Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp4565432imm; Mon, 25 Jun 2018 19:01:58 -0700 (PDT) X-Google-Smtp-Source: ADUXVKIiHZQeHRtaNEYBJAu/YFIQaOcPb2Oyk5QsM+C6P/Db7j2h6QXk7dvC/eweTZv15mszZN+H X-Received: by 2002:a65:510c:: with SMTP id f12-v6mr12307965pgq.288.1529978518168; Mon, 25 Jun 2018 19:01:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1529978518; cv=none; d=google.com; s=arc-20160816; b=SGFxEk+4MF/pIUGzA6VXSgpFT+XR8cLwpwZ8pdDjWAbTlDw1K5PztGI3Li9X8SipDu 9L/bTChTj5kGNuuKLvWxHw001KcEdj9OogKXkSaBD3M+4e+RnIAfCF23HyeAqDuyz3mL LdaqNNa9mzM372do4MaKg2Ac/YInAXOmgnLdJ7dxQ6oInZ1p6a4Ewt1xfCQ4AfDmwyTl qlV1gIqP1e6028Nb2l5xQ1Cn+6/Yghn1Qs0btmYCm+L09kjgSrhRDEaEJm+b+WPw235S X8C8pRfMAVaheSYGu42PZIQsJvZJ+B/o74f0WYBRpwdvM0CCUhw4bQhzTs7LmTa/2Alz b8XA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version:dkim-signature:arc-authentication-results; bh=7bWEH+XZ1TAGDbOB3pS+qNO1MUYTuyv9m5DYMaFD9+s=; b=QpPv38tet9GcJ1HTkLotwIgGvQOPfK5HFK16qwA96hBrDWRnT3WMt7ileBsaZSrgWW TeBg62VWfYVrEvZPg80fodTT45ohLLRfVZUuYZpM45IfUE+u+//rLveTuomAzbeX+G+o qVtTImFmD9FikTArzP0irEKeY/IXgEjYJ+QSnjn/v/lU3VQW0hCY6wBxMrmo1ZV9ykj7 W5K/dXG7TRNrpPLX5qrqQwQE7Ptfa+Acm4asZ9PZKE5YFOqqlYn1x4af+yQ3uAPUqzt7 ltfcYZ4j8UfDO7rjvIBu9w8iW2AdxAlFt9fU0+iTJy3MpbvNJN3A3/X1ulyYSCwPxDXf tniw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=pLlOFOxG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x19-v6si463068plr.15.2018.06.25.19.01.43; Mon, 25 Jun 2018 19:01:58 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=pLlOFOxG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965100AbeFZCBD (ORCPT + 99 others); Mon, 25 Jun 2018 22:01:03 -0400 Received: from mail-pg0-f68.google.com ([74.125.83.68]:36871 "EHLO mail-pg0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S964843AbeFZCBB (ORCPT ); Mon, 25 Jun 2018 22:01:01 -0400 Received: by mail-pg0-f68.google.com with SMTP id o11-v6so1011412pgv.4 for ; Mon, 25 Jun 2018 19:01:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=7bWEH+XZ1TAGDbOB3pS+qNO1MUYTuyv9m5DYMaFD9+s=; b=pLlOFOxGXsZd+ptNgL7o85NYaHypwOPfKDopC5SM0y8tJyiwXKCrizvr3ZNLhl8+BG Vau9eWYsE3wmuzURKvp1RIW1NiXoP3pxZ2SqZcgVdSUbbBFtCxibWWSHpiU0BQxa/b5q 2Fu1SiShPUmWECL6F+dMmKXJH6KtcyEC47PuMuBuyIkCihYkhQNEJlT5TEb1c64tYh2D d3Y7nfrMVQXsrct5WASivTzePADcjuJ4dWZitq7zAQZNHqyn13CSUgAy2VxOVBzUq3yh fbaJLlbDiiHgittSPvP9sM0Ue3OkY5zWH4904qChOp92LheLXACJbMF5JBzn2eNCQoFF lGjg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=7bWEH+XZ1TAGDbOB3pS+qNO1MUYTuyv9m5DYMaFD9+s=; b=CjT0XlB1KgpVUj5JEJ+nzus174bChqcxHC9lcSW92/ylt+zpboXmNm4MGLtSdIxlHq /ENGVJIoV6wnJjc05DK+W9QXSj/mGrC07YQ/Zfs/UkONlygy2MUOZhsnzx3fN3cFNgsv 05EVZnGIVSwgpoFshO9bwVD8CNExvJ60oOrP/QkXA6yfGIInrDLp5zTTQQGbQNOxocZ3 nCLEcexxYV/P75a5kWQzpavARKMwtoRLhbdl/i+8tYWaLv/7EnW327hMgM3uU65U3ngH tOhRRdA4kr5llQ3TUUVoH010UeoY6DqvwlXVXH9anYcay5Te8tx+34wNwVipo8M/0GeG AxOw== X-Gm-Message-State: APt69E3vRii98crV88lIgIlEhzm5/nJJ8fLKjIjEwNvR7lqxpfeAKKvL 5JbBnQkk163SjCFHzqyjVcttyNucElA= X-Received: by 2002:a65:4382:: with SMTP id m2-v6mr12638137pgp.68.1529978460299; Mon, 25 Jun 2018 19:01:00 -0700 (PDT) Received: from ?IPv6:2600:1010:b01b:ac5e:f0d2:dd3c:5dff:6377? ([2600:1010:b01b:ac5e:f0d2:dd3c:5dff:6377]) by smtp.gmail.com with ESMTPSA id s68-v6sm429746pfi.85.2018.06.25.19.00.58 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 25 Jun 2018 19:00:58 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (1.0) Subject: Re: [PATCH v4 1/4] seccomp: add a return code to trap to userspace From: Andy Lutomirski X-Mailer: iPhone Mail (15F79) In-Reply-To: <20180626013204.GA7261@cisco.cisco.com> Date: Mon, 25 Jun 2018 19:00:56 -0700 Cc: Jann Horn , Kees Cook , kernel list , containers@lists.linux-foundation.org, Linux API , Oleg Nesterov , "Eric W. Biederman" , "Serge E. Hallyn" , Christian Brauner , Tyler Hicks , suda.akihiro@lab.ntt.co.jp, "Tobin C. Harding" Content-Transfer-Encoding: quoted-printable Message-Id: <24C1FE9E-1BAB-49EC-B62C-942B945A7163@amacapital.net> References: <20180621220416.5412-1-tycho@tycho.ws> <20180621220416.5412-2-tycho@tycho.ws> <20180622151514.GM3992@cisco> <20180626013204.GA7261@cisco.cisco.com> To: Tycho Andersen Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Jun 25, 2018, at 6:32 PM, Tycho Andersen wrote: >=20 >> On Sat, Jun 23, 2018 at 12:27:43AM +0200, Jann Horn wrote: >>> On Fri, Jun 22, 2018 at 11:51 PM Kees Cook wrote= : >>>=20 >>>> On Fri, Jun 22, 2018 at 11:09 AM, Andy Lutomirski = wrote: >>>> One possible extra issue: IIRC /proc/.../mem uses FOLL_FORCE, which is n= ot what we want here. >>=20 >> Uuugh, I forgot about that. >>=20 >>>> How about just adding an explicit =E2=80=9Cread/write the seccomp-trapp= ed task=E2=80=99s memory=E2=80=9D primitive? That should be easier than a =E2= =80=9Copen mem fd=E2=80=9D primitive. >>>=20 >>> Uuugh. Can we avoid adding another "read/write remote process memory" >>> interface? The point of this series was to provide a lightweight >>> approach to what should normally be possible via the existing >>> seccomp+ptrace interface. I do like Jann's context idea, but I agree >>> with Andy: it can't be a handle to /proc/$pid/mem, since it's >>> FOLL_FORCE. Is there any other kind of process context id we can use >>> for this instead of pid? There was once an idea of pid-fd but it never >>> landed... This would let us get rid of the "id" in the structure too. >>> And if that existed, we could make process_vm_*v() safer too (taking a >>> pid-fd instead of a pid). >>=20 >> Or make a duplicate of /proc/$pid/mem that only differs in whether it >> sets FOLL_FORCE? The code is basically already there... something like >> this: >=20 > But we want more than just memory access, I think. rootfs access, ns > fds, etc. all seem like they might be useful, and racy to open. >=20 > I guess I see two options: use the existing id and add something to > seccomp() to ask if it's still valid or independent of this patchset > add some kind of pid id :\ >=20 I think we use the existing id / cookie / whatever and ask seccomp, or new s= yscalls, to do the requested operation. This is because we know the target t= ask is in a very special stopping point. As a result, a seccomp-specific mec= hanism can do RCU-less fd modifications against a single-threaded target, ca= n muck with things like struct cred, etc, while a more general interface can= =E2=80=99t. It might be nice to add a syscall with flags such that it could be used on p= trace-stopped targets later on. Something like: access_remote_task(int fd, u64 id, u32 type, ...) Where type is 16 bits of =E2=80=9Cid and fd is from seccomp=E2=80=9D and 16 b= its of =E2=80=9Cwrite memory=E2=80=9D or such.=