From: Sargun Dhillon <firstname.lastname@example.org> To: Jann Horn <email@example.com> Cc: Kees Cook <firstname.lastname@example.org>, kernel list <email@example.com>, Tycho Andersen <firstname.lastname@example.org>, Aleksa Sarai <email@example.com>, Christian Brauner <firstname.lastname@example.org>, Linux Containers <email@example.com>, Linux API <firstname.lastname@example.org> Subject: Re: [RFC PATCH] seccomp: Add extensibility mechanism to read notifications Date: Tue, 16 Jun 2020 05:12:19 +0000 [thread overview] Message-ID: <20200616051218.GA16032@ircssh-2.c.rugged-nimbus-611.internal> (raw) In-Reply-To: <CAG48ez2ZyYkHhbuwLYehR5fx2_d9yoVg4tBmyqvVqpy-oZ-0cA@mail.gmail.com> On Mon, Jun 15, 2020 at 11:36:22AM +0200, Jann Horn wrote: > On Sat, Jun 13, 2020 at 9:26 AM Sargun Dhillon <email@example.com> wrote: > > This introduces an extensibility mechanism to receive seccomp > > notifications. It uses read(2), as opposed to using an ioctl. The listener > > must be first configured to write the notification via the > > SECCOMP_IOCTL_NOTIF_CONFIG ioctl with the fields that the user is > > interested in. > > > > This is different than the old SECCOMP_IOCTL_NOTIF_RECV method as it allows > > for more flexibility. It allows the user to opt into certain fields, and > > not others. This is nice for users who want to opt into some fields like > > thread group leader. In the future, this mechanism can be used to expose > > file descriptors to users, > > Please don't touch the caller's file descriptor table from read/write > handlers, only from ioctl handlers. A process should always be able to > read from files supplied by an untrusted user without having to worry > about new entries mysteriously popping up in its fd table. > Acknowledged. Is something like: ioctl(listener, SECCOMP_GET_MEMORY, notification_id); reasonable in your opinion? > > such as a representation of the process's > > memory. It also has good forwards and backwards compatibility guarantees. > > Users with programs compiled against newer headers will work fine on older > > kernels as long as they don't opt into any sizes, or optional fields that > > are only available on newer kernels. > > > > The ioctl method relies on an extensible struct. This extensible struct > > is slightly misleading as the ioctl number changes when we extend it. > > This breaks backwards compatibility with older kernels even if we're not > > asking for any fields that we do not need. In order to deal with this, the > > ioctl number would need to be dynamic, or the user would need to pass the > > size they're expecting, and we would need to implemented "extended syscall" > > semantics in ioctl. This potentially causes issue to future work of > > kernel-assisted copying for ioctl user buffers. > > I don't see the issue. Can't you replace "switch (cmd)" with "switch > (cmd & ~IOCSIZE_MASK)" and then check the size separately? It depends: 1. If we rely purely on definitions in ioctl.h, and the user they've pulled in a newer header file, on an older kernel, it will fail. This is because the size is bigger, and we don't actually know if they're interested in those new values 2. We can define new seccomp IOCTL versions, and expose these to the user. This has some niceness to it, in that there's a simple backwards compatibiity story. This is a little unorthodox though. 3. We do something like embed the version / size that someone is interested in in the struct, and the ioctl reads it in order to determine which version of the fields to populate. This is effectively what the read approach does with more steps. There's no reason we can't do #3. Just a complexity tradeoff.
next prev parent reply other threads:[~2020-06-16 5:12 UTC|newest] Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-06-13 7:26 Sargun Dhillon 2020-06-15 9:36 ` Jann Horn 2020-06-16 5:12 ` Sargun Dhillon [this message] 2020-06-15 13:44 ` Tycho Andersen 2020-06-15 18:26 ` Kees Cook
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20200616051218.GA16032@ircssh-2.c.rugged-nimbus-611.internal \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --subject='Re: [RFC PATCH] seccomp: Add extensibility mechanism to read notifications' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).