Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp2415805imm;
        Thu, 27 Sep 2018 12:29:11 -0700 (PDT)
X-Google-Smtp-Source: ACcGV63iaTAEwSxd286dU0FtwmajFKVwyOWP1gDGXAvfGMNoiKK8u56yyvZf8idwPapBJPZ2AlJ1
X-Received: by 2002:a17:902:8bc3:: with SMTP id r3-v6mr12410620plo.218.1538076551768;
        Thu, 27 Sep 2018 12:29:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1538076551; cv=none;
        d=google.com; s=arc-20160816;
        b=g3GiDrN8xpBOtwEVe0I12VPZU/GMSXVfuT1ytqFDezw8B8VbPhnqpmlrhpr8tv1IuB
         Xr3LD2j1NcLH3S0/IGus8mL8eWFyO8Ry8bsXDmGqUdA/X3tcT4xxacqK8yu3JhvlCMKq
         KNAwTVl4Z0yAwWD+cZYjLgFuPAjITUsOD/f5XGrLJVrFei0qb7D17w4bT2H+E8Eztf6f
         TlF01hk5u7cs/fg1iH58fXcH8WNp5wmlGmxYz2FGCuYzCjRFuFmN5x9SZgec3KJ9w8Fc
         CUUL/NhiVDmIjfa1vjdyhqTf0QmmsCFrvA92sTEJdsnvm121fVLS6lqv9nbShkV6UUc9
         OA/A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=/Tt7aG7/5AAYl6fdud2ktru1JKKccWVdcV8TSxRqWpw=;
        b=fPCDJwUF9SZ1eh64+FRsrdR2/K2hCFvK+KH6ZxhWgBXZB9roar4sV6wwfvdGu7jp9I
         ziV6M8phQ9ilL2jxdl+sCA2IjOz2pIC4bIebV981q/sjl/ODpLoQnUdC+eBy7pTjS+SB
         tFn8OFJlZuuzYAwC43CqYRn2s8zjoxYCO5ahGv3gS9Wrm2ycDJa2q2yEqzb/kEmWW9D/
         vmsbVpKJuYcpb5WP8dhX/6urv989QMeDrI45fCs4S5DRsz5eXZDqwXWduTB6WJU+UCTR
         F/+kWm1kM2I1woolu6Cd3hDRS3sUfYfz4aH9qz83il9icMiSvlYzg8aEiAY+kaFZ/pXn
         LOUQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=Xw0XF1la;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p14-v6si2688198plo.363.2018.09.27.12.28.56;
        Thu, 27 Sep 2018 12:29:11 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=Xw0XF1la;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728724AbeI1BsY (ORCPT <rfc822;1990.zhangzhen@gmail.com>
        + 99 others); Thu, 27 Sep 2018 21:48:24 -0400
Received: from mail-oi1-f195.google.com ([209.85.167.195]:37139 "EHLO
        mail-oi1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728700AbeI1BsY (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 27 Sep 2018 21:48:24 -0400
Received: by mail-oi1-f195.google.com with SMTP id e17-v6so2329788oib.4
        for <linux-kernel@vger.kernel.org>; Thu, 27 Sep 2018 12:28:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=/Tt7aG7/5AAYl6fdud2ktru1JKKccWVdcV8TSxRqWpw=;
        b=Xw0XF1la15hT+fQZ7KfWhWNpINrvsLds4E9go5w7iRHVO9U4wMDrNoHBx5SW/c6t6Y
         3f2vZVsXSjoO1Ktw8HuW1x07MPXAQp/HPrI4smZaKM4fayMaVozezJmk0gp7OnghUF7k
         pQHWuGLFW5eb3Bs3qz8D6AoJL4DHapMgYHBo+sUqfe7PBBNhLC54XGC7VbS0+sJZ3bDh
         ViRRU93+3qr3LhA0xYjpvGz5jPnBI7j2IDlanHY89g7YYOTeAC7foNUUuIyRQJpdHePI
         +XDl37ClIiTXlqcEO8OYcgck751Al1eR6GsUwsLG95jbCFUrA1M+1YzlUt+wTHj2ZU1j
         oPZw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=/Tt7aG7/5AAYl6fdud2ktru1JKKccWVdcV8TSxRqWpw=;
        b=UKkycUnlLP2kB1Hq2XAhUi18Ta7M3YBXNQgX2ikQirRWckSyqTWtQJTWE4JHjJzEaq
         KXTJi3BZ3u6rLXwFV+8bIVczVbFx0Xq1EwAmUh2zYV6If1jcLcT0x0WIxVh/S2824bUo
         AMGtGc5klIKhEUxCgI9cd2jNc9oFq55VtlI6j3Do5NCcKMWZ53+8IRwyhvVGaaZvo9U8
         su8kWJ/6iG3bmBCUYN00suf7KT0p6kvhhmi5Ibu62QMGWFCON4HJjSozHIRJRRuPhPJt
         aDmVfXMY2IKYpSTDM7zzmzWU1BDT7UD3X/6dTU+7Ip4A5D+ym1zZV7aKBet5xnoXh9iK
         jRyw==
X-Gm-Message-State: ABuFfojEew+ReUCBib+9jIGqTT/v+L/4SP5DXKdG5ZBMjkTqvKS6k5Dt
        DI+3df7sKHu32JSg/jZJWeUurLbvvJyNl1wyPy+890EaMRgu/uVJ
X-Received: by 2002:aca:c444:: with SMTP id u65-v6mr4048072oif.8.1538076514289;
 Thu, 27 Sep 2018 12:28:34 -0700 (PDT)
MIME-Version: 1.0
References: <20180927151119.9989-1-tycho@tycho.ws> <20180927151119.9989-6-tycho@tycho.ws>
In-Reply-To: <20180927151119.9989-6-tycho@tycho.ws>
From:   Jann Horn <jannh@google.com>
Date:   Thu, 27 Sep 2018 21:28:07 +0200
Message-ID: <CAG48ez0JY=_fvgy+t92-08kBFgTAZ-3hgAp+OOAwmSd73MJ-QA@mail.gmail.com>
Subject: Re: [PATCH v7 5/6] seccomp: add a way to pass FDs via a notification fd
To:     Tycho Andersen <tycho@tycho.ws>
Cc:     Kees Cook <keescook@chromium.org>,
        kernel list <linux-kernel@vger.kernel.org>,
        containers@lists.linux-foundation.org,
        Linux API <linux-api@vger.kernel.org>,
        Andy Lutomirski <luto@amacapital.net>,
        Oleg Nesterov <oleg@redhat.com>,
        "Eric W. Biederman" <ebiederm@xmission.com>,
        "Serge E. Hallyn" <serge@hallyn.com>,
        Christian Brauner <christian.brauner@ubuntu.com>,
        Tyler Hicks <tyhicks@canonical.com>,
        suda.akihiro@lab.ntt.co.jp, linux-fsdevel@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Sep 27, 2018 at 5:11 PM Tycho Andersen <tycho@tycho.ws> wrote:
> This patch adds a way to insert FDs into the tracee's process (also
> close/overwrite fds for the tracee). This functionality is necessary to
> mock things like socketpair() or dup2() or similar, but since it depends on
> external (vfs) patches, I've left it as a separate patch as before so the
> core functionality can still be merged while we argue about this. Except
> this time it doesn't add any ugliness to the API :)
[...]
> +static long seccomp_notify_put_fd(struct seccomp_filter *filter,
> +                                 unsigned long arg)
> +{
> +       struct seccomp_notif_put_fd req;
> +       void __user *buf = (void __user *)arg;
> +       struct seccomp_knotif *knotif = NULL;
> +       long ret;
> +
> +       if (copy_from_user(&req, buf, sizeof(req)))
> +               return -EFAULT;
> +
> +       if (req.fd < 0 && req.to_replace < 0)
> +               return -EINVAL;
> +
> +       ret = mutex_lock_interruptible(&filter->notify_lock);
> +       if (ret < 0)
> +               return ret;
> +
> +       ret = -ENOENT;
> +       list_for_each_entry(knotif, &filter->notif->notifications, list) {
> +               struct file *file = NULL;
> +
> +               if (knotif->id != req.id)
> +                       continue;

Are you intentionally permitting non-SENT states here? It shouldn't
make a big difference, but I think it'd be nice to at least block the
use of notifications in SECCOMP_NOTIFY_REPLIED state.

> +               if (req.fd >= 0)
> +                       file = fget(req.fd);