Received: by 10.223.185.116 with SMTP id b49csp4376350wrg; Mon, 26 Feb 2018 16:50:26 -0800 (PST) X-Google-Smtp-Source: AH8x224mzWtSGZPYrveAc+W93jhUlXkNN+vQiiwmcdoeverGdnMqOHbE5ui67aNuUHmWHX98xugt X-Received: by 2002:a17:902:c6b:: with SMTP id 98-v6mr12102267pls.267.1519692626557; Mon, 26 Feb 2018 16:50:26 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519692626; cv=none; d=google.com; s=arc-20160816; b=0hX30PwrKLRQSi4x+JM8WSKGfaKxaDBNEGBx2BSgr3GhaqmtU9NNkA8p2BczWwIRyK USWddCUFT+3ChcntsXB3B2i94xkmFZzuGxDIOhqC5msOCmP98jDwE4Tuotgdp+W+uOpm uOG+FRmmM6Jtur2dhtk4nEIx7dBjw0VzunG1e47aXFVxmZYozCya4+uuQqqWhjf9ZsWv LoOi7ldqvANW3iBSPY50YhnipNvcQCHzFg6/TUVNql0pR1rfiu2n9jfYAKVDUzfYLqfa 3QWal5oImC8rjVKHb/9Dm+0kvxl471mV6OLrJrip6XdOStXuJgq9k6xxqA8JrL0ln7Hs 3iKA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=/kDo2O+Aggzlv/KOb8g7KB9Q9mFbUOMhtkFGjmmUdEc=; b=KM/qsaN/bw68KmIrWYYVONEIlUQCJC642pcfrtOxeYaRF68QSALAGxwE4zyWHbJmzi nKgxw/pN3CsCcTfDpNTvDAoTJM/oW8snYKV5iIrKt3rwTeXyTDXmw2s5AJ+snjF1F6Gw WiccSxN1HsbnwtW4Potj8ZZIqMDLL4ikWoyA7j5bIfhFSPXSJkMsyJl+EBxzLOCZb0cF 2/c6z+GKlBieqKbKn7OsY8lgABr77kNhy0N936j6xJ3JD/I+quDAV4aikoIRn88ZAbpT a5JZDv40H7QOuwULx+J0QSBCR/RuXf1amMOgginR2+0S85GJEjFAva90Z3r9Q6esx+5u TIfg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=l/H7gSTr; dkim=fail header.i=@chromium.org header.s=google header.b=DMZrRIoh; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h1-v6si7539668pld.16.2018.02.26.16.50.12; Mon, 26 Feb 2018 16:50:26 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=l/H7gSTr; dkim=fail header.i=@chromium.org header.s=google header.b=DMZrRIoh; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751510AbeB0Ate (ORCPT + 99 others); Mon, 26 Feb 2018 19:49:34 -0500 Received: from mail-vk0-f43.google.com ([209.85.213.43]:45081 "EHLO mail-vk0-f43.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751610AbeB0At0 (ORCPT ); Mon, 26 Feb 2018 19:49:26 -0500 Received: by mail-vk0-f43.google.com with SMTP id k187so11142922vke.12 for ; Mon, 26 Feb 2018 16:49:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=/kDo2O+Aggzlv/KOb8g7KB9Q9mFbUOMhtkFGjmmUdEc=; b=l/H7gSTrC0z/09vNHqzpi4wpCy2qCwrmom3Tk5OkWJu7Qqmn6YNT8T+nR9beFtPMTi YG3bvkhlJMvW1r7VEpwwsp19kQdXx7nzvd/AIzz8VAiuZG24if/bXiDSsk0BNknDUKQ6 6rs5o6M0vnQPLSzeaDyby6kIQPwLkgjWYNHz6d4fQtjDQapw9tW7YOGy+WocYMCzOCkr 4I0i/9M+j3zPRzYjjsbpRtSyZwVKLip82r+52f79O1Xst7EU84ydE347eQFSBvpL9S4t 9oAJFmlbSoOk0MMw9u7Ftm85LYktUsztPUxtnlgWti0A/xuGxgKQQNVA8FpSaje6oiN/ gxDw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=/kDo2O+Aggzlv/KOb8g7KB9Q9mFbUOMhtkFGjmmUdEc=; b=DMZrRIohljwc3NVXxymrZVuSVJ89ipSCYCnJmPurZ8V8SPo6D81csysG8qWqsEjO97 ghvS6UkBw6HE5jDtSfHNBjjCoJzh5Yyc3fWiYK6/dYheXmUSg0MoS8E2C6RcPpEMGE05 NkuYj2iInp5LMRQnuSjASulqjCvfgvtWbS3Rg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=/kDo2O+Aggzlv/KOb8g7KB9Q9mFbUOMhtkFGjmmUdEc=; b=B54slKsTJn0wh26hMrFL6g2PIrJ0bl7TOb+LO8WFsYVCPIbZ5fbZMVHnue46nihgAs xgbEzkP1p+PF4kfJrQ7PNITWc/I1z8BFvrFK6gufBfnb2oZZsZtrrsN/XMSWLkiBfFAN MQVMLs52z1sMQ6LmFXY9iU1mru2qZNngDwa1RTtKCq3RL0f44RbQ7YrDmrZfiOmilRrx T4UnlItpknrd4giomcL/CgmffShLJEkjeooLAmdXPv3M6nEAAyZ6rRa8wX0ESh45VMtS zO+T+LBsAsxtvb5dMYgvCGcm28LgcJFZP/etit3u1f388NEQR0IdygdN3qEINWt8IYnx be6g== X-Gm-Message-State: APf1xPAmw4k9vghud9XsS1u1yArzpBHBolHPAWdcf8g3B8qSfarFDsZ9 S2/kDFvbD7Z7Oj7ZwQbX86r0ECongzWpj0OKeEZdTsM7 X-Received: by 10.31.196.131 with SMTP id u125mr9186861vkf.158.1519692562923; Mon, 26 Feb 2018 16:49:22 -0800 (PST) MIME-Version: 1.0 Received: by 10.31.242.140 with HTTP; Mon, 26 Feb 2018 16:49:21 -0800 (PST) In-Reply-To: References: <20180204104946.25559-1-tycho@tycho.ws> <20180204104946.25559-2-tycho@tycho.ws> <20180214152958.cjgwh2k52zji2jxk@cisco> From: Kees Cook Date: Mon, 26 Feb 2018 16:49:21 -0800 X-Google-Sender-Auth: wgPSZq4vC2fSPk2M7Bb26eObKY8 Message-ID: Subject: Re: [RFC 1/3] seccomp: add a return code to trap to userspace To: Andy Lutomirski Cc: Tycho Andersen , LKML , Linux Containers , Oleg Nesterov , "Eric W . Biederman" , "Serge E . Hallyn" , Christian Brauner , Tyler Hicks , Akihiro Suda , Tom Hromatka , Sargun Dhillon , Paul Moore Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Feb 14, 2018 at 9:19 AM, Andy Lutomirski wrote: > On Wed, Feb 14, 2018 at 3:29 PM, Tycho Andersen wrote: >> On Tue, Feb 13, 2018 at 01:09:20PM -0800, Kees Cook wrote: >>> On Sun, Feb 4, 2018 at 2:49 AM, Tycho Andersen wrote: >>> I wonder if this communication should be netlink, which gives a more >>> well-structured way to describe what's on the wire? The reason I ask >>> is because if we ever change the seccomp_data structure, we'll now >>> have two places where we need to deal with it (the first being within >>> the BPF itself). My initial idea was to prefix the communication with >>> a size field, then send the structure, and then I had nightmares, and >>> realized this was basically netlink reinvented. >> >> I suggested netlink in LA, and everyone (especially Andy) groaned very >> loudly :). I'm happy to switch it to netlink if you like, although i >> think memcpy() of structs should be safe here, since the return value >> from read or write can indicate the size of things. > > I could easily get on board with "netlink" (i.e. NLA) messages sent > over an fd. I will object strongly to the use of netlink *sockets*. Yeah, I was thinking NLA over the fd; not a netlink socket. >>> An ERRNO filter would block a USER_NOTIF because it's unconditional. >>> TRACE could be either, USER_NOTIF could be either. >>> >>> This means TRACE rules would be bumped by a USER_NOTIF... hmm. >> >> Yes, I didn't exactly know what to do here. ERRNO, TRAP, and KILL all >> seemed more important than USER_NOTIF, but TRACE didn't. I don't have >> a strong opinion about what to do here, because users can adjust their >> filters accordingly. Let me know what you prefer. > > If we switched to eBPF functions, this whole issue goes away. Yeah, though we'd still need some kind of "wait for answer" eBPF function. It feels wrong to re-use maps for that... -Kees -- Kees Cook Pixel Security