From: Jann Horn
Date: Fri, 22 Jun 2018 01:34:18 +0200
Subject: Re: [PATCH v4 4/4] seccomp: add support for passing fds via USER_NOTIF
To: Tycho Andersen
Cc: Kees Cook, kernel list, containers@lists.linux-foundation.org, Linux API, Andy Lutomirski, Oleg Nesterov, "Eric W. Biederman", "Serge E. Hallyn", Christian Brauner, Tyler Hicks, suda.akihiro@lab.ntt.co.jp, "Tobin C. Harding"
In-Reply-To: <20180621220416.5412-5-tycho@tycho.ws>
References: <20180621220416.5412-1-tycho@tycho.ws> <20180621220416.5412-5-tycho@tycho.ws>
List-ID: linux-kernel@vger.kernel.org

On Fri, Jun 22, 2018 at 12:05 AM Tycho Andersen wrote:
>
> The idea here is that the userspace handler should be able to pass an fd
> back to the trapped task, for example so it can be returned from socket().
[...]
> +Userspace can also return file descriptors. For example, one may decide to
> +intercept ``socket()`` syscalls, and return some file descriptor from those
> +based on some policy. To return a file descriptor, the ``return_fd`` member
> +should be non-zero, the ``fd`` argument should be the fd in the listener's
> +table to send to the tracee (similar to how ``SCM_RIGHTS`` works), and
> +``fd_flags`` should be the flags that the fd in the tracee's table is opened
> +with (e.g. ``O_EXCL`` or similar).
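Review bot: the ``fd_flags`` example in this documentation hunk is wrong: ``O_EXCL`` is an open(2) file-creation flag and has no meaning for a descriptor being installed into another task's fd table. If ``fd_flags`` holds file descriptor flags, the only value that makes sense is ``O_CLOEXEC``, so the sentence should say "``O_CLOEXEC``" instead of "``O_EXCL`` or similar", and the paragraph should name the struct that the ``return_fd``, ``fd`` and ``fd_flags`` members belong to, since it currently introduces them without one.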
fd_flags only contains file descriptor flags (meaning only O_CLOEXEC). O_EXCL is a file creation flag, so setting it here wouldn't make sense. Setting file status flags like O_APPEND does make sense, but those are stored in the `struct file` and don't need to be passed separately; the caller can e.g. set them via fcntl(fd, F_SETFD, flags) or on open(). (The fcntl.2 manpage explains these.)
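An added example, not code from this thread or from the seccomp patch, that shows the scoping Jann is describing: FD_CLOEXEC is a property of one slot in the descriptor table (F_GETFD/F_SETFD) and is not carried over to a dup() of the fd, whereas a file status flag such as O_APPEND (F_GETFL/F_SETFL) lives in the shared struct file and is visible through every descriptor that refers to it, which is why a listener installing an fd into the tracee only ever has O_CLOEXEC to decide about. The scratch file under /tmp is constructed for the demonstration and the enum names are assumptions of this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Observations made by probe_flag_scope(); it returns an OR of these. */
enum {
    ORIG_CLOEXEC  = 1 << 0, /* FD_CLOEXEC set on the original descriptor */
    DUP_CLOEXEC   = 1 << 1, /* FD_CLOEXEC set on a plain dup() of it */
    ORIG_APPEND   = 1 << 2, /* O_APPEND set on the original descriptor */
    DUP_APPEND    = 1 << 3, /* O_APPEND set on the dup() */
    DUPFD_CLOEXEC = 1 << 4, /* FD_CLOEXEC set on an F_DUPFD_CLOEXEC copy */
};

/* Opens a scratch file (constructed for the demo, unlinked right away),
 * marks the original fd close-on-exec with F_SETFD (a per-descriptor flag),
 * sets O_APPEND with F_SETFL (a file status flag kept in the struct file),
 * then creates two more descriptors for the same open file: a plain dup(),
 * which starts with cleared fd flags, and one made with F_DUPFD_CLOEXEC,
 * which is how a receiver asks for close-on-exec on a freshly installed fd.
 * Returns -1 if any step fails. */
int probe_flag_scope(void)
{
    char path[] = "/tmp/fdflags-XXXXXX";
    int result = 0, fd, d1 = -1, d2 = -1, fl;

    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);

    if (fcntl(fd, F_SETFD, FD_CLOEXEC) < 0)
        goto fail;
    fl = fcntl(fd, F_GETFL);
    if (fl < 0 || fcntl(fd, F_SETFL, fl | O_APPEND) < 0)
        goto fail;

    d1 = dup(fd);                       /* same struct file, fd flags cleared */
    d2 = fcntl(fd, F_DUPFD_CLOEXEC, 0); /* same struct file, FD_CLOEXEC set */
    if (d1 < 0 || d2 < 0)
        goto fail;

    if (fcntl(fd, F_GETFD) & FD_CLOEXEC) result |= ORIG_CLOEXEC;
    if (fcntl(d1, F_GETFD) & FD_CLOEXEC) result |= DUP_CLOEXEC;
    if (fcntl(fd, F_GETFL) & O_APPEND)   result |= ORIG_APPEND;
    if (fcntl(d1, F_GETFL) & O_APPEND)   result |= DUP_APPEND;
    if (fcntl(d2, F_GETFD) & FD_CLOEXEC) result |= DUPFD_CLOEXEC;
    goto done;
fail:
    result = -1;
done:
    if (d2 >= 0) close(d2);
    if (d1 >= 0) close(d1);
    close(fd);
    return result;
}

int main(void)
{
    int r = probe_flag_scope();
    if (r < 0) {
        perror("probe_flag_scope");
        return 1;
    }
    printf("original fd:      cloexec=%d append=%d\n",
           !!(r & ORIG_CLOEXEC), !!(r & ORIG_APPEND));
    printf("dup():            cloexec=%d append=%d\n",
           !!(r & DUP_CLOEXEC), !!(r & DUP_APPEND));
    printf("F_DUPFD_CLOEXEC:  cloexec=%d\n", !!(r & DUPFD_CLOEXEC));
    return 0;
}
```

The plain dup() sees O_APPEND but not FD_CLOEXEC, and the F_DUPFD_CLOEXEC copy gets FD_CLOEXEC only because the creating call asked for it; that is the same decision a seccomp listener has to make per installed descriptor, while O_APPEND and the other status flags travel with the struct file and need no separate field.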