From: Andy Lutomirski
Date: Mon, 19 Mar 2018 02:13:25 +0000
Subject: Re: [PATCH] bpf: whitelist syscalls for error injection
To: Dominik Brodowski
Cc: Howard McLauchlan, Andy Lutomirski, Ingo Molnar, LKML, Linux API, Al Viro, Thomas Gleixner, Yonghong Song, "David S . Miller", Thomas Garnier, kernel-team
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Mar 18, 2018 at 6:47 AM, Dominik Brodowski wrote:
> On Fri, Mar 16, 2018 at 03:55:04PM -0700, Howard McLauchlan wrote:
>> On 03/13/2018 04:56 PM, Andy Lutomirski wrote:
>> > On Tue, Mar 13, 2018 at 11:16 PM, Howard McLauchlan wrote:
>> >> Error injection is a useful mechanism to fail arbitrary kernel
>> >> functions. However, it is often hard to guarantee an error propagates
>> >> appropriately to user space programs. By injecting into syscalls, we can
>> >> return arbitrary values to user space directly; this increases
>> >> flexibility and robustness in testing, allowing us to test user space
>> >> error paths effectively.
>> >
>> > Temporary NAK IMO. Specifically:
>> >
>> >> diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
>> >> index a78186d826d7..e8c6d63ace78 100644
>> >> --- a/include/linux/syscalls.h
>> >> +++ b/include/linux/syscalls.h
>> >> @@ -191,6 +191,8 @@ static inline int is_syscall_trace_event(struct trace_event_call *tp_event)
>> >>
>> >> #define SYSCALL_DEFINE0(sname) \
>> >> SYSCALL_METADATA(_##sname, 0); \
>> >> + asmlinkage long sys_##sname(void); \
>> >> + ALLOW_ERROR_INJECTION(sys_##sname, ERRNO); \
>> >
>> > sys_xyz() is not just the syscall itself; it's also a helper that's
>> > used for entirely silly reasons by various bits of kernel code for
>> > quite a few syscalls. Fortunately, Dominik has patches to fix that,
>> > and Linus is even considering pulling them for 4.16. This patch will
>> > most likely conflict with the final result of Dominik's series.
>> >
>> > Can you and Dominik coordinate a bit to get this patch or its
>> > equivalent landed on top of Dominik's work? It might make sense for
>> > Dominik to just add this patch to his series so it can land with the
>> > rest of it. Dominik, Ingo, what do you think?
>> >
>> > --Andy
>> >
>>
>> Dominik,
>>
>> This patch applies cleanly on top of your patch series. Is there anything you'd need from me to get this in on top of your work?
>
> Howard,
>
> would this form part of the kernel<->userspace interface and therefore needs
> to be kept stable? If so, this patch should wait until the arch-specific
> syscall calling convention is agreed upon.
>
> Moreover, the patches I sent out already do not cover all syscalls yet.
> Until all in-kernel users of sys_*() are gone (or at least outside arch/),
> I'd prefer to postpone this patch.
>

I was assuming that this ALLOW_ERROR_INJECTION thing is *not*
considered stable ABI. We should be free to change the way that the
syscall entry code calls syscalls whenever we like. If you want a
stable syscall error injection mechanism, make it work like seccomp
instead, please.
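
Review bot: The `ALLOW_ERROR_INJECTION(sys_##sname, ERRNO);` line added to `SYSCALL_DEFINE0` in the quoted include/linux/syscalls.h hunk whitelists the `sys_##sname` symbol itself, so an injected error is seen by every caller of that function and not only on the return path to user space that the commit message describes. Since the thread notes that sys_*() is still called from other kernel code, consider attaching the annotation to a symbol that is reached only from the syscall entry path, and add a comment beside the macro stating whether the whitelist is meant to be stable ABI. The new `asmlinkage long sys_##sname(void);` declaration would also benefit from a one-line comment saying why it is needed at this point in the macro.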