Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3880481imm; Mon, 8 Oct 2018 11:02:25 -0700 (PDT) X-Google-Smtp-Source: ACcGV63amDHFVkgzLDKhSvZWjL6pTI5/5458EHnWqtQFjX9NmfzCKpGE4Bcq+0k3VR7Td7dVlvFP X-Received: by 2002:a63:d14a:: with SMTP id c10-v6mr22266840pgj.384.1539021745280; Mon, 08 Oct 2018 11:02:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539021745; cv=none; d=google.com; s=arc-20160816; b=RH7Dnp0+0oIP0G1T41fa6tOdT2zos84ZXeYY9Y7rdWHrWn6osSY495dY5MDGVIsdad mP5xlzgAT/lLkRNVjRsRG8BUlnrk8uZf/YstuJOm6+h81DqyHBAlk8IA1mkJLEmnHf0K tD/VXWLADp9QmYffaEHeSzAQgjCRDMFfxUsvxAkdRXd7505Cue2MMwf91+dSNoXiXkk2 pGu3Uvo/aBReiKGAjjZ4wfZx4HABopW4VLhtlkjWDqCFFhslVX7DVx6ZoPIAqHkZs70F 9vTux/73sq86uyqYj2XDMGG7Jw7d1fa8jjUk0SD9zgu8m7eDbEVdnxE/152LVeAVTYJx fpGA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=ZtJH1QdwhbrgyqiPLe408Wuhlx5dwCE57Yg2TZSlaRg=; b=D9NvE55LDl2Bw1x17OLeE+aDNsSdcYpEjmmJprUDf4lzri56jBJKoWc+K0LUoyD8K9 bBpL+6Vdtc4pXVNxW6sZuDwc4+8TqNaocEG6DfQalqVUvwljAB280X7cyj6CN+3ITu+y D4G5NQGJr8F9X4NE5Wxwe+t4BImc/HDwI0jUkMTVazn37nW8g0XfmO0RnWQc8fSJj+fA /twf1ktp4gjk6nBD3v26pxCS4QMGZgRObZE4KWuuxQa/MeXqkgzpcvr8sc6tpS/vD6VV ELGeH++khkOnrOzoKTDogeAsNUI5SM71V0TApbec40amgf+rRxkwoXxKFG5eafWctKbY YGow== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@tycho-ws.20150623.gappssmtp.com header.s=20150623 header.b=jhazeqZN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q61-v6si18470720plb.231.2018.10.08.11.02.09; Mon, 08 Oct 2018 11:02:25 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@tycho-ws.20150623.gappssmtp.com header.s=20150623 header.b=jhazeqZN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726525AbeJIBNj (ORCPT + 99 others); Mon, 8 Oct 2018 21:13:39 -0400 Received: from mail-pl1-f193.google.com ([209.85.214.193]:42680 "EHLO mail-pl1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726483AbeJIBNj (ORCPT ); Mon, 8 Oct 2018 21:13:39 -0400 Received: by mail-pl1-f193.google.com with SMTP id c8-v6so10403896plo.9 for ; Mon, 08 Oct 2018 11:00:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tycho-ws.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=ZtJH1QdwhbrgyqiPLe408Wuhlx5dwCE57Yg2TZSlaRg=; b=jhazeqZN7YVVBOeeSzlL77MTMuKYSaAzepyy9UAEIi8rZOl6vaMkaBy05TPCRo65hU 0Xfj9frQTtO6QsenGHEe92gmN/n+AvORVmnWssn/OPEsyZliO7SmYkqqnCT4nOl8j4qJ 9Ddnw1pJJWVbPymtVOPIQAGDXYWsra6jbI16Wa9Eo1iBDcfpNJ1P6A1ZaYb+H+dPko8M gV0b/HfragCFvj93ZKRqNQHq7iipCS3TAaz6BolJZ2sFpqT4AGoFCGGpAsWH4rYC8UtT sHPEsvq/L6QQ6JmzQPt/8lsU9BGm7vq1WJQvmcoATHKuiiRJ09DrrBiwGfwUxT2Aislr rUnQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=ZtJH1QdwhbrgyqiPLe408Wuhlx5dwCE57Yg2TZSlaRg=; b=VnRqetT6rvSMv/u+/Sw/weqP4DGa8nPRCBNxeD8sXpdCumAwuIGbVQNZu7FIxX8KZs qnJZ6HpwFD8O7AjTOsWdkHyc8O0AROlQ+tbnNVIEvG/tHU+plhZRFVpceSx8S8nB/Brp HqwhQiToIQbZiUs1rxHV03BkXZph1NKSglrtbnrcA1KD3qFgEVsAjoDjpe0oXE58tqnv 2UDBQk4nEKu6mIPcqtInZE2xwYNmODXgUp4qzS5Dl7n7PaRKYZR+tNhpHGVZd01BdQD+ EUHR5RSKL/13VuJJiwaqbu47UrmFxiGzh+NAYeMUpTqhfBnwnU6TqaaRC2y4KwDE92P/ ZfQA== X-Gm-Message-State: ABuFfogHK2lGXfHp2G3pnAFy3tPNVePzxDf70GBNYY//lQ9fWWnZUeEQ njCN7X72mc0gNsrhyieTiR/5cYQPKGPWSw== X-Received: by 2002:a17:902:d90e:: with SMTP id c14-v6mr25265369plz.61.1539021645795; Mon, 08 Oct 2018 11:00:45 -0700 (PDT) Received: from cisco.lan ([2001:420:28e:1260:c7c:88c5:50e7:459f]) by smtp.gmail.com with ESMTPSA id h5-v6sm23488305pfo.135.2018.10.08.11.00.43 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 08 Oct 2018 11:00:44 -0700 (PDT) Date: Mon, 8 Oct 2018 12:00:43 -0600 From: Tycho Andersen To: Christian Brauner Cc: Kees Cook , Jann Horn , linux-api@vger.kernel.org, containers@lists.linux-foundation.org, Akihiro Suda , Oleg Nesterov , linux-kernel@vger.kernel.org, "Eric W . Biederman" , linux-fsdevel@vger.kernel.org, Christian Brauner , Andy Lutomirski Subject: Re: [PATCH v7 3/6] seccomp: add a way to get a listener fd from ptrace Message-ID: <20181008180043.GE28238@cisco.lan> References: <20180927151119.9989-1-tycho@tycho.ws> <20180927151119.9989-4-tycho@tycho.ws> <20181008151629.hkgzzsluevwtuclw@brauner.io> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20181008151629.hkgzzsluevwtuclw@brauner.io> User-Agent: Mutt/1.9.4 (2018-02-28) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Oct 08, 2018 at 05:16:30PM +0200, Christian Brauner wrote: > On Thu, Sep 27, 2018 at 09:11:16AM -0600, Tycho Andersen wrote: > > As an alternative to SECCOMP_FILTER_FLAG_GET_LISTENER, perhaps a ptrace() > > version which can acquire filters is useful. There are at least two reasons > > this is preferable, even though it uses ptrace: > > > > 1. You can control tasks that aren't cooperating with you > > 2. You can control tasks whose filters block sendmsg() and socket(); if the > > task installs a filter which blocks these calls, there's no way with > > SECCOMP_FILTER_FLAG_GET_LISTENER to get the fd out to the privileged task. > > So for the slow of mind aka me: > I'm not sure I completely understand this problem. Can you outline how > sendmsg() and socket() are involved in this? > > I'm also not sure that this holds (but I might misunderstand the > problem) afaict, you could do try to get the fd out via CLONE_FILES and > other means so something like: > > // let's pretend the libc wrapper for clone actually has sane semantics > pid = clone(CLONE_FILES); > if (pid == 0) { > fd = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog); > > // Now this fd will be valid in both parent and child. > // If you haven't blocked it you can inform the parent what > // the fd number is via pipe2(). If you have blocked it you can > // use dup2() and dup to a known fd number. > } But what if your seccomp filter wants to block both pipe2() and dup2()? Whatever syscall you want to use to do this could be blocked by some seccomp policy, which means you might not be able to use this feature in some cases. Perhaps it's unlikely, and we can just go forward knowing this. But it seems like it is worth at least acknowledging that you can wedge yourself into a corner. Tycho