Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp4546141imm; Mon, 25 Jun 2018 18:33:22 -0700 (PDT) X-Google-Smtp-Source: ADUXVKJLSDW6O/frhCzTfkWQAwNvOLws8Q4/sJzyYA95WVr/STZ1Xa/284gz+xWQOOOwMI+4sZy0 X-Received: by 2002:a65:4a92:: with SMTP id b18-v6mr12323967pgu.107.1529976802194; Mon, 25 Jun 2018 18:33:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1529976802; cv=none; d=google.com; s=arc-20160816; b=Ui92Tz93hbAmzoqfMbmrzlxVM/AfiIQpVDsQnH+99AJBvHirLQta1tEjRV3wpPPvb7 S+3kCke74MuFMnrqeF7+eNgqtegN9aMUd7RH9Y7guRtGhIXKIwdiMv6la4MRvpW5EYqR 0o7hlohDMR4e3lLCOpv7AdYQXwpDlzJhtUPjSLh2rOqpl7wET/q1HS8zs433C2X0iweJ AdGcWIkfnZ+/PEsjY2UDkmz6fQePUuszhczvYEe8o24XsvuNCXI4fnxS1KzkProm/6k/ nS5cKFOaM9RuY01aNOFtigbiDCJH/ltLtqJhXsJTxQNBrDojqR39mgPE1nlAUKutnASh COXw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature :arc-authentication-results; bh=vdbmf8N7kpZxNR4Bgi3lDwsCruA6bMNnC16SPX4GO6o=; b=Qtad/hgv0L1sNyCVyrVl/N8413TeFuehtglUqKbYgxqj9DqAPCefCeuLTokS/V6tpD YmzW1dAXlqIiZo/iFfF/ak8hk1B1WVIYxT79ieKobMTrGz0jc7jbjDNIpvQzwVEtopUT 8BjL6gYZ4c55C0YDOt1RqB8rdrIeeVcOOaSy+3NdA6t0xfKCIcJDIeuJmoUrA8UagRLd 6HZfd2eVX2zLbqiRwoheyOTtk/LLkTyvGrDeOH506xdu2XISV7KdgwiuJIiD56mcgLO5 myeMqXGdQmkT+4b6pbuceRIPmWE+LPR5Di5T2LaIUW0bZkg9iB1TTq1orEyYDm3Cx6ZM YkGA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@tycho-ws.20150623.gappssmtp.com header.s=20150623 header.b=s9M61WXu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g10-v6si318123pgv.315.2018.06.25.18.33.07; Mon, 25 Jun 2018 18:33:22 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@tycho-ws.20150623.gappssmtp.com header.s=20150623 header.b=s9M61WXu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S935148AbeFZBcL (ORCPT + 99 others); Mon, 25 Jun 2018 21:32:11 -0400 Received: from mail-pg0-f65.google.com ([74.125.83.65]:43692 "EHLO mail-pg0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934543AbeFZBcJ (ORCPT ); Mon, 25 Jun 2018 21:32:09 -0400 Received: by mail-pg0-f65.google.com with SMTP id a14-v6so6853302pgw.10 for ; Mon, 25 Jun 2018 18:32:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tycho-ws.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to :user-agent; bh=vdbmf8N7kpZxNR4Bgi3lDwsCruA6bMNnC16SPX4GO6o=; b=s9M61WXuKCVhIyIcmzzQBtmLDx9Qi0MGxRMGx7LwyTFe2Q9RYcagTRRnV0SDeAmUzY 6TAlbB+D8Cd4fOfXK67tkJSz7qgkyT/x1O8HBSxpVMg/G2Z4iP17kUev/BVLFZLp6AcK KcESa/H9ksC1D+MIAoE3cucG1n/S2rQCNbvW4JYjTdQc+bn3lOJshZn4acqS62KNReVo pWWIwRD1384TIkcpH20++gB0Qg7FSCniphPI9Q5W0tFtMORO0cKE8TlrYc0hi6X3zDlc qfuKA+efl6kAKovn98tYMlHkgR4PgOWOuvdG3Lk0p3hl5uUeFDuheYkPNGN9eKSyv79e 4kNw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to:user-agent; bh=vdbmf8N7kpZxNR4Bgi3lDwsCruA6bMNnC16SPX4GO6o=; b=ptd/vZjPpHiaSDJ3iv+Ga543HRicq0ABkv2XFUZF1ULnTrOd675j0aUm6DRWdf/VtP lXC57FQ1j7my9INgsFsBgJg4T6Pl568YY16kBxb8o0XK4RMHFyNETQgmYur1/ntoZzpa vCxebwLUgdVZhCST8V++v1QsSzjkRNX1b/rdNIVQqfFunzuubCu0cZwEt2UzDSohY7km zOsvOLzxfqihZy7hwMVIFy5lN3vAOPnqziYnhMpk6QFb7xwS3ut5wzb+Yh0unQwNGSIC nfQifuWm9BTwJV6cU3tsNg8PGUtgcNGcBS6dMYR17sk1ruhD5cXRK2Ui9YyJ2wupp8LI pVZQ== X-Gm-Message-State: APt69E1kdscomriintY2+7AG2tREk1d+01pCJ87p76T1pLfjlPLGWT14 Tq4JO9Nq617L9EC27gTLUEqXKw== X-Received: by 2002:a65:4a92:: with SMTP id b18-v6mr12321122pgu.107.1529976728595; Mon, 25 Jun 2018 18:32:08 -0700 (PDT) Received: from cisco.cisco.com ([128.107.241.191]) by smtp.gmail.com with ESMTPSA id y22-v6sm388894pfi.166.2018.06.25.18.32.06 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 25 Jun 2018 18:32:07 -0700 (PDT) Date: Mon, 25 Jun 2018 19:32:04 -0600 From: Tycho Andersen To: Jann Horn Cc: Kees Cook , Andy Lutomirski , kernel list , containers@lists.linux-foundation.org, Linux API , Oleg Nesterov , "Eric W. Biederman" , "Serge E. Hallyn" , Christian Brauner , Tyler Hicks , suda.akihiro@lab.ntt.co.jp, "Tobin C. Harding" Subject: Re: [PATCH v4 1/4] seccomp: add a return code to trap to userspace Message-ID: <20180626013204.GA7261@cisco.cisco.com> References: <20180621220416.5412-1-tycho@tycho.ws> <20180621220416.5412-2-tycho@tycho.ws> <20180622151514.GM3992@cisco> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: Mutt/1.9.4 (2018-02-28) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Jun 23, 2018 at 12:27:43AM +0200, Jann Horn wrote: > On Fri, Jun 22, 2018 at 11:51 PM Kees Cook wrote: > > > > On Fri, Jun 22, 2018 at 11:09 AM, Andy Lutomirski wrote: > > > One possible extra issue: IIRC /proc/.../mem uses FOLL_FORCE, which is not what we want here. > > Uuugh, I forgot about that. > > > > How about just adding an explicit “read/write the seccomp-trapped task’s memory” primitive? That should be easier than a “open mem fd” primitive. > > > > Uuugh. Can we avoid adding another "read/write remote process memory" > > interface? The point of this series was to provide a lightweight > > approach to what should normally be possible via the existing > > seccomp+ptrace interface. I do like Jann's context idea, but I agree > > with Andy: it can't be a handle to /proc/$pid/mem, since it's > > FOLL_FORCE. Is there any other kind of process context id we can use > > for this instead of pid? There was once an idea of pid-fd but it never > > landed... This would let us get rid of the "id" in the structure too. > > And if that existed, we could make process_vm_*v() safer too (taking a > > pid-fd instead of a pid). > > Or make a duplicate of /proc/$pid/mem that only differs in whether it > sets FOLL_FORCE? The code is basically already there... something like > this: But we want more than just memory access, I think. rootfs access, ns fds, etc. all seem like they might be useful, and racy to open. I guess I see two options: use the existing id and add something to seccomp() to ask if it's still valid or independent of this patchset add some kind of pid id :\ Tycho