Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp1209276imm; Wed, 10 Oct 2018 10:46:35 -0700 (PDT) X-Google-Smtp-Source: ACcGV61BO70fiRcVu+NX9hk2QseV1bO4I7Z7ar/eyoRdxzmDhLiQ3bMBrfDm58GoELGRv9bCN4wv X-Received: by 2002:a63:1b61:: with SMTP id b33-v6mr7245263pgm.245.1539193595801; Wed, 10 Oct 2018 10:46:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539193595; cv=none; d=google.com; s=arc-20160816; b=HfuWN5GxldmYbPxHN4eCHzmM5Uig4mXJMwBs30FH7a3AHREO1XKO9kq7W8dxxOERhj gpCv4J0v3Z9fxLSNQQWNe+F9WqNfdaW+DOpCEcVGBuuCxuoLrglooqptQaQ28+8cv5ty rrGTfmx/1lHJGaFv7rsg2TRoIJDd2ofZuM3uiftw05nh1UY02y8I0bnTs+MWaDX9yTUM PmO442rMnGq7Xp792KUx3thgHlKAEkwScHhS7AS4YVLO5+/IHbuWwKEr7nKNcSDbyR0M UKAIChYw1rjF3ZOsOSdHzaGFRFaABmAP/Bflyv4qrorPabqo10d0BTuqIXOVQ5QiE/u2 EnAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=twvXee+ZkXSW/lskOcIxV+SOvNLvv8J3pTzYe6+z5XA=; b=v5FdYSC5eIcdxU/iY3WB/ITduWGi7A0PTMYlov++6t4OUbpq3P5+fWsI0upHIy1kX1 bnqXfa72nh3SKNwzvTLDzw6jTQAYrV4FqtxAMPydYT8RF8Hj+5a+xnIhwVsyhb4mzb27 onqFkYvchpeZpCj4F4j8aySlVpkL7gez+zZDxoEDov/Y2pZogwyQS79z25ezAoQlt2kQ YKoqEfwyYLDeOlHSjA7SFpGzd4MnReekPm390gEiMQnZjXW/g7YQdAVyXySfYOJeUqPN pIJn+RM05gDJYyjkEK/t//G0UQgTTHQJnLKkE+IYfVGLWMKrAQ/tjRavkxj8detORfn5 oJuw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=pS6dmdPq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v10-v6si24351414pgg.216.2018.10.10.10.46.18; Wed, 10 Oct 2018 10:46:35 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=pS6dmdPq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726775AbeJKBI5 (ORCPT + 99 others); Wed, 10 Oct 2018 21:08:57 -0400 Received: from mail-wm1-f66.google.com ([209.85.128.66]:54219 "EHLO mail-wm1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726567AbeJKBI4 (ORCPT ); Wed, 10 Oct 2018 21:08:56 -0400 Received: by mail-wm1-f66.google.com with SMTP id y11-v6so6378251wma.3 for ; Wed, 10 Oct 2018 10:45:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=twvXee+ZkXSW/lskOcIxV+SOvNLvv8J3pTzYe6+z5XA=; b=pS6dmdPqgWNW/gWzX9hZD9NnZ/K+uMa4XqvBRURuZNSDGXwsAq5L5CcGagCFyCZRsO Qb5Rcf/ze8bG0Ej+ON+uuAtyH5q7KVrZgbhecjf/9ByqWYSDex3Ig2RtxQ9R+5mkXn1t 8Aq253p5oPHNpVh50ti4CbLJjh1ZkaoUzofyKYwqeRBsFK78wQ8PwOeCfuP7GsEkxuEn fUfFsyheOVnD3xQjBctofhWUZSKfNMCQZWA7NOOHaqCLJSon7J5DoKSRPuXypIiDnux/ k12y62WtOY5VAlKDgX9ittjGTIfxfDwoMa1PdQbFA/ryB8SmqBglGsW5d5a3s1/LnkBn FtCA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=twvXee+ZkXSW/lskOcIxV+SOvNLvv8J3pTzYe6+z5XA=; b=IcdltRjdJ7HIcZzZwJevALCvI/3OZLRraSvcz1RXljozbLkR3u6rgQP6uiB4u3TVZ6 5DGBisgn6JO9kfgWc7wR4ynauA5HcXeiW4e9njb5YCBWkXXdys7a+ui35tHIhSXForgb Yf0WDGp9je97iHFRrGSkBwQRz2mYP3YqyRoCqK4U1INJ6rezePF7IQjn4gXI/b0nWQ/J HDFZzBpud5qiSoSYOF+ALCPys8QNKk1CNgfONjScntEmgbmdsHH83a0iOQLDHmokupJh hcNBhQtb4d5Z26H6ICtiN2FlCwV2J2icKN7esg2UKpfptU+lnNBVgXA1Ajasb7/nMDsf Ypdw== X-Gm-Message-State: ABuFfoiGPPWrFvFsryl2bwADMPOv1oKDaIW9ZBono2xWNOPON/WPrmKz x0fnoWEnelAEOmgT+2/TXSO2WOd0dTtBQPUHkJfW5g== X-Received: by 2002:a1c:4054:: with SMTP id n81-v6mr1796541wma.82.1539193542092; Wed, 10 Oct 2018 10:45:42 -0700 (PDT) MIME-Version: 1.0 References: <20180927151119.9989-1-tycho@tycho.ws> <20180927151119.9989-4-tycho@tycho.ws> <20181008151629.hkgzzsluevwtuclw@brauner.io> <20181008180043.GE28238@cisco.lan> In-Reply-To: <20181008180043.GE28238@cisco.lan> From: Andy Lutomirski Date: Wed, 10 Oct 2018 10:45:29 -0700 Message-ID: Subject: Re: [PATCH v7 3/6] seccomp: add a way to get a listener fd from ptrace To: Tycho Andersen Cc: Christian Brauner , Kees Cook , Jann Horn , Linux API , Linux Containers , Akihiro Suda , Oleg Nesterov , LKML , "Eric W. Biederman" , Linux FS Devel , Christian Brauner Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Oct 8, 2018 at 11:00 AM Tycho Andersen wrote: > > On Mon, Oct 08, 2018 at 05:16:30PM +0200, Christian Brauner wrote: > > On Thu, Sep 27, 2018 at 09:11:16AM -0600, Tycho Andersen wrote: > > > As an alternative to SECCOMP_FILTER_FLAG_GET_LISTENER, perhaps a ptrace() > > > version which can acquire filters is useful. There are at least two reasons > > > this is preferable, even though it uses ptrace: > > > > > > 1. You can control tasks that aren't cooperating with you > > > 2. You can control tasks whose filters block sendmsg() and socket(); if the > > > task installs a filter which blocks these calls, there's no way with > > > SECCOMP_FILTER_FLAG_GET_LISTENER to get the fd out to the privileged task. > > > > So for the slow of mind aka me: > > I'm not sure I completely understand this problem. Can you outline how > > sendmsg() and socket() are involved in this? > > > > I'm also not sure that this holds (but I might misunderstand the > > problem) afaict, you could do try to get the fd out via CLONE_FILES and > > other means so something like: > > > > // let's pretend the libc wrapper for clone actually has sane semantics > > pid = clone(CLONE_FILES); > > if (pid == 0) { > > fd = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog); > > > > // Now this fd will be valid in both parent and child. > > // If you haven't blocked it you can inform the parent what > > // the fd number is via pipe2(). If you have blocked it you can > > // use dup2() and dup to a known fd number. > > } > > But what if your seccomp filter wants to block both pipe2() and > dup2()? Whatever syscall you want to use to do this could be blocked > by some seccomp policy, which means you might not be able to use this > feature in some cases. You don't need a syscall at all. You can use shared memory. > > Perhaps it's unlikely, and we can just go forward knowing this. But it > seems like it is worth at least acknowledging that you can wedge > yourself into a corner. > I think that what we *really* want is a way to create a seccomp fitter and activate it later (on execve or via another call to seccomp(), perhaps). And we already sort of have that using ptrace() but a better interface would be nice when a real use case gets figured out.