Date: Fri, 1 Mar 2019 07:53:41 -0700
From: Tycho Andersen
To: "Michael Kerrisk (man-pages)"
Cc: "Serge E. Hallyn", linux-man@vger.kernel.org, Kees Cook, Linux API,
    lkml, Andy Lutomirski, Jann Horn, Oleg Nesterov, Christian Brauner,
    "Eric W. Biederman", Containers, Aleksa Sarai, Tyler Hicks, Akihiro Suda
Subject: Re: [PATCH 2/2] seccomp.2: document userspace notification
Message-ID: <20190301145341.GD7413@cisco>
References: <20181213001106.15268-1-tycho@tycho.ws>
    <20181213001106.15268-3-tycho@tycho.ws>
    <2cea5fec-e73e-5749-18af-15c35a4bd23c@gmail.com>

On Thu, Feb 28, 2019 at 02:25:55PM +0100, Michael Kerrisk (man-pages) wrote:
> >      7. The monitoring process can use the information in the
> >         'struct seccomp_notif' to make a determination about the
> >         system call being made by the target process. This
> >         structure includes a 'data' field that is the same
> >         'struct seccomp_data' that is passed to a BPF filter.
> >
> >         In addition, the monitoring process may make use of other
> >         information that is available from user space. For example,
> >         it may inspect the memory of the target process (whose PID
> >         is provided in the 'struct seccomp_notif') using
> >         /proc/PID/mem, which includes inspecting the values
> >         pointed to by system call arguments (whose location is
> >         available 'seccomp_notif.data.args'). However, when using
> >         the target process PID in this way, one must guard against
> >         PID re-use race conditions using the seccomp()
> >         SECCOMP_IOCTL_NOTIF_ID_VALID operation.
> >
> >      8. Having arrived at a decision about the target process's
> >         system call, the monitoring process can inform the kernel
> >         of its decision using the operation
> >
> >             ioctl(listenfd, SECCOMP_IOCTL_NOTIF_SEND, respptr)
> >
> >         where the third argument is a pointer to a
> >         'struct seccomp_notif_resp'. [Some more details
> >         needed here, but I still don't yet understand fully
> >         the semantics of the 'error' and 'val' fields.]
>
> So clearly, I misunderstood these last two steps.
>
> (7) is something like: discover information in userspace
>     as required; perform userspace actions if appropriate
>     (perhaps doing the system call operation "on behalf of" the
>     target process).
>
>
> (8) is something like:
>     set 'error' and 'val' to return info to the target process:
>     * error != 0 ==> make it look like the syscall failed,
>                      with 'errno' set to that value
>     * error == 0 ==> make it look like the syscall succeeded
>                      and returned 'val'
>
> Right?

Yep, exactly.

Tycho
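Steps 7 and 8 as discussed above, sketched from the monitor's side as an added example (not code from this thread or from the man page draft). The helper names `read_target_string`, `fill_resp` and `send_resp` are hypothetical; the sketch assumes kernel headers that provide the `SECCOMP_IOCTL_NOTIF_*` definitions and follows the kernel convention that a spoofed failure is passed as a negative errno value in 'error'.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/seccomp.h>

/* Step 7: copy a string argument out of the target via /proc/PID/mem.
 * The ID_VALID check runs after open(): if the notification is still live,
 * memfd is pinned to the real target and not to a process that recycled
 * the PID. Returns 0 on success, -1 on any failure. */
int read_target_string(int listenfd, const struct seccomp_notif *req,
                       int argno, char *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof(path), "/proc/%d/mem", (int)req->pid);
    int memfd = open(path, O_RDONLY | O_CLOEXEC);
    if (memfd < 0)
        return -1;
    if (ioctl(listenfd, SECCOMP_IOCTL_NOTIF_ID_VALID, &req->id) < 0) {
        close(memfd);               /* target died or PID was reused */
        return -1;
    }
    ssize_t n = pread(memfd, buf, len - 1, (off_t)req->data.args[argno]);
    close(memfd);
    if (n <= 0)
        return -1;
    buf[n] = '\0';                  /* never trust the target to terminate */
    return 0;
}

/* Step 8: result < 0 is taken as -errno (e.g. -EACCES) and spoofs a failed
 * syscall; result >= 0 spoofs success with that return value in 'val'. */
void fill_resp(struct seccomp_notif_resp *resp,
               const struct seccomp_notif *req, long result)
{
    memset(resp, 0, sizeof(*resp));
    resp->id = req->id;             /* must echo the notification's id */
    if (result < 0)
        resp->error = (int)result;
    else
        resp->val = result;
}

/* Hands the decision to the kernel; returns the ioctl() result. */
int send_resp(int listenfd, struct seccomp_notif_resp *resp)
{
    return ioctl(listenfd, SECCOMP_IOCTL_NOTIF_SEND, resp);
}
```
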