Received: by 2002:ac0:aa62:0:0:0:0:0 with SMTP id w31-v6csp2041889ima; Mon, 22 Oct 2018 03:15:23 -0700 (PDT) X-Google-Smtp-Source: AJdET5fSgEq0uCJPmB3oCifiel53eINPnHIPV3LfbUOiq/h2b6Ly6yE6hx68yMfuI/cViNG+DKr/ X-Received: by 2002:a17:902:aa8d:: with SMTP id d13-v6mr2025302plr.74.1540203323119; Mon, 22 Oct 2018 03:15:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1540203323; cv=none; d=google.com; s=arc-20160816; b=jv8e7tGHZCdQZSlQGZ2HfC9gkp1GGYZltObTI/f8i2YkrMrtIthDOXdKwwd7EGiyo/ KQoY14QvQT14tblFPHMuURRu2V4h9kK4Te/syHgzeXfajutqoL3NWi3NVJXmWDDqNHy+ HeFPEtfV3HVDIuoPmAq0SrGRg4mGLXl8zj7ZjndGOjKKsYC8YrRFyKccw933JKnA9dZp 6eOakU/QXkjya3lqnCV5LlPO3a12vTA1rr8DelePU7HUqSY19ID6gpWvPOCRBSEmGIYm lZ/y9/esssS3pqrGGe5uAcc9AfEXb4XJdBXuymEVYj07KDJefsF/YOkGrJEMVM1705nJ SQ6g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=KWKmse8a4tt4dj9gO+OCYFTgYGfwesV1BTfj6SJjFBc=; b=ivTGw5OTbh4+L9R/ggGmJlDYz7U9hgyjouTeLiPCNPBr3LPyWOAsR5foKJ2KBYGzXH r2bxCCEPvGr+vSGajXQz0tMTabcsHRHhHeKVOsJJeicmNlpOfxtHIsT7vMaMqUcB8u1Y IfY0G5cMLoQ2zfVngIX4B39QkYXyHvdfFvwccL5yshY9yOxJULY54OWRY1SMcQ0v7/SL JOsOOYGsqHQpaN7UrpFJdBkAq5aQvYpqQgj6ziTR3UqsB+ppmaBfXd9EOSVLFHcO7AEe wwP6zcI2L2Ilh9kzp8HlkllY8v/apC3q7Qmt22alE2/rlv1tk5bipY2yv1Uj+NzycZ1K qgFg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@brauner.io header.s=google header.b=UHG4oHIo; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c141-v6si32393620pfb.78.2018.10.22.03.15.08; Mon, 22 Oct 2018 03:15:23 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@brauner.io header.s=google header.b=UHG4oHIo; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728498AbeJVSAl (ORCPT + 99 others); Mon, 22 Oct 2018 14:00:41 -0400 Received: from mail-wr1-f66.google.com ([209.85.221.66]:43586 "EHLO mail-wr1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728348AbeJVSAl (ORCPT ); Mon, 22 Oct 2018 14:00:41 -0400 Received: by mail-wr1-f66.google.com with SMTP id t10-v6so2598805wrn.10 for ; Mon, 22 Oct 2018 02:42:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brauner.io; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=KWKmse8a4tt4dj9gO+OCYFTgYGfwesV1BTfj6SJjFBc=; b=UHG4oHIoiAOS7ywsNzXbgzOKhA15XUX4qm7whkiX/wsrGBubLK5eRA/AB9DWcddRQj JGlhgNsAzHtfdb6QhyQLH4wQVPBnLmm1k31X3XwEAEH4hNuGUcWCcfBzrVRvXS9CCDlq IarInq/gxumNZoGQXRRy+nqKg1yz+VPQ6Kw4l/k3nOUmMK8XlaxGhLZHm7SGAmWpVT7O B8D13s3Vnda1/1ePf9U2KKfLEhh1uPIV+HVqiREEVqqrySaagmM07kIuthl8jWN7IJ+V FYedsg3q0MHEcQMcyeNl01qzEcjPGPZ5iBKwLrkXlqV29k0v0Oiki5uSyfYKFXKxzdfT Tcow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=KWKmse8a4tt4dj9gO+OCYFTgYGfwesV1BTfj6SJjFBc=; b=sVQFkHRcTFy/H4Cm3xYRvVJfXD56Zq9aFnK7YBwxjIzAeHlVEkD26qktzhEvtoUc7+ EIWLjYfLuyZ9QQPRqn+mDZulZutTAeXZBOD/6WLBMDo2/udnyhAppGmQfBxI0SNLSlPM EMpveP4S3NUpGUswRvBmdjXL/wwYHZUtJkFCu6s7TrUaFgTPURyvE4huXn4ZTljZPaNd j22btopmJ1CN9sYedhp5TSRQ7hxRJO8z7jU7TDuyJkvy1qQSvsgMp+4qaZSoSb79z2w6 vsy7iy1nb6Ll4WMq58YApkwZF4coQdOzyV24fiQ3mFDLyQ8qTXOkMu6iYUyrtnoCteQA 1Rjw== X-Gm-Message-State: ABuFfog9nIsB/JW60qxg0xKyZzUAZ8k84fGTj3056OAeig84Imir1TgV GlBTJgA9nVpZSb8v6WoICZw2eA== X-Received: by 2002:adf:b211:: with SMTP id u17-v6mr42714249wra.180.1540201371789; Mon, 22 Oct 2018 02:42:51 -0700 (PDT) Received: from brauner.io ([185.7.230.214]) by smtp.gmail.com with ESMTPSA id g186-v6sm11550570wmf.19.2018.10.22.02.42.47 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 22 Oct 2018 02:42:48 -0700 (PDT) Date: Mon, 22 Oct 2018 11:42:41 +0200 From: Christian Brauner To: Tycho Andersen Cc: Kees Cook , Jann Horn , Linux API , Linux Containers , Akihiro Suda , Oleg Nesterov , LKML , "Eric W . Biederman" , "linux-fsdevel@vger.kernel.org" , Christian Brauner , Andy Lutomirski Subject: Re: [PATCH v7 1/6] seccomp: add a return code to trap to userspace Message-ID: <20181022094240.mp7pd2m2abyttrfb@brauner.io> References: <20180927151119.9989-1-tycho@tycho.ws> <20180927151119.9989-2-tycho@tycho.ws> <20181017202933.GB14047@cisco> <20181021160437.GB25202@cisco> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20181021160437.GB25202@cisco> User-Agent: NeoMutt/20180716 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Oct 21, 2018 at 05:04:37PM +0100, Tycho Andersen wrote: > On Wed, Oct 17, 2018 at 03:21:02PM -0700, Kees Cook wrote: > > On Wed, Oct 17, 2018 at 1:29 PM, Tycho Andersen wrote: > > > On Thu, Sep 27, 2018 at 02:31:24PM -0700, Kees Cook wrote: > > >> On Thu, Sep 27, 2018 at 8:11 AM, Tycho Andersen wrote: > > >> > @@ -60,4 +62,29 @@ struct seccomp_data { > > >> > __u64 args[6]; > > >> > }; > > >> > > > >> > +struct seccomp_notif { > > >> > + __u16 len; > > >> > + __u64 id; > > >> > + __u32 pid; > > >> > + __u8 signaled; > > >> > + struct seccomp_data data; > > >> > +}; > > >> > + > > >> > +struct seccomp_notif_resp { > > >> > + __u16 len; > > >> > + __u64 id; > > >> > + __s32 error; > > >> > + __s64 val; > > >> > +}; > > >> > > >> So, len has to come first, for versioning. However, since it's ahead > > >> of a u64, this leaves a struct padding hole. pahole output: > > >> > > >> struct seccomp_notif { > > >> __u16 len; /* 0 2 */ > > >> > > >> /* XXX 6 bytes hole, try to pack */ > > >> > > >> __u64 id; /* 8 8 */ > > >> __u32 pid; /* 16 4 */ > > >> __u8 signaled; /* 20 1 */ > > >> > > >> /* XXX 3 bytes hole, try to pack */ > > >> > > >> struct seccomp_data data; /* 24 64 */ > > >> /* --- cacheline 1 boundary (64 bytes) was 24 bytes ago --- */ > > >> > > >> /* size: 88, cachelines: 2, members: 5 */ > > >> /* sum members: 79, holes: 2, sum holes: 9 */ > > >> /* last cacheline: 24 bytes */ > > >> }; > > >> struct seccomp_notif_resp { > > >> __u16 len; /* 0 2 */ > > >> > > >> /* XXX 6 bytes hole, try to pack */ > > >> > > >> __u64 id; /* 8 8 */ > > >> __s32 error; /* 16 4 */ > > >> > > >> /* XXX 4 bytes hole, try to pack */ > > >> > > >> __s64 val; /* 24 8 */ > > >> > > >> /* size: 32, cachelines: 1, members: 4 */ > > >> /* sum members: 22, holes: 2, sum holes: 10 */ > > >> /* last cacheline: 32 bytes */ > > >> }; > > >> > > >> How about making len u32, and moving pid and error above "id"? This > > >> leaves a hole after signaled, so changing "len" won't be sufficient > > >> for versioning here. Perhaps move it after data? > > > > > > Just to confirm my understanding; I've got these as: > > > > > > struct seccomp_notif { > > > __u32 len; /* 0 4 */ > > > __u32 pid; /* 4 4 */ > > > __u64 id; /* 8 8 */ > > > __u8 signaled; /* 16 1 */ > > > > > > /* XXX 7 bytes hole, try to pack */ > > > > > > struct seccomp_data data; /* 24 64 */ > > > /* --- cacheline 1 boundary (64 bytes) was 24 bytes ago --- */ > > > > > > /* size: 88, cachelines: 2, members: 5 */ > > > /* sum members: 81, holes: 1, sum holes: 7 */ > > > /* last cacheline: 24 bytes */ > > > }; > > > struct seccomp_notif_resp { > > > __u32 len; /* 0 4 */ > > > __s32 error; /* 4 4 */ > > > __u64 id; /* 8 8 */ > > > __s64 val; /* 16 8 */ > > > > > > /* size: 24, cachelines: 1, members: 4 */ > > > /* last cacheline: 24 bytes */ > > > }; > > > > > > in the next version. Since the structure has no padding at the end of > > > it, I think the Right Thing will happen. Note that this is slightly > > > different than what Kees suggested, if I add signaled after data, then > > > I end up with: > > > > > > struct seccomp_notif { > > > __u32 len; /* 0 4 */ > > > __u32 pid; /* 4 4 */ > > > __u64 id; /* 8 8 */ > > > struct seccomp_data data; /* 16 64 */ > > > /* --- cacheline 1 boundary (64 bytes) was 16 bytes ago --- */ > > > __u8 signaled; /* 80 1 */ > > > > > > /* size: 88, cachelines: 2, members: 5 */ > > > /* padding: 7 */ > > > /* last cacheline: 24 bytes */ > > > }; > > > > > > which I think will have the versioning problem if the next member > > > introduces is < 7 bytes. > > > > It'll be a problem in either place. What I was thinking was that > > specific versioning is required instead of just length. > > Euh, so I implemented this, and it sucks :). It's ugly, and generally > feels bad. > > What if instead we just get rid of versioning all together, and > instead introduce a u32 flags? We could have one flag right now > (SECCOMP_NOTIF_FLAG_SIGNALED), and use introduce others as we add more > information to the response. Then we can add > SECCOMP_NOTIF_FLAG_EXTRA_FOO, and add another SECCOMP_IOCTL_GET_FOO to > grab the info? > > FWIW, it's not really clear to me that we'll ever add anything to the > response since hopefully we'll land PUT_FD, so maybe this is all moot > anyway. I guess the only argument against a flag would be that you run out of bits quickly if your interface grows (cf. mount, netlink etc.). But this is likely not a concern here. I actually think that the way vfs capabilities are done is pretty nice. By accident or design they allow transparent translation between old and new formats in-kernel. So would be cool if we can have the same guarantee for this interface. Christian