Received: by 10.223.185.116 with SMTP id b49csp4481425wrg; Mon, 26 Feb 2018 19:30:17 -0800 (PST) X-Google-Smtp-Source: AH8x22632obBmLc19NQugt4u178x5qzlLwms6ijXqtGjbYhFDd94mowu8XT2QAoZI+9AtmJCrDjl X-Received: by 10.101.92.196 with SMTP id b4mr9990085pgt.27.1519702216895; Mon, 26 Feb 2018 19:30:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519702216; cv=none; d=google.com; s=arc-20160816; b=j34ZuvLJqpNM/XVZq2gYPeVoQ4TWvPj8IpT+70W7B6c6NDTch5TRaa050EPpqc9uYZ KrHOTyNWzZTpRpv1rFzNLqOvtP2W1ik6RHzC6/VrQjwubV+eb88v0c94GK8DimmzjM2s 0au6BziuB+oaK/gz45HtB8j6878qdK/Xnw2SIPMyaPcksON7zXkLzhAhByRKipmr7f1u gTCK3LtzT5AnB16lWfSfYfsZlxc8d5ryKM217GEHuv2B1ReXnVmROBB9QGIWPtHBPb3O J3qBdupokhgGyXAwGK9COUdweOsf9AKpbcOEX9gpQtZgzk0tvOP3gdxD1mNx0Af52Yp2 Z6Jg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version:dkim-signature:arc-authentication-results; bh=GVrPYuMC8QJEbixWw2aA4IB+boVg6JWKcceAcYRapQI=; b=YDJbM4H3OB18nj6UJhNkeYNfI11XNi93fmcxNKs9TS6cJc3JvMOdzZh+R/+uFwZPx1 Rx2auwI7V8ho3lkv9K4WRL6tQRop+FoXUzfbrTTsLtgqaS5buZV2SAu9TCYdsETryEpW KYO3Ys0i39LrW3DY7Y2IWZCv2YbrURFkOuBu01YK8GPnsyi4ZbGDWhhBkHdOy/lCp7wx sufeaEmTBolTGaLJtB2UzwE3k8xARU4nMA5weOXQ3RjyEKaBUL9ARM1RmfLMQq2UmmCC b1AGwvvfrT+Ilrmo5FmpVbo3Bv2eBIlC62j94B5kkiV0hLWb6Z9j551y2NU1f8hxBa7M gZ9A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=wJYOut85; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k1si7884076pfg.38.2018.02.26.19.29.47; Mon, 26 Feb 2018 19:30:16 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=wJYOut85; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751752AbeB0D14 (ORCPT + 99 others); Mon, 26 Feb 2018 22:27:56 -0500 Received: from mail-pl0-f51.google.com ([209.85.160.51]:39624 "EHLO mail-pl0-f51.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751586AbeB0D1z (ORCPT ); Mon, 26 Feb 2018 22:27:55 -0500 Received: by mail-pl0-f51.google.com with SMTP id s13so10589278plq.6 for ; Mon, 26 Feb 2018 19:27:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=GVrPYuMC8QJEbixWw2aA4IB+boVg6JWKcceAcYRapQI=; b=wJYOut85yFhiX4pku8iR/wASDOSKpFGt6KxZ+w3CNVaU0+gU7Bn7mtvyXAflH3GDt9 GJBMBJ5TJvZJKjJekMUeqG/p3MvqN5flrL/F/NThv7MTAjGmLseFEVR87v9M8+s5aFpl 8+uBj/V6HOTAMK546InBFjGE70j9bsO4GgbHb/rXUJ/2u7ZC3zI/5L036PdrKMypG6L7 pywMXhGdJFGkWinvqZFhfH9d2/nBuw3Yh57mo91Out51dSjiYuYC3IZ14UPw9yVlTj9A lfJZBL45oFkUzR1Z6cT1tIKs4pEH+SXo0FJ/auT2PdhL9ttwSHauIgVbgOOPprwxWHQo x23g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=GVrPYuMC8QJEbixWw2aA4IB+boVg6JWKcceAcYRapQI=; b=MTkfygyMusru35C8nQ2XtOqD3YSbMXvGh/lAYnXsLDFlC5IibYuDSOJb64OLNahDs7 Q8++39+ARsSQ+35Q2cK8nvcqjHKRAKcC7Cf5JMMK5Ddbi+xTZfnEQbMob5Qt93mEFLHC DxJjdqDE9LJTqg0ggYWvbZhDQBSE4jVwf7DVJ5l8NzWCeo8+Gjyd0ul5VG4n5URcqNCi mcTt5RPT7RmUzOlBg9ewwAdBAnuzBKxjRGj0zTwwGfGBWDkecMPG1W5UceVAvHmKCyHI 1A/HydIfdnhT3AkhorIR5g6pbXPe91t564qJ2B9rXUkeQovo984KBNhg4UIhhLUX2xNK Na2w== X-Gm-Message-State: APf1xPBAFOHFElGu8vU9LBJ1oXhyN+yTzqr2eqPMIyLHWQDU2fjyLuzD pBGVO/lWtn1I5WUgoFc7MONRzQ== X-Received: by 2002:a17:902:5716:: with SMTP id k22-v6mr13016325pli.229.1519702074535; Mon, 26 Feb 2018 19:27:54 -0800 (PST) Received: from ?IPv6:2600:1010:b019:8e6d:3995:b48a:80db:4dd9? ([2600:1010:b019:8e6d:3995:b48a:80db:4dd9]) by smtp.gmail.com with ESMTPSA id x4sm7393013pgv.72.2018.02.26.19.27.52 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 26 Feb 2018 19:27:53 -0800 (PST) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (1.0) Subject: Re: [RFC 1/3] seccomp: add a return code to trap to userspace From: Andy Lutomirski X-Mailer: iPhone Mail (15D60) In-Reply-To: Date: Mon, 26 Feb 2018 19:27:51 -0800 Cc: Tycho Andersen , LKML , Linux Containers , Oleg Nesterov , "Eric W . Biederman" , "Serge E . Hallyn" , Christian Brauner , Tyler Hicks , Akihiro Suda , Tom Hromatka , Sargun Dhillon , Paul Moore , ast@kernel.org Content-Transfer-Encoding: quoted-printable Message-Id: <6314EDD9-2B0F-454C-9B99-E57694DC7AE1@amacapital.net> References: <20180204104946.25559-1-tycho@tycho.ws> <20180204104946.25559-2-tycho@tycho.ws> <20180214152958.cjgwh2k52zji2jxk@cisco> To: Kees Cook Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Feb 26, 2018, at 4:49 PM, Kees Cook wrote: >=20 >> On Wed, Feb 14, 2018 at 9:19 AM, Andy Lutomirski wr= ote: >>> On Wed, Feb 14, 2018 at 3:29 PM, Tycho Andersen wrote: >>>> On Tue, Feb 13, 2018 at 01:09:20PM -0800, Kees Cook wrote: >>>> On Sun, Feb 4, 2018 at 2:49 AM, Tycho Andersen wrote: >>>> I wonder if this communication should be netlink, which gives a more >>>> well-structured way to describe what's on the wire? The reason I ask >>>> is because if we ever change the seccomp_data structure, we'll now >>>> have two places where we need to deal with it (the first being within >>>> the BPF itself). My initial idea was to prefix the communication with >>>> a size field, then send the structure, and then I had nightmares, and >>>> realized this was basically netlink reinvented. >>>=20 >>> I suggested netlink in LA, and everyone (especially Andy) groaned very >>> loudly :). I'm happy to switch it to netlink if you like, although i >>> think memcpy() of structs should be safe here, since the return value >>> from read or write can indicate the size of things. >>=20 >> I could easily get on board with "netlink" (i.e. NLA) messages sent >> over an fd. I will object strongly to the use of netlink *sockets*. >=20 > Yeah, I was thinking NLA over the fd; not a netlink socket. >=20 >>>> An ERRNO filter would block a USER_NOTIF because it's unconditional. >>>> TRACE could be either, USER_NOTIF could be either. >>>>=20 >>>> This means TRACE rules would be bumped by a USER_NOTIF... hmm. >>>=20 >>> Yes, I didn't exactly know what to do here. ERRNO, TRAP, and KILL all >>> seemed more important than USER_NOTIF, but TRACE didn't. I don't have >>> a strong opinion about what to do here, because users can adjust their >>> filters accordingly. Let me know what you prefer. >>=20 >> If we switched to eBPF functions, this whole issue goes away. >=20 > Yeah, though we'd still need some kind of "wait for answer" eBPF > function. It feels wrong to re-use maps for that... >=20 BPF_CALL. Alexei, can we make it so that each bpf program type can easily limit which B= PF_CALL helpers can be use and allow bpf program types to add their own help= ers?c=