Date: Sat, 2 Jun 2018 12:18:23 -0600
From: Tycho Andersen
To: Jann Horn
Cc: kernel list, containers@lists.linux-foundation.org, Kees Cook, Andy Lutomirski, Oleg Nesterov, "Eric W. Biederman", "Serge E. Hallyn", christian.brauner@ubuntu.com, Tyler Hicks, suda.akihiro@lab.ntt.co.jp, "Tobin C. Harding"
Subject: Re: [PATCH v3 4/4] seccomp: add support for passing fds via USER_NOTIF
Message-ID: <20180602181823.GC15998@cisco>
References: <20180531144949.24995-1-tycho@tycho.ws> <20180531144949.24995-5-tycho@tycho.ws>
List-ID: linux-kernel@vger.kernel.org

Hi Jann,

Thanks for taking a look!

On Sat, Jun 02, 2018 at 03:13:39PM +0200, Jann Horn wrote:
> On Sat, Jun 2, 2018 at 2:58 PM Tycho Andersen wrote:
> > The idea here is that the userspace handler should be able to pass an fd
> > back to the trapped task, for example so it can be returned from socket().
> >
> > I've proposed one API here, but I'm open to other options.
> > In particular, this only lets you return an fd from a syscall, which may
> > not be enough in all cases. For example, if an fd is written to an output
> > parameter instead of returned, the current API can't handle this. Another
> > case is that netlink takes as input fds sometimes (IFLA_NET_NS_FD, e.g.).
> > If netlink ever decides to install an fd and output it, we wouldn't be
> > able to handle this either.
> >
> > Still, the vast majority of interesting cases are covered by this API, so
> > perhaps it is Enough.
> >
> > I've left it as a separate commit for two reasons:
> > * It illustrates the way in which we would grow struct seccomp_notif and
> >   struct seccomp_notif_resp without using netlink
> > * It shows just how little code is needed to accomplish this :)
> [...]
> > + fd = get_unused_fd_flags(n.flags);
>
> Here, you're using n.flags in a context where it will be tested
> against O_CLOEXEC to determine whether the new fd should be
> close-on-exec.
>
> [...]
> > + /*
> > + * This is a little hokey: we need a real fget() (i.e. not
> > + * __fget_light(), which is what fdget does), but we also need
> > + * the flags from strcut fd. So, we get it, put it, and get it
> > + * again for real.
> > + */
> > + fd = fdget(resp.fd);
> > + knotif->flags = fd.flags;
> > + fdput(fd);
> > +
> > + knotif->file = fget(resp.fd);
> > + if (!knotif->file) {
> > + ret = -EBADF;
> > + goto out;
> > + }
>
> But here fd.flags contains the low 2 bits of the return value of
> __fget_light, which are either 0 or FDPUT_FPUT (encoded as 1). This
> flag states whether fdget() took a reference on the file, which is
> mostly equivalent to "is the current process multithreaded?". (This is
> the reason why fdget returns flags and fget doesn't - the flag from
> fdget is to decide whether you'll need an fput(), which is
> unconditional for fget().)

Oof, yes.
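Review bot: in the `fd = get_unused_fd_flags(n.flags);` hunk, n.flags reaches get_unused_fd_flags() unvalidated, and that helper only tests the O_CLOEXEC bit, so any other bit set by the supervisor is silently ignored instead of rejected. If n.flags carries what the later hunk stores in knotif->flags (0 or FDPUT_FPUT, i.e. 1), as the reply indicates, O_CLOEXEC can never be set and the trapped task always receives a non-close-on-exec descriptor. Mask the field to the bits the API means to support and fail on the rest, e.g. `if (n.flags & ~O_CLOEXEC) return -EINVAL;` ahead of the call, so the flags word can grow in later versions without old kernels accepting unknown bits.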
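Review bot: in the fdget()/fdput()/fget() hunk, `knotif->flags = fd.flags;` records the FDPUT_FPUT reference bit rather than the descriptor's close-on-exec state, as the reply says, and the get/put/get sequence is also racy: between fdput(fd) and fget(resp.fd) another thread of the supervisor can close() or dup2() over resp.fd, so the flags and the file can come from two different descriptors. A single fget(resp.fd) is enough to take the reference; the flags the trapped task wants belong in struct seccomp_notif_resp, and if the supervisor's own FD_CLOEXEC bit were ever needed, get_close_on_exec(resp.fd) reads it without the double lookup. The comment also misspells "strcut fd".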
> Apart from this issue, I think that in general, it's probably not a
> good idea to copy the close-on-exec flag from the fd in the
> supervising process - the supervising process might want all the fds
> it is working with to be O_CLOEXEC independent of whether the
> supervised process wants an O_CLOEXEC fd. It might make sense to add a
> field for this to struct seccomp_notif_resp instead.

Yes, I wondered about this. In particular, maybe it just makes sense to
pass back the exact flags that the FD should be opened with too, so if
in the future there's some other flag we might want to twiddle, we
don't need another patch.

I'll make the change for v4.

Thanks!

Tycho
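The point argued in the last exchange above, that close-on-exec belongs to the descriptor slot the receiving side creates and so must be chosen by whoever installs the fd rather than copied from the supervisor's table, is shown below in an added example that is not code from the patch or from the thread. It uses the userspace analogues of the kernel operation: dup() within one process, where the source slot's FD_CLOEXEC does not travel with the file, and SCM_RIGHTS over a socketpair(), where the receiver picks MSG_CMSG_CLOEXEC in the same way a flags field in seccomp_notif_resp would let the handler pick it for the trapped task. It assumes a Linux host with /dev/null available.

```c
/* Added example, not code from the patch or the thread: close-on-exec is a
 * property of the descriptor-table slot, not of the file, so whoever
 * installs a new fd must choose it. Assumes Linux and that /dev/null exists. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef MSG_CMSG_CLOEXEC
#define MSG_CMSG_CLOEXEC 0x40000000 /* value from the Linux uapi headers */
#endif

/* Control buffer sized and aligned for exactly one passed fd. */
union fd_cmsg { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* 1 if FD_CLOEXEC is set on fd, 0 if clear, -1 on error (e.g. bad fd). */
static int has_cloexec(int fd)
{
    int fl = fcntl(fd, F_GETFD);
    return fl < 0 ? -1 : !!(fl & FD_CLOEXEC);
}

/* dup() puts the same file in a fresh slot; the source slot's flag stays behind. */
int cloexec_after_dup(void)
{
    int fd = open("/dev/null", O_RDONLY | O_CLOEXEC);
    int nfd = fd < 0 ? -1 : dup(fd);
    int r = has_cloexec(nfd);
    if (nfd >= 0) close(nfd);
    if (fd >= 0) close(fd);
    return r;
}

/* msghdr for a one-byte payload plus one fd's worth of ancillary data. */
static void init_fd_msg(struct msghdr *msg, struct iovec *iov, union fd_cmsg *u)
{
    memset(msg, 0, sizeof(*msg));
    memset(u, 0, sizeof(*u));
    msg->msg_iov = iov;
    msg->msg_iovlen = 1;
    msg->msg_control = u->buf;
    msg->msg_controllen = sizeof(u->buf);
}

/* SCM_RIGHTS sender. Returns 0 on success, -1 on error. */
static int send_fd(int sock, int fd)
{
    char byte = 'x';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fd_cmsg u;
    struct msghdr msg;
    struct cmsghdr *cm;
    init_fd_msg(&msg, &iov, &u);
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* SCM_RIGHTS receiver: recv_flags is 0 or MSG_CMSG_CLOEXEC, so this side,
 * not the sender, decides the new slot's flag. Returns the fd or -1. */
static int recv_fd(int sock, int recv_flags)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fd_cmsg u;
    struct msghdr msg;
    struct cmsghdr *cm;
    int fd;
    init_fd_msg(&msg, &iov, &u);
    if (recvmsg(sock, &msg, recv_flags) != 1)
        return -1;
    cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
        return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Pass an O_CLOEXEC fd over a socketpair and report FD_CLOEXEC on the
 * received copy: 0 without MSG_CMSG_CLOEXEC, 1 with it, -1 on error. */
int cloexec_after_scm_rights(int recv_flags)
{
    int sv[2], fd, nfd, r;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    fd = open("/dev/null", O_RDONLY | O_CLOEXEC);
    nfd = (fd >= 0 && send_fd(sv[0], fd) == 0) ? recv_fd(sv[1], recv_flags) : -1;
    r = has_cloexec(nfd);
    if (nfd >= 0) close(nfd);
    if (fd >= 0) close(fd);
    close(sv[0]);
    close(sv[1]);
    return r;
}
```

cloexec_after_dup() returns 0 even though the source descriptor was opened O_CLOEXEC, and cloexec_after_scm_rights() returns 0 or 1 purely according to the receiver's recv_flags: the sender's slot flag is never consulted. That is the same split the thread settles on for USER_NOTIF, with the supervisor's fd table providing only the struct file and the response carrying the flags for the trapped task's new slot.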