Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp1362159imm;
        Fri, 22 Jun 2018 15:28:54 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKIVVTmTqgFAEevzgPgHeC5D1lwREWz0iuVoALpnveai1sXggZG5c/6dHkXiB51ab3enZZu4
X-Received: by 2002:a65:4389:: with SMTP id m9-v6mr2910125pgp.383.1529706533962;
        Fri, 22 Jun 2018 15:28:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1529706533; cv=none;
        d=google.com; s=arc-20160816;
        b=0dyS0g6D0LnyVejVIGv4jG7HvGIWbquQGqbdgHM5aJWB5WBLjU/ds6N5J7K8pdAQes
         SzeFLUBIokNiot/lla98KGhiNuCKah6zl/94XauUNdysaCJLnJEMF9xYNFFnhfUj/gM3
         hLFxyIHM3mbIomvvbmsmBFKvMC6PLDOGmbzSxvSerEUblziJ2LGtt5SGzfnsZcugNqU6
         eP4ICf9i2Nt5gb9ox0B7NAO0rg/o2QStVeja4diHcz2DRcRuUHmDOMU8vSUAeKFyPQX6
         sbG38iIZbBcmsEBdvlGpxtMhl02RHVIFIxvzA93tGt80P56EhrsLvFWtNz+qG3D3aGeC
         qIkw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature:arc-authentication-results;
        bh=5GcbRm6HzPO4iWWcYRomDO/imqkOEksleLhNqIxIHSk=;
        b=yUJdQhiwCf4g744Tkjn3jrmYedbo/xA2e9AZABGSSXsMIyYK+JzhKh8HYNOImhy1Oj
         7UtrG9F40tkF9hBC26NkoQpY5lBtulVqp6GELyIdzDAxQOo89GvUkEloucXyRH5wF1bU
         RmsBblxbswfgyJZeYJZEBjUNgq6QNoGsxVcKaSi7MrxFODFX0WYw7rrnHsa+s5TtQCuH
         FnApsiDV+UVcTn2mLyD8AFT5PI27utsvpkxHJBPuJfpWAKZ4q4VTOaFGET6oTaU1zjq6
         Bz6ozEhQKMkaqEHMuau+lW/wDM79Ddg4oaFHdYOOO0s7DGhfb0Zr5r2ecDnaIgd/9HVH
         xkjw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=AXA+LJyj;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e9-v6si6840897pgo.397.2018.06.22.15.28.37;
        Fri, 22 Jun 2018 15:28:53 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=AXA+LJyj;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S933883AbeFVW16 (ORCPT <rfc822;brice.berna@gmail.com>
        + 99 others); Fri, 22 Jun 2018 18:27:58 -0400
Received: from mail-ot0-f196.google.com ([74.125.82.196]:32779 "EHLO
        mail-ot0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932918AbeFVW14 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 22 Jun 2018 18:27:56 -0400
Received: by mail-ot0-f196.google.com with SMTP id h6-v6so9176542otj.0
        for <linux-kernel@vger.kernel.org>; Fri, 22 Jun 2018 15:27:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=5GcbRm6HzPO4iWWcYRomDO/imqkOEksleLhNqIxIHSk=;
        b=AXA+LJyjvFGpjfGPUA82Gu72EmhUaOkc9FulD7gs3hISPXtbuunYY4XcvhkxTpWrWA
         V7t+dH0sk1cP740jBLIx168GTabE3qUOHtljM9tGTz40y/JwcJpSF40K9kXMh1GJWafP
         kkh+AJrkHobQg+8meY7x/vmLpEY8ZWqWea90VxxmBLm4rTomS1mWj2fde8GCShZXCndn
         XR6lwaL2fTbI/WdVeLdCRfXTqzQgd3jiuG/lMU0exCruswv7/zINW3iD8+elV7IGvaR8
         tiDjfNf5612laDVJFZqjgbjsmSfI0i5B60ZPKfd4lHKnFvLuVuSCd/P7vJiEqiIL+THw
         KljQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=5GcbRm6HzPO4iWWcYRomDO/imqkOEksleLhNqIxIHSk=;
        b=N+Qlsn1NBjLifA3SI7QJUTXCO3tiqhGSy5RpMf88LMDsnaja8LpX5FxElwK5KVyppa
         mplWdY0hVJz2H2lPR1jwHI2zLPJPv8gdfrm+OtJjwd6aYTb5IbjY04V0YWV/QwIYhWmH
         fXYBIEyyiFGXqKoLOD9uw/GOj6u7Mb+FSlKVZK7qk6nVTC5xAeWiffbINju7BQOxqeUG
         ecWvftXNBKhvhapUkdbWcGpA4uwqBgSg8R8A0Fekw0mb25UfPfGqiHbYYgYyTaCAJjbv
         wHADGca/0bCjTWv1mq32OpRqrrwNWhVU3kUkE4rRknTIH6A8d7e+lyEdMgE/8rhXJFGk
         oJMQ==
X-Gm-Message-State: APt69E2XpCYT5aaWFvBZgRMuzo7WhZcj3jg0LdjWwhb666LATDBbv7kw
        LrCRWFr5XB44Kv4FC9VvirLh1Ia0Oxodf4VBebnRkg==
X-Received: by 2002:a9d:8ac:: with SMTP id 41-v6mr2186587otf.115.1529706475596;
 Fri, 22 Jun 2018 15:27:55 -0700 (PDT)
MIME-Version: 1.0
References: <20180621220416.5412-1-tycho@tycho.ws> <20180621220416.5412-2-tycho@tycho.ws>
 <CAG48ez3Ek_KG54ejR=Q=XtW_HDs8hQ+cgFODzn4rQ0nVDVpODg@mail.gmail.com>
 <20180622151514.GM3992@cisco> <E8029AD7-7009-4CBF-911E-186328237176@amacapital.net>
 <CAGXu5jKWQCDzXPdTz=+bxT9+4enaBvgYfMseUiGti+t1KwZT8g@mail.gmail.com>
In-Reply-To: <CAGXu5jKWQCDzXPdTz=+bxT9+4enaBvgYfMseUiGti+t1KwZT8g@mail.gmail.com>
From:   Jann Horn <jannh@google.com>
Date:   Sat, 23 Jun 2018 00:27:43 +0200
Message-ID: <CAG48ez3gobTL5mUnZKjhLedotZx49nGrxYKKud5_7+512PaOFw@mail.gmail.com>
Subject: Re: [PATCH v4 1/4] seccomp: add a return code to trap to userspace
To:     Kees Cook <keescook@chromium.org>
Cc:     Andy Lutomirski <luto@amacapital.net>,
        Tycho Andersen <tycho@tycho.ws>,
        kernel list <linux-kernel@vger.kernel.org>,
        containers@lists.linux-foundation.org,
        Linux API <linux-api@vger.kernel.org>,
        Oleg Nesterov <oleg@redhat.com>,
        "Eric W. Biederman" <ebiederm@xmission.com>,
        "Serge E. Hallyn" <serge@hallyn.com>,
        Christian Brauner <christian.brauner@ubuntu.com>,
        Tyler Hicks <tyhicks@canonical.com>,
        suda.akihiro@lab.ntt.co.jp, "Tobin C. Harding" <me@tobin.cc>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jun 22, 2018 at 11:51 PM Kees Cook <keescook@chromium.org> wrote:
>
> On Fri, Jun 22, 2018 at 11:09 AM, Andy Lutomirski <luto@amacapital.net> w=
rote:
> > One possible extra issue: IIRC /proc/.../mem uses FOLL_FORCE, which is =
not what we want here.

Uuugh, I forgot about that.

> > How about just adding an explicit =E2=80=9Cread/write the seccomp-trapp=
ed task=E2=80=99s memory=E2=80=9D primitive?  That should be easier than a =
=E2=80=9Copen mem fd=E2=80=9D primitive.
>
> Uuugh. Can we avoid adding another "read/write remote process memory"
> interface? The point of this series was to provide a lightweight
> approach to what should normally be possible via the existing
> seccomp+ptrace interface. I do like Jann's context idea, but I agree
> with Andy: it can't be a handle to /proc/$pid/mem, since it's
> FOLL_FORCE. Is there any other kind of process context id we can use
> for this instead of pid? There was once an idea of pid-fd but it never
> landed... This would let us get rid of the "id" in the structure too.
> And if that existed, we could make process_vm_*v() safer too (taking a
> pid-fd instead of a pid).

Or make a duplicate of /proc/$pid/mem that only differs in whether it
sets FOLL_FORCE? The code is basically already there... something like
this:

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 80aa42506b8b..e8a6a63046da 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -762,6 +762,8 @@ static int mem_open(struct inode *inode, struct file *f=
ile)
        return ret;
 }

+static const struct file_operations proc_mem_operations;
+
 static ssize_t mem_rw(struct file *file, char __user *buf,
                        size_t count, loff_t *ppos, int write)
 {
@@ -782,7 +784,10 @@ static ssize_t mem_rw(struct file *file, char __user *=
buf,
        if (!mmget_not_zero(mm))
                goto free;

-       flags =3D FOLL_FORCE | (write ? FOLL_WRITE : 0);
+       flags =3D (write ? FOLL_WRITE : 0);
+       if (file->f_op =3D=3D &proc_mem_operations) {
+               flags |=3D FOLL_FORCE;
+       }

        while (count > 0) {
                int this_len =3D min_t(int, count, PAGE_SIZE);
@@ -861,6 +866,14 @@ static const struct file_operations proc_mem_operation=
s =3D {
        .release        =3D mem_release,
 };

+static const struct file_operations proc_mem_noforce_operations =3D {
+       .llseek         =3D mem_lseek,
+       .read           =3D mem_read,
+       .write          =3D mem_write,
+       .open           =3D mem_open,
+       .release        =3D mem_release,
+};
+
 static int environ_open(struct inode *inode, struct file *file)
 {
        return __mem_open(inode, file, PTRACE_MODE_READ);
@@ -2916,6 +2929,7 @@ static const struct pid_entry tgid_base_stuff[] =3D {
        REG("numa_maps",  S_IRUGO, proc_pid_numa_maps_operations),
 #endif
        REG("mem",        S_IRUSR|S_IWUSR, proc_mem_operations),
+       REG("mem_noforce", S_IRUSR|S_IWUSR, proc_mem_noforce_operations),
        LNK("cwd",        proc_cwd_link),
        LNK("root",       proc_root_link),
        LNK("exe",        proc_exe_link),
@@ -3302,6 +3316,7 @@ static const struct pid_entry tid_base_stuff[] =3D {
        REG("numa_maps", S_IRUGO, proc_tid_numa_maps_operations),
 #endif
        REG("mem",       S_IRUSR|S_IWUSR, proc_mem_operations),
+       REG("mem_noforce",S_IRUSR|S_IWUSR, proc_mem_noforce_operations),
        LNK("cwd",       proc_cwd_link),
        LNK("root",      proc_root_link),
        LNK("exe",       proc_exe_link),