersen
[not found] ` <CAMkWEXM1c7AGTH=tpgoHtPnFFY-V+05nGOU90Sa1E3EPY9OhKQ@mail.gmail.com>
2018-10-17 18:15 ` Michael Tirado
2018-10-21 16:00 ` Tycho Andersen
2018-10-17 18:31 ` Kees Cook
2018-09-06 15:28 ` [PATCH v6 4/5] seccomp: add support for passing fds via USER_NOTIF Tycho Andersen
2018-09-06 16:15 ` Jann Horn
2018-09-06 16:22 ` Tycho Andersen
2018-09-06 18:30 ` Tycho Andersen
2018-09-10 17:00 ` Jann Horn
2018-09-11 20:29 ` Tycho Andersen
2018-09-12 23:52 ` Andy Lutomirski
2018-09-13 9:25 ` Tycho Andersen
2018-09-13 9:42 ` Aleksa Sarai
2018-09-19 9:55 ` Tycho Andersen
2018-09-19 14:19 ` Andy Lutomirski
2018-09-19 14:38 ` Tycho Andersen
2018-09-19 19:58 ` Andy Lutomirski
2018-09-20 23:42 ` Tycho Andersen
2018-09-21 2:18 ` Andy Lutomirski
2018-09-21 13:39 ` Tycho Andersen
2018-09-21 18:27 ` Andy Lutomirski
2018-09-21 22:03 ` Tycho Andersen [this message]
2018-09-21 20:46 ` Jann Horn
2018-09-25 12:53 ` Tycho Andersen
2018-09-06 15:28 ` [PATCH v6 5/5] samples: add an example of seccomp user trap Tycho Andersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180921220336.GU4672@cisco \
--to=tycho@tycho.ws \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=oleg@redhat.com \
--cc=serge@hallyn.com \
--cc=suda.akihiro@lab.ntt.co.jp \
--cc=tyhicks@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).