From: Jann Horn
Date: Thu, 27 Sep 2018 21:28:07 +0200
Subject: Re: [PATCH v7 5/6] seccomp: add a way to pass FDs via a notification fd
To: Tycho Andersen
Cc: Kees Cook, kernel list, containers@lists.linux-foundation.org, Linux API, Andy Lutomirski, Oleg Nesterov, "Eric W. Biederman", "Serge E. Hallyn", Christian Brauner, Tyler Hicks, suda.akihiro@lab.ntt.co.jp, linux-fsdevel@vger.kernel.org
References: <20180927151119.9989-1-tycho@tycho.ws> <20180927151119.9989-6-tycho@tycho.ws>
In-Reply-To: <20180927151119.9989-6-tycho@tycho.ws>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Sep 27, 2018 at 5:11 PM Tycho Andersen wrote:
> This patch adds a way to insert FDs into the tracee's process (also
> close/overwrite fds for the tracee). This functionality is necessary to
> mock things like socketpair() or dup2() or similar, but since it depends on
> external (vfs) patches, I've left it as a separate patch as before so the
> core functionality can still be merged while we argue about this. Except
> this time it doesn't add any ugliness to the API :)
[...]
> +static long seccomp_notify_put_fd(struct seccomp_filter *filter, > + unsigned long arg) > +{ > + struct seccomp_notif_put_fd req; > + void __user *buf = (void __user *)arg; > + struct seccomp_knotif *knotif = NULL; > + long ret; > + > + if (copy_from_user(&req, buf, sizeof(req))) > + return -EFAULT; > + > + if (req.fd < 0 && req.to_replace < 0) > + return -EINVAL; > + > + ret = mutex_lock_interruptible(&filter->notify_lock); > + if (ret < 0) > + return ret; > + > + ret = -ENOENT; > + list_for_each_entry(knotif, &filter->notif->notifications, list) { > + struct file *file = NULL; > + > + if (knotif->id != req.id) > + continue; Are you intentionally permitting non-SENT states here? It shouldn't make a big difference, but I think it'd be nice to at least block the use of notifications in SECCOMP_NOTIFY_REPLIED state. > + if (req.fd >= 0) > + file = fget(req.fd);
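
Review bot: at the end of the quoted loop body, `file` is NULL both when req.fd < 0 (the close/overwrite-only case allowed by the earlier -EINVAL check) and when fget(req.fd) fails on a descriptor that is not open, so the two cases should be told apart immediately after the fget() call, for example by failing with -EBADF inside `if (req.fd >= 0)` when fget() returns NULL. Without that, any later code that branches on `file` cannot distinguish "no fd requested" from "bad fd supplied by the listener". Separately, the `= NULL` initializer on knotif has no effect: list_for_each_entry() assigns the cursor, and after a full traversal with no matching id the cursor is not NULL, so the not-found path has to rely on ret (preset to -ENOENT) rather than on knotif.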