Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp184057imm; Thu, 21 Jun 2018 16:23:03 -0700 (PDT) X-Google-Smtp-Source: ADUXVKIKEPb8hxMJtMh1a2hqe0X2hST9RlajylGaYbY1S5ayd+ndUQ3ZITUFuh8Uc5QqhnLRhM/V X-Received: by 2002:a63:ba18:: with SMTP id k24-v6mr7198179pgf.145.1529623382999; Thu, 21 Jun 2018 16:23:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1529623382; cv=none; d=google.com; s=arc-20160816; b=q7x+MICuehUNy5vaQ0jCcXXmdFAvNRrPsAcEldG9RB3i65iCfQZr2LsHZ95wafSVmE aRLSiwspFLuIiO00chiCpAWpM6YaN4KdJmGujiqFAZjVCRRC3xGx2yTJXnyVo1cT9b8l +urdZQpFAPOE//Odd1o5kWJ9lpkr3vJvO9ue0nYi4aC+isTr/wLj1gL5mREke5Iw+IlE 5nj5jWfFA8ANMVGujREYbqfSIhYy0cF7t5evYrFllSNER4ijmd+ahyNTLIuYYltMVYAd QDVkZu6QeZjL5vpiT9xaKvzmtCORdzQCHYYdjoo9TG7K522QaYvuWpilq1RaTw0RHg7l Y46Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature :arc-authentication-results; bh=kjossdpWt5D8KmkT2UMhykghlkFaPMSI50b15aLByC0=; b=hzUVpCjxFRfEPywhSGkUCP+HimeE/Sg5Vf+i9zH217lAxe9FZDEgElKDgqYCsR6W6Q GucH+6Wd7kM3YEZam6szKMkD6fAJivdemzq/j0hNhE9MeLO3VoyZbba4WWFr2LIPpT84 vNZdswFPzizLwiChMyJsQzBeJ9/Wasg5k3XtH9YcMkRVcxd6p59XWyFTrQoKQHAVCG6Z I/okOHXdqBHRD6XsXhBQ+vT9qrQVK0iFiwUoepD4yqdZLo1aKI6bMlc7CXY8HYzEF6ER taeXdAOPFoT2aSXExz550lmmu3Dfg7lZQ+xwsHNlA7RfQy4oQk+wIi+CeBpDSlu0WHv6 cz5w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=a46q2rFw; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o11-v6si4807999pgp.586.2018.06.21.16.22.48; Thu, 21 Jun 2018 16:23:02 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=a46q2rFw; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933127AbeFUXWB (ORCPT + 99 others); Thu, 21 Jun 2018 19:22:01 -0400 Received: from mail-ot0-f194.google.com ([74.125.82.194]:34420 "EHLO mail-ot0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932170AbeFUXV7 (ORCPT ); Thu, 21 Jun 2018 19:21:59 -0400 Received: by mail-ot0-f194.google.com with SMTP id r18-v6so5526730otk.1 for ; Thu, 21 Jun 2018 16:21:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kjossdpWt5D8KmkT2UMhykghlkFaPMSI50b15aLByC0=; b=a46q2rFwkUlsdmHRiRm+Uv/++8dsu5i79t9zM3QuhgAHrUplAEEAn7i1MZdiItRH/K 5Cyw9oXbc4MmUiRYRiONOwvEij5OVWURV+igQO6QD2Jf6OuTf4v+jmu5bZivbdcNSORq K5suLYcAyKbZL9mFqeLhbZYzUQQQgxeVOTmI/2z95WWW7OGkl/JYty6Tf4MUkJQAwjgA kQ/3vY3oSXAJMeJEFxxpe4TZmi5cGkFVlwqncYsGGcmbw138S0bPOqPWstMDUMnxVhuC VJNkd7+wmp8bX27Pn/cq8tFOJXPy2ljJUbA2+DUZeKt0svkRn1PNgX/19tZ3PVAz5UNy 9w7g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kjossdpWt5D8KmkT2UMhykghlkFaPMSI50b15aLByC0=; b=ljNMNwJt/JEJSNrVVVLi7AMI/Umf68sAN1K63b56zp2AvG9VJjOAtO2rrpH4Tpo3jf XJoMN4CP6nYwa4448+ykf+bmTQeelVdTeM2Sd9KvUPPlD8h465yzj46ABtLWjKbyN2Ey 8Db9tJkEXyKuRzq6L+KfdSgzq4wlAmcOGiI6ONjBq98UXtQs/RcrPb77+FND6fAJo5os 8X4hCfL36ZMK797TEn2g78C8Vp0PSuI7t9mE09ieJ1grVTLUvx4YK/X5Pclc6UiRdknd 1yvAWfDDp/qyf8mQBL/Qt5fT4RTFNEydeH8XxHujNIC4AS+GrRLhIiVVSt5rByi1+Uqk +6gQ== X-Gm-Message-State: APt69E2ZG9518IvjaolPoMrYlBdxDp56dFeIshiPQsM/yC+p+FKWjP7u 0ekQ7MFF3D4x9Urg0rAzKyiEJhpBUK/5Wk7XHHbZLQ== X-Received: by 2002:a9d:8ac:: with SMTP id 41-v6mr17833698otf.115.1529623318412; Thu, 21 Jun 2018 16:21:58 -0700 (PDT) MIME-Version: 1.0 References: <20180621220416.5412-1-tycho@tycho.ws> <20180621220416.5412-2-tycho@tycho.ws> In-Reply-To: <20180621220416.5412-2-tycho@tycho.ws> From: Jann Horn Date: Fri, 22 Jun 2018 01:21:47 +0200 Message-ID: Subject: Re: [PATCH v4 1/4] seccomp: add a return code to trap to userspace To: Tycho Andersen Cc: Kees Cook , kernel list , containers@lists.linux-foundation.org, Linux API , Andy Lutomirski , Oleg Nesterov , "Eric W. Biederman" , "Serge E. Hallyn" , Christian Brauner , Tyler Hicks , suda.akihiro@lab.ntt.co.jp, "Tobin C. Harding" Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jun 22, 2018 at 12:05 AM Tycho Andersen wrote: > > This patch introduces a means for syscalls matched in seccomp to notify > some other task that a particular filter has been triggered. [...] > +Userspace Notification > +====================== > + > +The ``SECCOMP_RET_USER_NOTIF`` return code lets seccomp filters pass a > +particular syscall to userspace to be handled. This may be useful for > +applications like container managers, which whish to intercept particular typo: "wish" [...] > +passed around via ``SCM_RIGHTS`` or similar. Alternativley, a filter fd can be typo: "Alternatively" [...] > +It is worth noting that ``struct seccomp_data`` contains the values of register > +arguments to the syscall, but does not contain pointers to memory. The task's > +memory is accessiable to suitably privileged traces via via ``ptrace()`` or Typo: "accessible" [...] > + > +static void seccomp_do_user_notification(int this_syscall, > + struct seccomp_filter *match, > + const struct seccomp_data *sd) > +{ > + int err; > + long ret = 0; > + struct seccomp_knotif n = {}; > + > + mutex_lock(&match->notify_lock); > + err = -ENOSYS; > + if (!match->has_listener) > + goto out; > + > + n.pid = task_pid(current); > + n.state = SECCOMP_NOTIFY_INIT; > + n.data = sd; > + n.id = seccomp_next_notify_id(match); > + init_completion(&n.ready); > + > + list_add(&n.list, &match->notifications); > + wake_up_poll(&match->wqh, EPOLLIN | EPOLLRDNORM); > + > + mutex_unlock(&match->notify_lock); > + up(&match->request); > + > + err = wait_for_completion_interruptible(&n.ready); > + mutex_lock(&match->notify_lock); > + > + /* > + * Here it's possible we got a signal and then had to wait on the mutex > + * while the reply was sent, so let's be sure there wasn't a response > + * in the meantime. > + */ > + if (err < 0 && n.state != SECCOMP_NOTIFY_REPLIED) { > + /* > + * We got a signal. Let's tell userspace about it (potentially > + * again, if we had already notified them about the first one). > + */ > + if (n.state == SECCOMP_NOTIFY_SENT) { > + n.state = SECCOMP_NOTIFY_INIT; > + up(&match->request); > + } > + mutex_unlock(&match->notify_lock); > + err = wait_for_completion_killable(&n.ready); Does this mean that when you get a signal that isn't SIGKILL, wait_for_completion_interruptible() will bail out with -ERESTARTSYS, but then you hang on this wait_for_completion_killable()? I don't understand what's going on here. What's the point of using wait_for_completion_interruptible() when you'll just hang on another wait on the same "struct completion"? > + mutex_lock(&match->notify_lock); > + if (err < 0) > + goto remove_list; > + } > + > + ret = n.val; > + err = n.error; > + > +remove_list: > + list_del(&n.list); > +out: > + mutex_unlock(&match->notify_lock); > + syscall_set_return_value(current, task_pt_regs(current), > + err, ret); > +}