Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp5273983imd; Tue, 30 Oct 2018 14:55:27 -0700 (PDT) X-Google-Smtp-Source: AJdET5dwYibuegTJ8WisHC07IC9/s0bFfUs3GqHHsnb6+cviJG9w8WZtD9GmYYofYbllcKvRbB1u X-Received: by 2002:a63:cc51:: with SMTP id q17-v6mr419241pgi.291.1540936526944; Tue, 30 Oct 2018 14:55:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1540936526; cv=none; d=google.com; s=arc-20160816; b=ciVPLZ1FP8bJSy/BdPQXo+VDazQHyUzYR5SYL0gE21Dm0Hqb/INrMcRIlZP6ZrHx0k +bfdoQCKPmH/iWcZhBTFwT/sd1Bk0wn+s1/3BaX4I/yD5Frcji7vHF2Vb0JlUU9MyfDJ leVI0iIFiBi3IUpI65BJYemVgVFsWMbWJcxPaTIWjGGV9ARsTXVmvp2fSumA974vCdeG FNei2cbEwQuora2iAxNXLpysu6TtVAHefLdNr6ViLY3+hV/D0kD9V9QwQzoTCtUuSPuC jDqsE5CScmd7k94EVheJbDKY1abObNXnTO24Jlazy9rxFDdMmwwpMgQ95iMfpqzYrP+J 1zCQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=Rew2gv4nVpDtTMnjKCCNmg5kcJfYNGTT9ybPrEx+zJQ=; b=yTi1ukucDrbgvL523ZycBum8WDD+rQVi31vvdnoE+Y4t68D9g52M8tEz2xLFg+0oj9 +z52riJxtI7nKX9cyaSrhCnfVxZ5D0qfKMLdmrp/XPfxPS5K0brJ43BwwuXXvfn3qR03 S7mzozTnhYLSOf3KtogutU74s2sKYkzsQK95l3R18ihgx4yGcUQ2kJGnIHaALlXinJ7l LICRTmgnPJsb0n8ukIYWbZJI6IZQO1cpKGidkeZmfXoETTVWyQv5xIwQaOCjm/tm1CuZ p3hUsyd5kb/DpNRlfDckaeE/lRJpKIOzsnr42nxIbLxyayN99FWT7bbPXEOR8ApCnLLc nN3Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@tycho-ws.20150623.gappssmtp.com header.s=20150623 header.b=y30ofgft; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i5-v6si24993542pgg.559.2018.10.30.14.55.10; Tue, 30 Oct 2018 14:55:26 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@tycho-ws.20150623.gappssmtp.com header.s=20150623 header.b=y30ofgft; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728098AbeJaGtU (ORCPT + 99 others); Wed, 31 Oct 2018 02:49:20 -0400 Received: from mail-pg1-f196.google.com ([209.85.215.196]:43943 "EHLO mail-pg1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725743AbeJaGtU (ORCPT ); Wed, 31 Oct 2018 02:49:20 -0400 Received: by mail-pg1-f196.google.com with SMTP id n10-v6so6311822pgv.10 for ; Tue, 30 Oct 2018 14:54:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tycho-ws.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=Rew2gv4nVpDtTMnjKCCNmg5kcJfYNGTT9ybPrEx+zJQ=; b=y30ofgftD0wIeQyusVx0RfEuXqttEXrfgimH/kIKElSYpGPd+eTZWstqQPjcWcbEat a6AgsyGckFFVgcaNoneYihXEWf8Uk7c7sCtZAoZdNx4WfhPj+9qbPODLd+n7EdVzLF2C sA+9J/Al0oFrfKkxskDlAqwoQ5PHAzlT87RhRfrZS6KaocRnb4Rd0vEPH70NpNEbAxAn uBG1yVG3Q1Vy29entfqF/rbEJxNI6jhwpACjyr3tA9CRx6vZZTGLWgBCNjfShR1p8ZKu 4GjwOTGoumN829cd/+BA8HFLoUGs03eA4FNhCf7G082xHWEXR4zYK4jbzE9qrOhk2Q/h TNTw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=Rew2gv4nVpDtTMnjKCCNmg5kcJfYNGTT9ybPrEx+zJQ=; b=WaMrjw79gh2BuYEGcpXC49oCYMU6AjxnDMJOYY7nzacRCepMig/uJR9RJiRFxLo1hp sFNwFfv7cMm4mKydJoGzWZ7DQ3+A82E+8xirzEeB47B3fHypkcpZ99sLzrpHlfCU8V3j QmncbzIH9vhbPvuL0f65siUiAon+IfpyGv1QLiKi5ugfSHU9Rbs02ljqH3N6nVm9Uwof SUqmPAt3tPvDYhgqVsfG/8W0sjrYUYz2kbafaM55g/wMCENnQeA5FdFlHKDk2vEZPfiu uwOQwbjbTa8Bp/MmjbHQADfZnv0kDFRk+U92TTAkNaRglvGyE6KGXFr2UzS3OOVeM9lc z6ZQ== X-Gm-Message-State: AGRZ1gL+NgePr40+Im4M8511DGgsnBSRq9kYV2lt3ybT0jF8mHoSnTkQ kTnCp+RI2xSovX7yVJ7hkAC0LQ== X-Received: by 2002:a63:2586:: with SMTP id l128mr475518pgl.104.1540936448037; Tue, 30 Oct 2018 14:54:08 -0700 (PDT) Received: from cisco ([128.107.241.161]) by smtp.gmail.com with ESMTPSA id d2-v6sm44579313pfj.122.2018.10.30.14.54.06 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Tue, 30 Oct 2018 14:54:07 -0700 (PDT) Date: Tue, 30 Oct 2018 15:54:04 -0600 From: Tycho Andersen To: Kees Cook Cc: Andy Lutomirski , Oleg Nesterov , "Eric W . Biederman" , "Serge E . Hallyn" , Christian Brauner , Tyler Hicks , Akihiro Suda , Aleksa Sarai , LKML , Linux Containers , Linux API Subject: Re: [PATCH v8 1/2] seccomp: add a return code to trap to userspace Message-ID: <20181030215404.GF7343@cisco> References: <20181029224031.29809-1-tycho@tycho.ws> <20181029224031.29809-2-tycho@tycho.ws> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.9.4 (2018-02-28) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 30, 2018 at 02:49:21PM -0700, Kees Cook wrote: > On Mon, Oct 29, 2018 at 3:40 PM, Tycho Andersen wrote: > > * switch to a flags based future-proofing mechanism for struct > > seccomp_notif and seccomp_notif_resp, thus avoiding version issues > > with structure length (Kees) > [...] > > > > +struct seccomp_notif { > > + __u64 id; > > + __u32 pid; > > + __u32 flags; > > + struct seccomp_data data; > > +}; > > + > > +struct seccomp_notif_resp { > > + __u64 id; > > + __s64 val; > > + __s32 error; > > + __u32 flags; > > +}; > > Hrm, so, what's the plan for when struct seccomp_data changes size? I guess my plan was don't ever change the size again, just use flags and have extra state available via ioctl(). > I'm realizing that it might be "too late" for userspace to discover > it's running on a newer kernel. i.e. it gets a user notification, and > discovers flags it doesn't know how to handle. Do we actually need > both flags AND a length? Designing UAPI is frustrating! :) :). I don't see this as such a big problem -- in fact it's better than the length mode, where you don't know what you don't know, because it only copied as much info as you could handle. Older userspace would simply not use information it didn't know how to use. > Do we need another ioctl to discover the seccomp_data size maybe? That could be an option as well, assuming we agree that size would work, which I thought we didn't? Tycho