Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp3037917imm; Mon, 10 Sep 2018 10:02:01 -0700 (PDT) X-Google-Smtp-Source: ANB0VdbhuUV+Rsq4B1KEjYMFw1HSUm679qFZPc/7DOLNuEtO5ugO25b5MU1fkTcI/bdH8YX3GZXC X-Received: by 2002:a17:902:864b:: with SMTP id y11-v6mr23162425plt.335.1536598920971; Mon, 10 Sep 2018 10:02:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1536598920; cv=none; d=google.com; s=arc-20160816; b=zIqc3ihd+xuU8mQc45Ha+YxotXZ8RjeGhCJZx8FeVIrjklKQrRurYazsWLdfK5Nj+k JAeiJQi7RoGaN9YKC6V2Pnayn0GjMjCsOSsiex2SqOQnBV1LXeWra1M23CF7FuArgfZu Bct7T94wKMs7ZEJW6icbeIY1gDLUDNMi3hLKmvM4jchgJhdplA5YF2P50genAft1s6ru nFQCiyYjmVm3K3nrl3d/A94zDeNLhS2IxZhi7n+7YUR4fRktox3/W/iUQ0xSl5pOctcV XUzvT2TnAndFoEa4eRBmOD25T/yeCxqRN/vrcxGHsMXeTbtnR8oisLMNUNcQXAdEwrvw 19nw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=zK8Fd0kJOvKg2PjbnxicjT6vqSDeRw4iZMBXsXoGFmM=; b=S26F6ebyEjWyhken290d21oqakMib1oP8L3lbpBiLgywCHuKNgiS9QajfFiqVkYu+7 TGtYTcHZwYU8aOt3GBva/3GeqKUklLRCpu6WD0XS528yTpHxLhSuFwDShwj5eo4GWcwz BhS1bIb978SOvLe03Zoi78AWG31fw2/Ewre50UOgPqDeA93SVxRhpFYu5pc2xxcId7Mh 72jMPDXZl7PNBP25rQzMeQpkwlUqiQz64hNV7u/GcMJvBMZcbq9FeFGXbFGe2lJf+HfA 9EeqlwTWH7BiNnTMtZF/zzdgNPm2ZY+2TwviSlCtlrf3SPtndgCG2jivq3Xq/9TWZFyf fhlQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=dIQ3tkOu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n7-v6si16382255pgp.411.2018.09.10.10.01.45; Mon, 10 Sep 2018 10:02:00 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=dIQ3tkOu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728834AbeIJV4L (ORCPT + 99 others); Mon, 10 Sep 2018 17:56:11 -0400 Received: from mail-oi0-f68.google.com ([209.85.218.68]:36200 "EHLO mail-oi0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727772AbeIJV4L (ORCPT ); Mon, 10 Sep 2018 17:56:11 -0400 Received: by mail-oi0-f68.google.com with SMTP id r69-v6so41556869oie.3 for ; Mon, 10 Sep 2018 10:01:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zK8Fd0kJOvKg2PjbnxicjT6vqSDeRw4iZMBXsXoGFmM=; b=dIQ3tkOuAhOd9PniRN6RdV95MMYfadce67k4y2v6gKC7B1IXs+umPZ2k4BHhUMpnc6 nKpPU/Nf6wDZ5iLmRNePphh4SrHZyTgC8rQ3bnVzBpXBLz9nhkRb8WIg6SLjPQDRznKK eysLL2rrTTqKpHv1TrxbH0iVJ023lBrzFDDYW+75FtCv29xoyMNToxUFzGoiJl+CH0Cy RBeeBLAgdeo6GXmo6CchekthW1U3ED39MmPd5UoZcRXm+F9Ij63I8hEu2ogPXNhxanMj p9f0X9uiTA7g6+IlBx6QTKzdIVcXHonsaHLlmfChpcIhxxQvbhhnCOsi7R/yTe/MZxs/ Fmcw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zK8Fd0kJOvKg2PjbnxicjT6vqSDeRw4iZMBXsXoGFmM=; b=VAehwM6ouYx1xb2k4Ru9MHlNxGhroaNkdXQ7WomCHet0VS3H0QN6hIUUkAJ+eO+zHI mEfNsKFYMkcQ3/8BfNJKlC78Wq/YlFuB19651fi6mo2he1Lmfk1BP3vcguPb7tLNlfeR KrlJUiw+qYOGrPgGKD2otI/tzECUdrnAOgyDL7JWmy0tkX7UuG6FLz2VRRWPUryPScVq YP1RcS1450M/46ynZ8gMPuMiAktUfZqlnsSJnZb81xoPplqSh/WHiAzkKIhfhchH551B m+V2Xtf5immm0aqmjd5iUL93laPH4QpczQJoRZolfifiXa1FDMML2NdIvILi9QWHeGtg gCzg== X-Gm-Message-State: APzg51D2JY7DOGVdcJUavbmR9jbplLkPqkHrw63xC/HcY4J8JlWUS7Qa LgUzv4M49IcgJXglpz9vpCKk2OB6TmYOYzzYs+wAZw== X-Received: by 2002:aca:c585:: with SMTP id v127-v6mr23202338oif.348.1536598869584; Mon, 10 Sep 2018 10:01:09 -0700 (PDT) MIME-Version: 1.0 References: <20180906152859.7810-1-tycho@tycho.ws> <20180906152859.7810-5-tycho@tycho.ws> <20180906162246.GB3326@cisco.cisco.com> <20180906183018.GC3326@cisco.cisco.com> In-Reply-To: <20180906183018.GC3326@cisco.cisco.com> From: Jann Horn Date: Mon, 10 Sep 2018 19:00:43 +0200 Message-ID: Subject: Re: [PATCH v6 4/5] seccomp: add support for passing fds via USER_NOTIF To: Tycho Andersen Cc: Kees Cook , kernel list , containers@lists.linux-foundation.org, Linux API , Andy Lutomirski , Oleg Nesterov , "Eric W. Biederman" , "Serge E. Hallyn" , Christian Brauner , Tyler Hicks , suda.akihiro@lab.ntt.co.jp Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Sep 6, 2018 at 8:30 PM Tycho Andersen wrote: > On Thu, Sep 06, 2018 at 10:22:46AM -0600, Tycho Andersen wrote: > > On Thu, Sep 06, 2018 at 06:15:18PM +0200, Jann Horn wrote: > > > On Thu, Sep 6, 2018 at 5:29 PM Tycho Andersen wrote: > > > > The idea here is that the userspace handler should be able to pass an fd > > > > back to the trapped task, for example so it can be returned from socket(). > > > [...] > > > > diff --git a/Documentation/userspace-api/seccomp_filter.rst b/Documentation/userspace-api/seccomp_filter.rst > > > > index d1498885c1c7..1c0aab306426 100644 > > > > --- a/Documentation/userspace-api/seccomp_filter.rst > > > > +++ b/Documentation/userspace-api/seccomp_filter.rst > > > > @@ -235,6 +235,9 @@ The interface for a seccomp notification fd consists of two structures: > > > > __u64 id; > > > > __s32 error; > > > > __s64 val; > > > > + __u8 return_fd; > > > > + __u32 fd; > > > > + __u32 fd_flags; > > > > > > Normally, syscalls that take an optional file descriptor accept a > > > signed 32-bit number, with -1 standing for "no file descriptor". Is > > > there a reason why this uses a separate variable to signal whether an > > > fd was provided? > > > > No real reason other than I looked at the bpf code and they were using > > __u32 for bpf (but I think in their case the fd args are not > > optional). I'll switch it to __s32/-1 for the next version. > > Oh, I think there is a reason actually: since this is an API addition, > the "0" value needs to be the previously default behavior if userspace > doesn't specify it. Since the previously default behavior was not to > return an fd, and we want to allow fd == 0, we need the extra flag to > make this work. > > This is really only a problem because we're introducing this stuff in > a second patch (mostly to illustrate how extending the response > structure would work). I could fold this into the first patch if we > want, or we could keep the return_fd bits if the illustration is > useful. I feel like adding extra struct fields just so that it is possible to write programs against the intermediate new API between two kernel commits is taking things a bit far.