Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp5574923ybl; Tue, 10 Dec 2019 08:10:24 -0800 (PST) X-Google-Smtp-Source: APXvYqxfKvjnlUsxFIK0vkQQNSQgWumAr9L/7/rX8+M5F/VAjzReZ3o7cQU25MnJIrELrrN5k+RY X-Received: by 2002:aca:cdd5:: with SMTP id d204mr4603098oig.134.1575994224262; Tue, 10 Dec 2019 08:10:24 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1575994224; cv=none; d=google.com; s=arc-20160816; b=CmN8SyXCghhFgIx3h6hW8RwSTg8kd46652591LJbdTNzx8O/DdiaOM1lLEIj0aD1TQ DlOZVTIWqCTvyf/ygviF++qm+Cdznp/ZM5cC4uQNfd7ieyhkwqy4+SNUOak3/k7lhSpI yMZ0Al+llWAznyz/Aeb4yHseSuYsJJ4j+UFpZh77w9B+LMy/rDy0/1rFlqVE8fXcEW5T rN5Ypu6bzkyS8QhZIcSWZa06y0FaH0RQx+Dy//ceP3jkXMOGt4RjwSWDCuqTb7HGYkzY Lie76ICKKyR/WIwkjc/ifgLnHOmYdF2nOyCY/g7E2bpU5kdyVo0RL3bskvylF0O9DIy3 CiOA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=i6trYcoHmNF55DJKEZoSP3sORTafU70ubqpo6VTXimk=; b=leNi2S9iIeqboD2VaUAwEXIF+tSYwYddoRrpiF0SAuHfh7Uvn3m3PYIzIpf/rqUeSG NqELxX5tcEVASW8vIt2qPm59QAljBvTibmnyyo37UsCdIOQwU8p7fJ2jnp2LczgbM2v8 bmE1miCDcLMFHu27GxvyVMr8AllY6ZmlMbjvl+5mBYwaeCY0FpBWQ8FSwzV0R7tdbuCg RBIoXoeKZuekij43PNoIePUzGNq6LDUqfqQ/slkijNK7Jc7LW53K6jzEvXuD1O0Fpn3M 4R0hKuNxoYD5nhO60p0DCx6qd57k7xsNZA/bPpVDMW/3MN+uYhLkuHQYS3DinVpxk2bm 5TUQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@sargun.me header.s=google header.b=PKmIyaMC; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z6si2014865oic.18.2019.12.10.08.10.10; Tue, 10 Dec 2019 08:10:24 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@sargun.me header.s=google header.b=PKmIyaMC; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727573AbfLJQIY (ORCPT + 99 others); Tue, 10 Dec 2019 11:08:24 -0500 Received: from mail-ed1-f66.google.com ([209.85.208.66]:46551 "EHLO mail-ed1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727541AbfLJQIX (ORCPT ); Tue, 10 Dec 2019 11:08:23 -0500 Received: by mail-ed1-f66.google.com with SMTP id m8so16411526edi.13 for ; Tue, 10 Dec 2019 08:08:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sargun.me; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=i6trYcoHmNF55DJKEZoSP3sORTafU70ubqpo6VTXimk=; b=PKmIyaMCl+YDFo8WSYlp7M/Aezgp7PzTLo/BE17x5sa+uME6zCTHydOQcDvM01zJju umUcaAg/M1OJOdJXaZFjOeCLJHXUdgATLyg7kQZzhq3cF75xvcjvWAm3EP+kWA9JqjwN 7NEG7VSHVsswDicQCKImpdcmCrTRrY0D7KLck= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=i6trYcoHmNF55DJKEZoSP3sORTafU70ubqpo6VTXimk=; b=JUS+ORCrNnYULGr3zHHEQjFSY8GUWkv4cX1ZTRoyo3bJaJodvWL0tsZcUA4EFuPFsP 3EowR2F2M8f9u5Sb3NnMVQQjpeTMpj1Unu8R2YSv3Y8eMAUJhlOKiBQbUaxB2bSeTWi7 +JR5y090f2Gl83YSLVZVWP6ZEhlW0/iDDMn8VLWWaxNqPYQ0ftSEIyVFcDciJQcwwcZJ oUUJH3I9zWRipTHlQWQY42eVnCHyVZLBXueCtFwxsNUSrJMRPUbOjrLPZmgFN5g0VJih urorvrawV/Zvd3wxZThva4bQ/yRNw/ZT6+5wubw5agQxWf1uJzt/J51bcqHMk7q/Z2Sb kUGQ== X-Gm-Message-State: APjAAAX1quApyjrCcdyyUk9n+bY1noGqTOk0ASbL/1ugBiP1+S5oF+di ZGacDcSc+ih0ngNbWtb1pjl9hAFk/JAKXm9WoES+tg== X-Received: by 2002:a17:906:6d52:: with SMTP id a18mr4567499ejt.52.1575994101055; Tue, 10 Dec 2019 08:08:21 -0800 (PST) MIME-Version: 1.0 References: <20191209070646.GA32477@ircssh-2.c.rugged-nimbus-611.internal> <20191209192959.GB10721@redhat.com> <20191209204635.GC10721@redhat.com> <20191210111051.j5opodgjalqigx6q@wittgenstein> In-Reply-To: <20191210111051.j5opodgjalqigx6q@wittgenstein> From: Sargun Dhillon Date: Tue, 10 Dec 2019 08:07:45 -0800 Message-ID: Subject: Re: [PATCH v2 4/4] samples: Add example of using PTRACE_GETFD in conjunction with user trap To: Christian Brauner Cc: Oleg Nesterov , LKML , Linux Containers , Linux API , linux-fsdevel@vger.kernel.org, Tycho Andersen , Jann Horn , cyphar@cyphar.com, Andy Lutomirski , viro@zeniv.linux.org.uk, Jed Davis , Gian-Carlo Pascutto , =?UTF-8?Q?Emilio_Cobos_=C3=81lvarez?= , Florian Weimer Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Dec 10, 2019 at 3:10 AM Christian Brauner wrote: > > [I'm expanding the Cc to a few Firefox and glibc people since we've been > been talking about replacing SECCOMP_RET_TRAP with > SECCOMP_RET_USER_NOTIF for a bit now because the useage of > SECCOMP_RET_TRAP in the broker blocks desirable core glibc changes. > Even if just for their lurking pleasure. :)] > > On Mon, Dec 09, 2019 at 09:46:35PM +0100, Oleg Nesterov wrote: > > On 12/09, Christian Brauner wrote > > > > I agree, and I won't really argue... > > > > but the changelog in 2/4 says > > > > The requirement that the tracer has attached to the tracee prior to the > > capture of the file descriptor may be lifted at a later point. > > > > so may be we should do this right now? > > I think so, yes. This doesn't strike me as premature optimization but > rather as a core design questions. > > > > > plus this part > > > > @@ -1265,7 +1295,8 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr, > > } > > > > ret = ptrace_check_attach(child, request == PTRACE_KILL || > > - request == PTRACE_INTERRUPT); > > + request == PTRACE_INTERRUPT || > > + request == PTRACE_GETFD); > > > > actually means "we do not need ptrace, but we do not know where else we > > can add this fd_install(get_task_file()). > > Right, I totally get your point and I'm not a fan of this being in > ptrace() either. > > The way I see is is that the main use-case for this feature is the > seccomp notifier and I can see this being useful. So the right place to > plumb this into might just be seccomp and specifically on to of the > notifier. > If we don't care about getting and setting fds at random points of > execution it might make sense to add new options to the notify ioctl(): > > #define SECCOMP_IOCTL_NOTIF_GET_FD SECCOMP_IOWR(3, ) > #define SECCOMP_IOCTL_NOTIF_SET_FD SECCOMP_IOWR(4, ) > > which would let you get and set fds while the supervisee is blocked. > > Christian Doesn't SECCOMP_IOCTL_NOTIF_GET_FD have some ambiguity to it? Specifically, because multiple processes can have the same notifier attached to them? If we choose to go down the route of introducing an ioctl (which I'm not at all opposed to), I would rather do it on pidfd. We can then plumb seccomp notifier to send pidfd instead of raw pid. In the mean time, folks can just open up /proc/${PID}, and do the check cookie dance. Christian, As the maintainer of pidfd, what do you think?