Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp529228imm; Wed, 19 Sep 2018 02:57:04 -0700 (PDT) X-Google-Smtp-Source: ANB0VdZLEFoZOJ4QWeGU5wQRKkTbvfi0zEqjwWUP31df+RRYUdjDXIOtcdOTT8EWwcwiJEj5xvrF X-Received: by 2002:a63:ee56:: with SMTP id n22-v6mr31824654pgk.402.1537351024050; Wed, 19 Sep 2018 02:57:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1537351024; cv=none; d=google.com; s=arc-20160816; b=FPoiZDW/QKj8cjQEuLuaTPaofH5TDJ/5aSRjj6DG5mhI0iEQqoAYnKcHLA6I30lkKQ KnoZ1uzvACKY/HV8V2eLOJUWa+FKlpP0M+joz0wBpRltVF8ycYPI7tRZksGqSfMcXrWb WUnrPPGQHxYAfKnE0yZ64AjAjuIg4xA/gXZ2IWwsP7cejNyZb7TDrf5qQCcDhnccRhcX G7F0ZiFWPFYfmYjqHEpaU0Tj2iPWwFLf7xCV1qQMm7YXFRl9mnKsN40PNJ/AGgEGOJjC O06QroaoBXUdk0CJSWn897bFLf9mxMxH9wRinrLLOZlTDi3v/I18NIWxd2b+KORfUbgG RGOA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=OFB/MHMgh0Ap32ZYn2KzCunWcMDGOn12r0Z0szLw7J4=; b=BVzC1ztw76WEfZTskOWRon1zuUIzH8bV69Xo5ENrN6Lfi96sbJfZHV7ght6HMGU+Gf Cp+il+Brb68r5Xh4NibPnYXUmPvv04EKFG+WSChV3ywEHVBdNr5xt1jbEoBXT7MENucV 0kEunDycurG4iLu/8qbc4X5EBT0r+DTNGL7nrh+RLyDn6UpPtydHR/jkdjpBfUoU/zXh MukXjbk0tv9aN/fdi8tGO8s0hRDRruRzsnK5HXD6ZR7hk3+qQvyy9H5GLy0U/KYvEZlI 6ltlTmcEmla62mhOxQc6CnqNuN+gkSuHdibhiTwTIO8vqKOeMXQGDLGCTkSLa3guXIeO rqbg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@tycho-ws.20150623.gappssmtp.com header.s=20150623 header.b=0ZVV7E75; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n14-v6si20248546pgg.216.2018.09.19.02.56.48; Wed, 19 Sep 2018 02:57:04 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@tycho-ws.20150623.gappssmtp.com header.s=20150623 header.b=0ZVV7E75; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731097AbeISPcu (ORCPT + 99 others); Wed, 19 Sep 2018 11:32:50 -0400 Received: from mail-wm1-f65.google.com ([209.85.128.65]:55034 "EHLO mail-wm1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728008AbeISPct (ORCPT ); Wed, 19 Sep 2018 11:32:49 -0400 Received: by mail-wm1-f65.google.com with SMTP id c14-v6so5556024wmb.4 for ; Wed, 19 Sep 2018 02:55:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tycho-ws.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=OFB/MHMgh0Ap32ZYn2KzCunWcMDGOn12r0Z0szLw7J4=; b=0ZVV7E751Kl/BJqthEr0nAnfpX0a/QFX8ZW9jfjpyQSDwxsNPVhpm4owCLzit1yamr 6rhw2pXg+/SMJ71T0BJI6x3o0OzDxWuRgnM6wqM4h6dlmL2SrzViGkEKQ6fu3ev1H6Ds OTNa0rA+YhDzOjA3Kuhnvjmu3eCFfcTLpBLg1WtiCfygB2q7Y1vxOfJpCNLjwINv7S+j N4GuatKjDeS0tk6Ud6Ctts7oJt2fJschjcQoaAgHnlQOZptPGF3rWaUNQbBjtUlmP2RG laFlpRFLNd5+CiCcJ84sTpewSwyoc08zx3aolvnFnmRFxF8pew5em798nHj5Ey9DlLQg aECg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=OFB/MHMgh0Ap32ZYn2KzCunWcMDGOn12r0Z0szLw7J4=; b=SQh7yMvX70RTjgWPi14Yt2BFPTmHKh1Ycdge17DBx8kdTp8hJ5wX/tuRfBmWX9/qm4 4XzCsD4TDRXx3e1oIEGayWwJUDRrnnRzblXCZRBtoe7RmW5itw6L4y9wjQy5GMrsxnoi MRSdoIL3l22MhBDXVlIVX0JhTZ+qrk9cYLKdkHt9YZTmtcw/7eSq+oGETuRM5L1m7t+8 Xeau7sLwZpQ8IfcYkJKlAWVyBim29NsL4ZMiAu1zU8jSQRp9vR3hReTZ8e0kf3R3fFIc 2oOpBke96144iR/deqI6trQUUPCHLPXHtp0UkdCOK2GShG9HsGKJQKawVpqF/FMDV+sb xgog== X-Gm-Message-State: APzg51Dg1pXb6dD0BbKU78RhCWyrZJVUp7QvvFJqpnNbMALt13xF51ch o2prk8Vz9Rs4LijxHxUmxc8jBmpkNeW7pPOV X-Received: by 2002:a1c:40d5:: with SMTP id n204-v6mr19418064wma.44.1537350939353; Wed, 19 Sep 2018 02:55:39 -0700 (PDT) Received: from cisco ([173.38.220.62]) by smtp.gmail.com with ESMTPSA id x15-v6sm17614359wrt.53.2018.09.19.02.55.37 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 19 Sep 2018 02:55:38 -0700 (PDT) Date: Wed, 19 Sep 2018 03:55:36 -0600 From: Tycho Andersen To: Andy Lutomirski Cc: Kees Cook , LKML , Linux Containers , Linux API , Oleg Nesterov , "Eric W . Biederman" , "Serge E . Hallyn" , Christian Brauner , Tyler Hicks , Akihiro Suda , Jann Horn Subject: Re: [PATCH v6 4/5] seccomp: add support for passing fds via USER_NOTIF Message-ID: <20180919095536.GM4672@cisco> References: <20180906152859.7810-1-tycho@tycho.ws> <20180906152859.7810-5-tycho@tycho.ws> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.9.4 (2018-02-28) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Sep 12, 2018 at 04:52:38PM -0700, Andy Lutomirski wrote: > On Thu, Sep 6, 2018 at 8:28 AM, Tycho Andersen wrote: > > The idea here is that the userspace handler should be able to pass an fd > > back to the trapped task, for example so it can be returned from socket(). > > > > I've proposed one API here, but I'm open to other options. In particular, > > this only lets you return an fd from a syscall, which may not be enough in > > all cases. For example, if an fd is written to an output parameter instead > > of returned, the current API can't handle this. Another case is that > > netlink takes as input fds sometimes (IFLA_NET_NS_FD, e.g.). If netlink > > ever decides to install an fd and output it, we wouldn't be able to handle > > this either. > > An alternative could be to have an API (an ioctl on the listener, > perhaps) that just copies an fd into the tracee. There would be the > obvious set of options: do we replace an existing fd or allocate a new > one, and is it CLOEXEC. Then the tracer could add an fd and then > return it just like it's a regular number. > > I feel like this would be more flexible and conceptually simpler, but > maybe a little slower for the common cases. What do you think? I'm just implementing this now, and there's one question: when do we actually do the fd install? Should we do it when the user calls SECCOMP_NOTIF_PUT_FD, or when the actual response is sent? It feels like we should do it when the response is sent, instead of doing it right when SECCOMP_NOTIF_PUT_FD is called, since if there's a subsequent signal and the tracer decides to discard the response, we'll have to implement some delete mechanism to delete the fd, but it would have already been visible to the process, etc. So I'll go forward with this unless there are strong objections, but I thought I'd point it out just to avoid another round trip. Tycho