Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp1334193imm; Fri, 22 Jun 2018 14:52:26 -0700 (PDT) X-Google-Smtp-Source: ADUXVKLJusACtGtyBYX80Y8MZAq2kVX5n25J411FOj001dZS5PwE/iJ9iYYYDYPfPVWSpH+JcXTw X-Received: by 2002:aa7:80cf:: with SMTP id a15-v6mr3402522pfn.19.1529704346052; Fri, 22 Jun 2018 14:52:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1529704346; cv=none; d=google.com; s=arc-20160816; b=xEac7igZOLLDxd1B5RZfEQ5JW5/28oAJ1rWzhIbaNjSkU2q5BecCfZ4QnrXHPpnd+L /EZDYV7t96GIHGillVX4JJ5t2F1w7yHtOcURE0nBaY0EkY7+gHF8V26Rsz4vXozdZpeY IO6nOWEUFgLOAOSvt7oPWdaN5qzVJZl6cCsJqEZE8Bmj3j6gkJ/0QTPYs3CIKwO1ePaq j/zbLLsakgrPovOUHJ9PmPtjKCK9PcRphqPqTgLcO80M02u9zc5P5y65w6cd3k0hySR8 h9pfmtZR2mem/gQE3gGT95Ur2f0k3pVqBWNTqMxy1oPfZxJcaGWanWRQhUbW7ALYWpbf gwzQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:references:in-reply-to:mime-version :dkim-signature:dkim-signature:arc-authentication-results; bh=/I2+lEnClb0G8zFqfbDfDPry7tyx3pjpR0MTIS7iIFU=; b=01LJSqlQktVpwhEes79nSYjvWP6rJUdCqIw1DUBYRIzO5FNnxWrafMEwjvzuRyiHb/ BsMS0ITxiV0M5rM/Yyxfj+DlAXK/gYHGDckr2LuNCa8g0jjgqpRrIpsBw/orz12bu+UI y2MZjtlFVnchX7EloiQHT5xYnWaM+5+VVYy0dTrMZpRkly7ac0HbY2ExO4TQnKmZgAEN 57nPA5jKVtDNLT4KiZyHAAJRJPVMLrGvBTmmEUs9RXuQGlAwKChKTtKO2XSiC3f/KnkN NUafSOnY9seAEZM0twuS2yNqQu8YIEM2zqf6eDEIS1xuMeameyP8g6hdYDmgxK/h75Bo SEEA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=ZmRqh6PH; dkim=fail header.i=@chromium.org header.s=google header.b=IVG1wUsH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m9-v6si7156405pgr.148.2018.06.22.14.52.11; Fri, 22 Jun 2018 14:52:26 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=ZmRqh6PH; dkim=fail header.i=@chromium.org header.s=google header.b=IVG1wUsH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754638AbeFVVv0 (ORCPT + 99 others); Fri, 22 Jun 2018 17:51:26 -0400 Received: from mail-yw0-f195.google.com ([209.85.161.195]:43590 "EHLO mail-yw0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754220AbeFVVvZ (ORCPT ); Fri, 22 Jun 2018 17:51:25 -0400 Received: by mail-yw0-f195.google.com with SMTP id r19-v6so2879206ywc.10 for ; Fri, 22 Jun 2018 14:51:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-transfer-encoding; bh=/I2+lEnClb0G8zFqfbDfDPry7tyx3pjpR0MTIS7iIFU=; b=ZmRqh6PH/3xvVHMHLWtWoY4W2SMKhL4kWVgtccGoXJ5HD4j+Vreu0vXbS1R2KD48ZD i8NeUPvL16YZ+6gVSgP1wTeWaic/aRUT3eUhpro9F05qgD0b5hg9Ncp5vBJb2S85ZqL+ XE4ZmnuQX8aZiUnv8OxUAzzU6/oldrsmNznmgIad7647Z8dIXkptuaeWPj7RK46lyLJe qXBn2qmz5ZoXnektCfo7cg8UgR2HXxToXvvPF3lJ3v6Xj6ZkGeF5kwTIGkCZCbZK97tI 738RKZ6IUuPCqRBA4g9RrLyg3++iXvikDg81Xa7ANd+e7/JxQobJamGF4NZvqZmpCKV4 0n4A== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-transfer-encoding; bh=/I2+lEnClb0G8zFqfbDfDPry7tyx3pjpR0MTIS7iIFU=; b=IVG1wUsHxWnxBpiy+HEEQYUxeVIwHQ2Mc03EKa+bCUts5D4YJFZ9ZmVpiGzBVv/xbZ y3lMAJknG/rTDy1t7pFEStBVe6q4vuNzqlR74bJfiJwQIxp6k8sTuLeeFd894WunCAYG 7sIDr7kCUwskk9qXjDQS3+D2a3rcqy5eI+JLA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-transfer-encoding; bh=/I2+lEnClb0G8zFqfbDfDPry7tyx3pjpR0MTIS7iIFU=; b=PDJZ46ynRWZatTh+ZO3QSgGcaCi4v8ruEK2GjJT1s3izQK7QMVEkCExcWgCXSx/IIB PO1LXYsrgM9QPhlKMSswwbw1FGSgidg2GJV+mhx/e0ndY07bbBd3wECT0w6SFLnQFamt K3ChSnKbvdV6OgGR6sfsbFzkb9NXs/46IoHzi4TMQJaTOdFn+E9zwY+rUxmTcEt7mM4V 8GuG1XvWwZsfI35klp6991qZt8nyZ1z1ZBtfriQQHXatGn2KBtbxeiGhBwy/oTcY4EEJ xYUPmxC+6sHl/I+My/gccEmUm/K52jTXJ0BI3hdIc8L6/JCHadr3MxlAhi5PVf5iqAnO K30A== X-Gm-Message-State: APt69E3vueRCoQdS/bawPoF1S5PyolDRG2p09MopbpYgA6aCgjYJnw0C gFv1HuyoI/mEDGzG9fcYRscfh0cF2vpWHEIpaF+mXIgz X-Received: by 2002:a81:8743:: with SMTP id x64-v6mr1683810ywf.129.1529704284112; Fri, 22 Jun 2018 14:51:24 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a25:d6c5:0:0:0:0:0 with HTTP; Fri, 22 Jun 2018 14:51:23 -0700 (PDT) In-Reply-To: References: <20180621220416.5412-1-tycho@tycho.ws> <20180621220416.5412-2-tycho@tycho.ws> <20180622151514.GM3992@cisco> From: Kees Cook Date: Fri, 22 Jun 2018 14:51:23 -0700 X-Google-Sender-Auth: 2ViZdDwAPfq3WbwPCCZmxrvg9Mw Message-ID: Subject: Re: [PATCH v4 1/4] seccomp: add a return code to trap to userspace To: Andy Lutomirski Cc: Tycho Andersen , Jann Horn , kernel list , Linux Containers , Linux API , Oleg Nesterov , "Eric W. Biederman" , "Serge E. Hallyn" , Christian Brauner , Tyler Hicks , Akihiro Suda , "Tobin C. Harding" Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jun 22, 2018 at 11:09 AM, Andy Lutomirski wro= te: > One possible extra issue: IIRC /proc/.../mem uses FOLL_FORCE, which is no= t what we want here. > > How about just adding an explicit =E2=80=9Cread/write the seccomp-trapped= task=E2=80=99s memory=E2=80=9D primitive? That should be easier than a = =E2=80=9Copen mem fd=E2=80=9D primitive. Uuugh. Can we avoid adding another "read/write remote process memory" interface? The point of this series was to provide a lightweight approach to what should normally be possible via the existing seccomp+ptrace interface. I do like Jann's context idea, but I agree with Andy: it can't be a handle to /proc/$pid/mem, since it's FOLL_FORCE. Is there any other kind of process context id we can use for this instead of pid? There was once an idea of pid-fd but it never landed... This would let us get rid of the "id" in the structure too. And if that existed, we could make process_vm_*v() safer too (taking a pid-fd instead of a pid). -Kees --=20 Kees Cook Pixel Security