Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp5278805imd; Tue, 30 Oct 2018 15:01:16 -0700 (PDT) X-Google-Smtp-Source: AJdET5f9qjHYp5D59/I34Mp4/prgXIaErj6Co+/UpWVgRDXfPHFcLS/ATIqwL4E+F2kTfYGAR7OL X-Received: by 2002:a62:ac18:: with SMTP id v24-v6mr495449pfe.126.1540936876532; Tue, 30 Oct 2018 15:01:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1540936876; cv=none; d=google.com; s=arc-20160816; b=JOKputmpDJIa4QUboYxGZ05R9gKVkfIZodSv4F9Ev9irC6kRNn4RB20klzOmPGdlX6 BimKR+y7P0O1LurrUebeGyXFsgJps+y5+bTwc2ux6P4BYptlvW2PqrK5vVjCbPypLlUO XXkhlU4sfygvyI44XHY0YPeZGAraEiGsWFkrbLjIVcsWXf6GGn/IXCmfcYZmuAneRUNL nRHZbDl+7h97fFD0GYYy9yW8NfV9hRWhK/PCHO3+Fzvl+NCTeQmvixduQHA5yNSr9XD4 2tjxRZ94QadIQD3qFWuOOVwtNo449PcHVPnSBjZIevnKA6c4rx+k49q1qni847Exuh+t R8Ag== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature; bh=Ie4VEMtorXQzSuqf1DMphjdt24z9SzsJCLFEUF8pqJk=; b=BhpGzbLbNljngWU7uiNEnT6pSCG2PDZOooCkBSuVjwNCWf6sWhRIen2DDXaRIOHneW di1gib3cHx4x8C4QPE2pYed89uXRVtioNmFxamC/4Obu3xuh7SDAGQRknHy6aufeVUIU BiH4lPiO9ypNfjHt6a2bXBvppxPQA/OqUJGr+tTRfyQnMJjasy02Tw+AkTnyRl0KtDeP jYqRNOj1Faz3g8GvHHu4kmwJBqY8e18dvLy6AMkehJzFwBHPdpo57q9xWfTKd5E8Zvoj 5u4XB+Th85/NzBOKEeb5FvGnsOX60IrdIg6jKNZDfUTf8wj+eTZ/q/Sx2YY+qRpW5tVy lstA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=Qf6j8Pgy; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 97-v6si1971075plm.244.2018.10.30.15.01.00; Tue, 30 Oct 2018 15:01:16 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=Qf6j8Pgy; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728205AbeJaGzg (ORCPT + 99 others); Wed, 31 Oct 2018 02:55:36 -0400 Received: from mail-yb1-f195.google.com ([209.85.219.195]:44195 "EHLO mail-yb1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727838AbeJaGzg (ORCPT ); Wed, 31 Oct 2018 02:55:36 -0400 Received: by mail-yb1-f195.google.com with SMTP id p144-v6so5730427yba.11 for ; Tue, 30 Oct 2018 15:00:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Ie4VEMtorXQzSuqf1DMphjdt24z9SzsJCLFEUF8pqJk=; b=Qf6j8PgyPsdDibELN7LhE60q/nYfcoMtfME6YiCSuLGerkM6SonG2Votfi6A+HcLN3 x+4qug/94+TwVg/E9y5v9YZ/UC0jfgl6eSyLZhnayGySnVwa8Fp4nkp32lXcZIrmvp0L wUcc+iBOUaQqqOd5e4bIpc0rDNP33bnVlxFu0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Ie4VEMtorXQzSuqf1DMphjdt24z9SzsJCLFEUF8pqJk=; b=Xkc/LFYOF79sYo49Ggk2/O9XxDxoE97gxFex3oKDoxEN6/o5WOvCH7pf7iKd4ludJF M4t2xwlVgrekd9RCy3elOSXbuzYmISxRBwtVqCQqeCheXWaMGcGDCWktoymVtRGedi0H 23qwSgMSCJWyftEKHHrhwQIlH6fhhuBLYfS66+iIifmJwdRux53TZ7z33kWrwB7hkck0 rnsbNLqtWbCQxtLOrMgResnn1pK9UvOm2CkD5x7r9iox9cpXfRc10JUHFW+AG5o5HtgI 0NgsHf/jljO0PhQuzflIA3LjelS6z6/zRFsiJEefnWyXWEwxoAutevsjuVk5xbwcCfTC rZEg== X-Gm-Message-State: AGRZ1gI4/OsgPvDWfL/e6IJ9dhReGYbvSbf4BsoIX4b7D2DX1BGNXiQJ 2SD/qZA/hmIrjLPlmDFqHxmrwi14cDc= X-Received: by 2002:a25:578b:: with SMTP id l133-v6mr560442ybb.3.1540936822021; Tue, 30 Oct 2018 15:00:22 -0700 (PDT) Received: from mail-yw1-f52.google.com (mail-yw1-f52.google.com. [209.85.161.52]) by smtp.gmail.com with ESMTPSA id v19-v6sm9885683ywv.19.2018.10.30.15.00.19 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 30 Oct 2018 15:00:19 -0700 (PDT) Received: by mail-yw1-f52.google.com with SMTP id d126-v6so5604267ywa.5 for ; Tue, 30 Oct 2018 15:00:19 -0700 (PDT) X-Received: by 2002:a0d:cd84:: with SMTP id p126-v6mr574179ywd.288.1540936818774; Tue, 30 Oct 2018 15:00:18 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a25:3990:0:0:0:0:0 with HTTP; Tue, 30 Oct 2018 15:00:17 -0700 (PDT) In-Reply-To: <20181030215404.GF7343@cisco> References: <20181029224031.29809-1-tycho@tycho.ws> <20181029224031.29809-2-tycho@tycho.ws> <20181030215404.GF7343@cisco> From: Kees Cook Date: Tue, 30 Oct 2018 15:00:17 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v8 1/2] seccomp: add a return code to trap to userspace To: Tycho Andersen Cc: Andy Lutomirski , Oleg Nesterov , "Eric W . Biederman" , "Serge E . Hallyn" , Christian Brauner , Tyler Hicks , Akihiro Suda , Aleksa Sarai , LKML , Linux Containers , Linux API Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 30, 2018 at 2:54 PM, Tycho Andersen wrote: > On Tue, Oct 30, 2018 at 02:49:21PM -0700, Kees Cook wrote: >> On Mon, Oct 29, 2018 at 3:40 PM, Tycho Andersen wrote: >> > * switch to a flags based future-proofing mechanism for struct >> > seccomp_notif and seccomp_notif_resp, thus avoiding version issues >> > with structure length (Kees) >> [...] >> > >> > +struct seccomp_notif { >> > + __u64 id; >> > + __u32 pid; >> > + __u32 flags; >> > + struct seccomp_data data; >> > +}; >> > + >> > +struct seccomp_notif_resp { >> > + __u64 id; >> > + __s64 val; >> > + __s32 error; >> > + __u32 flags; >> > +}; >> >> Hrm, so, what's the plan for when struct seccomp_data changes size? > > I guess my plan was don't ever change the size again, just use flags > and have extra state available via ioctl(). > >> I'm realizing that it might be "too late" for userspace to discover >> it's running on a newer kernel. i.e. it gets a user notification, and >> discovers flags it doesn't know how to handle. Do we actually need >> both flags AND a length? Designing UAPI is frustrating! :) > > :). I don't see this as such a big problem -- in fact it's better than > the length mode, where you don't know what you don't know, because it > only copied as much info as you could handle. Older userspace would > simply not use information it didn't know how to use. > >> Do we need another ioctl to discover the seccomp_data size maybe? > > That could be an option as well, assuming we agree that size would > work, which I thought we didn't? Size alone wasn't able to determine the layout of the seccomp_notif structure since it had holes (in the prior version). seccomp_data doesn't have holes and is likely to change in size (see the recent thread on adding the MPK register to it...) I'm trying to imagine the right API for this. A portable user of seccomp_notif expects the id/pid/flags/data to always be in the same place, but it's the size of seccomp_data that may change. So it wants to allocate space for seccomp_notif header and "everything else", of which is may only understand the start of seccomp_data (and ignore any new trailing fields). So... perhaps the "how big are things?" ioctl would report the header size and the seccomp_data size. Then both are flexible. And flags would be left as a way to "version" the header? Any Linux API list members want to chime in here? -- Kees Cook