Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2912602imu; Thu, 29 Nov 2018 12:15:03 -0800 (PST) X-Google-Smtp-Source: AFSGD/XuSG7DZ2uNiskincyNW5C9R76cYXpEpjf6C3I/bqx/LXX9dTlq/1Cz2/VvsCX+iRlx4RVM X-Received: by 2002:a63:ac1a:: with SMTP id v26mr2452825pge.293.1543522503887; Thu, 29 Nov 2018 12:15:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543522503; cv=none; d=google.com; s=arc-20160816; b=aytbZQzpoNb1cgTO+Nlg+tUhTQ3t9MRIORi7PUmtmHGY4IaMsXSdP8oPvOn9m4HW5r Isfw/syzQQKdOrtQUTqgSZPGfHGltjwLkx7OyMQKdAzq8MQFLLmyvMGVxNMyodmeSKHp 0Rq9JTgm/7rSp5B4Ld1M80AKEdT7GLSQBeAOSh1Qq1+cMRTnKAbv0sYYvu675qVPCJhU Q3ukxef5NLrGWIwSOrQ+tAdfBbO7OkxzSw9sHipH8xC65GMap/4KgoHedYK/3vmBc+K2 vYXGf7PSEW/rgrHFqwD8W6g30ypu330FJCZz6j9auFQgzUpTD0k5tI+is3rxs8MrX9CO eNlA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version:dkim-signature; bh=PqVghbOFRW+RL+62Q8UBfCV6NeETGXcgNZP9Hlz2w4c=; b=bUq5xHcmZrIUirW3e2AFNvjY5cguZGZu2hoyqiiMl5fTRB3eUAXLFjcoWhdbHm+4uX dBXgoCjdDIsYpozLDgCOcmjs7Z939yoE1XoLVkz1ByxTNaKTMHno6WkWBcBgSIkdjhMO W63a2jXbnB2kC62WAjFWxsh8qF3lVxX3BNxp4cpmfmT9I6UPV+PGuJl9woP2+8bwAQJ0 WUMZWGe/UULeari5edYduklhLLmSjQyIpaNIF4omMlrE94Od8cI3NMeO/gR00eCukhWM qPR1cn8MH42VSMmpT43nkZpjnEOtM4fNYUcF6jcxe4T3sPiaBfPWB1T8jxl8qHN+/YmV Ke+Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=AkqqJqsz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k15si2587149pgi.99.2018.11.29.12.14.48; Thu, 29 Nov 2018 12:15:03 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=AkqqJqsz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726766AbeK3HUo (ORCPT + 99 others); Fri, 30 Nov 2018 02:20:44 -0500 Received: from mail-pf1-f196.google.com ([209.85.210.196]:34327 "EHLO mail-pf1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726019AbeK3HUo (ORCPT ); Fri, 30 Nov 2018 02:20:44 -0500 Received: by mail-pf1-f196.google.com with SMTP id h3so1586082pfg.1 for ; Thu, 29 Nov 2018 12:14:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=PqVghbOFRW+RL+62Q8UBfCV6NeETGXcgNZP9Hlz2w4c=; b=AkqqJqszkWE7DWc7uxHOyQ0GbQqnm52sZKwHuc6m9jVssftPDnUqDGJ9sAro6Dc9kj jooRtP2avmXSLvZpdTksIzvbQjtOFbTcw7oECJrUm/u4YAIRofGUcsHRRq30owXtEf/v c0zMte1woW3Uk29K9PcJFtKoEYfYCnhtWJbsb8fLfyRiuIqsWB6JM2J97CxZw5nLa6Du xrK08LUyWtSli0kAri/KKLINClb/8HkBbeY5bsiuOwMH0l0ODS/Gwb9QTcTlKnkfoYg0 l5Z4fLyXunLnYfCixe8C8p38UlYlzLm5PH/EAORChFGCYMs+kLuHiFmi+g/lSCxym0Mg nzaQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=PqVghbOFRW+RL+62Q8UBfCV6NeETGXcgNZP9Hlz2w4c=; b=ZJD+rJbWrvXWZgIIePRGMRFOsYe49ctYwOJ4KeMP4cuOOe1PuHXWSsAvvCkekLHxe3 uNbi3380UnGwqrLm71Eu3DIQwdqEYx2gbGlN+oWHmhLoaArL6kWewv2qraV2TW4Lg0mQ TKqGfE9HLsTpf0hwsH1DssbcmjwWYDIepcykKL/e5GE1BXKv/2V/iQFKl20/kjll7PHJ CFXFzv+VR1yu0XPogP47/YyNHGYv9nI+QoDwKcAbZEBHNNttTo6hIj8l01tSPRkqWWvU zpxskLDPTz/xVosmNWLQNLyDJYAKWVFhAnWu8Z9plZjgmT/oIqeJ3atfT0vti/crcCzB No6g== X-Gm-Message-State: AA+aEWa0R7y8y4BRIoAzXoIlfrID32JAWTz9L3zD4l0zFnGKLhCadQgY VBM10OEEnkoE9tdOrWK1s9t0zg== X-Received: by 2002:a62:b24a:: with SMTP id x71mr2851032pfe.148.1543522446987; Thu, 29 Nov 2018 12:14:06 -0800 (PST) Received: from ?IPv6:2601:646:c200:7429:e849:445a:3b20:40b8? ([2601:646:c200:7429:e849:445a:3b20:40b8]) by smtp.gmail.com with ESMTPSA id x2sm7403517pfx.78.2018.11.29.12.14.05 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 29 Nov 2018 12:14:06 -0800 (PST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (1.0) Subject: Re: [PATCH v2] signal: add procfd_signal() syscall From: Andy Lutomirski X-Mailer: iPhone Mail (16B92) In-Reply-To: <20181129195551.woe2bl3z3yaysqb6@brauner.io> Date: Thu, 29 Nov 2018 12:14:05 -0800 Cc: Andy Lutomirski , Florian Weimer , "Eric W. Biederman" , LKML , "Serge E. Hallyn" , Jann Horn , Andrew Morton , Oleg Nesterov , Aleksa Sarai , Al Viro , Linux FS Devel , Linux API , Daniel Colascione , Tim Murray , linux-man , Kees Cook Content-Transfer-Encoding: quoted-printable Message-Id: <6E21165F-2C76-4877-ABD9-0C86D55FD6AA@amacapital.net> References: <20181120105124.14733-1-christian@brauner.io> <87in0g5aqo.fsf@oldenburg.str.redhat.com> <36323361-90BD-41AF-AB5B-EE0D7BA02C21@amacapital.net> <993B98AC-51DF-4131-AF7F-7DA2A7F485F1@brauner.io> <20181129195551.woe2bl3z3yaysqb6@brauner.io> To: Christian Brauner Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Nov 29, 2018, at 11:55 AM, Christian Brauner wro= te: >=20 >> On Thu, Nov 29, 2018 at 11:22:58AM -0800, Andy Lutomirski wrote: >>> On Thu, Nov 29, 2018 at 11:17 AM Christian Brauner wrote: >>>=20 >>>> On November 30, 2018 5:54:18 AM GMT+13:00, Andy Lutomirski wrote: >>>>=20 >>>>=20 >>>>> On Nov 29, 2018, at 4:28 AM, Florian Weimer >>>> wrote: >>>>>=20 >>>>> Disclaimer: I'm looking at this patch because Christian requested it. >>>>> I'm not a kernel developer. >>>>>=20 >>>>> * Christian Brauner: >>>>>=20 >>>>>> diff --git a/arch/x86/entry/syscalls/syscall_32.tbl >>>> b/arch/x86/entry/syscalls/syscall_32.tbl >>>>>> index 3cf7b533b3d1..3f27ffd8ae87 100644 >>>>>> --- a/arch/x86/entry/syscalls/syscall_32.tbl >>>>>> +++ b/arch/x86/entry/syscalls/syscall_32.tbl >>>>>> @@ -398,3 +398,4 @@ >>>>>> 384 i386 arch_prctl sys_arch_prctl >>>> __ia32_compat_sys_arch_prctl >>>>>> 385 i386 io_pgetevents sys_io_pgetevents >>>> __ia32_compat_sys_io_pgetevents >>>>>> 386 i386 rseq sys_rseq __ia32_sys_rseq >>>>>> +387 i386 procfd_signal sys_procfd_signal >>>> __ia32_compat_sys_procfd_signal >>>>>> diff --git a/arch/x86/entry/syscalls/syscall_64.tbl >>>> b/arch/x86/entry/syscalls/syscall_64.tbl >>>>>> index f0b1709a5ffb..8a30cde82450 100644 >>>>>> --- a/arch/x86/entry/syscalls/syscall_64.tbl >>>>>> +++ b/arch/x86/entry/syscalls/syscall_64.tbl >>>>>> @@ -343,6 +343,7 @@ >>>>>> 332 common statx __x64_sys_statx >>>>>> 333 common io_pgetevents __x64_sys_io_pgetevents >>>>>> 334 common rseq __x64_sys_rseq >>>>>> +335 64 procfd_signal __x64_sys_procfd_signal >>>>>>=20 >>>>>> # >>>>>> # x32-specific system call numbers start at 512 to avoid cache >>>> impact >>>>>> @@ -386,3 +387,4 @@ >>>>>> 545 x32 execveat __x32_compat_sys_execveat/ptregs >>>>>> 546 x32 preadv2 __x32_compat_sys_preadv64v2 >>>>>> 547 x32 pwritev2 __x32_compat_sys_pwritev64v2 >>>>>> +548 x32 procfd_signal __x32_compat_sys_procfd_signal >>>>>=20 >>>>> Is there a reason why these numbers have to be different? >>>>>=20 >>>>> (See the recent discussion with Andy Lutomirski.) >>>>=20 >>>> Hah, I missed this part of the patch. Let=E2=80=99s not add new x32 sy= scall >>>> numbers. >>>>=20 >>>> Also, can we perhaps rework this a bit to get rid of the compat entry >>>> point? The easier way would be to check in_compat_syscall(). The nicer= >>>> way IMO would be to use the 64-bit structure for 32-bit as well. >>>=20 >>> Do you have a syscall which set precedence/did this before I could look a= t? >>> Just if you happen to remember one. >>> Fwiw, I followed the other signal syscalls. >>> They all introduce compat syscalls. >>>=20 >>=20 >> Not really. >>=20 >> Let me try to explain. I have three issues with the approach in your pat= chset: >>=20 >> 1. You're introducing a new syscall, and it behaves differently on >> 32-bit and 64-bit because the structure you pass in is different. >> This is necessary for old syscalls where compatibility matters, but >> maybe we can get rid of it for new syscalls. Could we define a >> siginfo64_t that is identical to the 64-bit siginfo_t and just use >> that in all cases? >>=20 >> 2. Assuming that #1 doesn't work, then we need compat support. But >> you're doing it by having two different entry points. Instead, you >> could have a single entry point that calls in_compat_syscall() to >> decide which structure to read. This would simplify things because >> x86 doesn't really support the separate compat entry points, which >> leads me to #3. >>=20 >> 3. The separate x32 numbers are a huge turd that may have security >> holes and certainly have comprehensibility holes. I will object to >> any patch that adds a new one (like yours). Fixing #1 or #2 makes >> this problem go away. >>=20 >> Does that make any sense? The #2 fix would be something like: >>=20 >> if (in_compat_syscall) >> copy...user32(); >> else >> copy_from_user(); >>=20 >> The #1 fix would add a copy_siginfo_from_user64() or similar. >=20 > Thanks very much! That all helped a bunch already! I'll try to go the > copy_siginfo_from_user64() way first and see if I can make this work. If > we do this I would however only want to use it for the new syscall first > and not change all other signal syscalls over to it too. I'd rather keep > this patchset focussed and small and do such conversions caused by the > new approach later. Does that sound reasonable? Absolutely. I don=E2=80=99t think we can change old syscalls =E2=80=94 the A= BI is set in stone. But for new syscalls, I think the always-64-bit behavior= makes sense.=