Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp3532653ybf;
        Tue, 3 Mar 2020 07:38:58 -0800 (PST)
X-Google-Smtp-Source: ADFU+vs4GB//r7bGsbMmlX2QG/tXEYXdFHZ1nWYqAj7DVePWOvhLqolDeLtsMUHn7UENOCxyNSJR
X-Received: by 2002:a05:6830:104d:: with SMTP id b13mr3471742otp.42.1583249938082;
        Tue, 03 Mar 2020 07:38:58 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1583249938; cv=none;
        d=google.com; s=arc-20160816;
        b=Bb7KoK+01nBdo+kGqe1krsn+2CXF1jVy1/7M6AZgXsOaoxPeapnbgev6TA79vjikCm
         gwqMIJ67zeU/SFZc14AWL9HL3DNIow9ebZfyCJ2esvkhZtIGNFw0M7bgvRoM8nXXG/qP
         +M7lDOOhKVir357Z0XNO7L0InXrMxsujDm9HkcNG0Zy/+f38lAPxXiXeygxsm/bs7Xy8
         ptW0NiYy/wN6JKQ6cz5suOjPQZLQajWZDa6F09rGtfxFaG9RaFpVbw2qkin32UE+kaOo
         /H1P7UI3zvW/ZempZUSRbsOz0kL/5bIDDm3zGg+OFZ9p7WXMKF/pTDafMtieg92eVx+Q
         UuXg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=fI36G/uNvKx+9em/Fb6KNNLc+Pcmg8HngIG58Zd5Bs0=;
        b=qp+KPC9nYttxaLvdG47oRfRXpxUdXUNMwRrx9geqo3a2rEIaijYrGWhNQ67E/H5I3l
         EzBy7eRYcsXic7iob/X56JCWma4b/BNT8ZSM1bsAc8BBkJv48gmp6eYQttOL90wjqBD7
         nlh7Azk7bB1gLcYw4Trcqsyc9rytVU+QocN3I86EE06RDHNYtHUA36O67gltE+fdnvMg
         s0ny4N22+vAu9dfCp7fV9tAP4JYonALj/DCmnqS4X9mg02aztQ1lbLKmK6i7bcrJTuHs
         8neQm/FbThxEdvHZHMNdAad93Nixl3BlOALqiKOoY2WgHRPwGWC5ewbxtjS8huZpExIQ
         8OAw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@tycho-ws.20150623.gappssmtp.com header.s=20150623 header.b=SGsrGjLu;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id o6si7632308oic.34.2020.03.03.07.38.25;
        Tue, 03 Mar 2020 07:38:58 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@tycho-ws.20150623.gappssmtp.com header.s=20150623 header.b=SGsrGjLu;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728924AbgCCO4m (ORCPT <rfc822;ulfalizer@gmail.com> + 99 others);
        Tue, 3 Mar 2020 09:56:42 -0500
Received: from mail-io1-f65.google.com ([209.85.166.65]:33684 "EHLO
        mail-io1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726079AbgCCO4l (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Mar 2020 09:56:41 -0500
Received: by mail-io1-f65.google.com with SMTP id r15so3920320iog.0
        for <linux-kernel@vger.kernel.org>; Tue, 03 Mar 2020 06:56:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=tycho-ws.20150623.gappssmtp.com; s=20150623;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=fI36G/uNvKx+9em/Fb6KNNLc+Pcmg8HngIG58Zd5Bs0=;
        b=SGsrGjLuucyjNPy56WlED0A/hHbh6zFQXdmMsXJn+8s4bETmyO3nLcYzinbl/ngv+8
         IVKhqaOlqrRKDviqybo8oORit6u91nGx/5vVDjBs0/tD6eZgDmofo2eq8Bo2gGZcT1xY
         +t9xxU/5y3XRc3m0rgzn4quxb+9h/ryIW1vMz4ckmA4gVb/AdsO6VAHSNTNELSps/IVn
         SHCqqyzQvCyt6M671NE0lay/rsZnAO2e3mGPSqbcC1r2pnKg6zXQYNTsTP0+DeuSMd6P
         G0k1DIJGkebMvuotzhR3v44hLe+VY1RllkvovDIlo1F5B+yOi419w1Zb7TtZwYbOotlC
         8Ltg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=fI36G/uNvKx+9em/Fb6KNNLc+Pcmg8HngIG58Zd5Bs0=;
        b=bAlYhwsqy+n2ez6Q7uY4ee6tzF4TcwSKcEvID7ZJVKixsGrKN6AQK9Uuj5H70BLHHE
         IFNvhdEmIqGX9Ku6C6r9lyxixpmVPJeCWhOyrP9dYcRIQsbbIrEQptTvwILIO6zaB5K9
         4RezBFB4saKIEqb2P+i0EnqvOZBgVv/Tf+d4QKxeseO1Y9ZaXELcJ0EuGeDq9kqQ4w07
         7H4KWKtQt6AX4paKPsth+jIqOUbXzEjb100t1E1aCPll6SurMBk54eg4bPoh/JLYiHAl
         Ny6GcoRqWoG+B750f1+SAJQ4vDQNq2eNLT5M7047umAa5gFxxTFupYgYfssaG4mVgghO
         DRHw==
X-Gm-Message-State: ANhLgQ2WByHE7Jpyd/6jfx5AbdrdhA9qoqdbiNn+7kyzvibspbqjXJki
        9mbMkkd8GhK1EkHz9X41tZrT99Vuerg=
X-Received: by 2002:a5e:c603:: with SMTP id f3mr4216930iok.250.1583247398211;
        Tue, 03 Mar 2020 06:56:38 -0800 (PST)
Received: from cisco ([2601:282:902:b340:5dcb:1549:835e:4d6d])
        by smtp.gmail.com with ESMTPSA id z63sm8001645ilk.44.2020.03.03.06.56.36
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 03 Mar 2020 06:56:37 -0800 (PST)
Date:   Tue, 3 Mar 2020 07:56:35 -0700
From:   Tycho Andersen <tycho@tycho.ws>
To:     Kees Cook <keescook@chromium.org>
Cc:     linux-kernel@vger.kernel.org, Matthew Denton <mpdenton@google.com>
Subject: Re: [PATCH] seccomp: allow TSYNC and USER_NOTIF together
Message-ID: <20200303145635.GC15783@cisco>
References: <20200206165027.18415-1-tycho@tycho.ws>
 <202003022137.9DAB55E6F0@keescook>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <202003022137.9DAB55E6F0@keescook>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Mar 02, 2020 at 09:48:34PM -0800, Kees Cook wrote:
> On Thu, Feb 06, 2020 at 09:50:27AM -0700, Tycho Andersen wrote:
> > The restriction introduced in 7a0df7fbc145 ("seccomp: Make NEW_LISTENER and
> > TSYNC flags exclusive") is mostly artificial: there is enough information
> > in a seccomp user notification to tell which thread triggered a
> > notification. The reason it was introduced is because TSYNC makes the
> > syscall return a thread-id on failure, and NEW_LISTENER returns an fd, and
> > there's no way to distinguish between these two cases (well, I suppose the
> > caller could check all fds it has, then do the syscall, and if the return
> > value was an fd that already existed, then it must be a thread id, but
> > bleh).
> > 
> > Matthew would like to use these two flags together in the Chrome sandbox
> > which wants to use TSYNC for video drivers and NEW_LISTENER to proxy
> > syscalls.
> > 
> > So, let's fix this ugliness by adding another flag, NO_TID_ON_TSYNC_ERR,
> > which tells the kernel to just return -EAGAIN on a TSYNC error. This way,
> > NEW_LISTENER (and any subsequent seccomp() commands that want to return
> > positive values) don't conflict with each other.
> > 
> > Suggested-by: Matthew Denton <mpdenton@google.com>
> > Signed-off-by: Tycho Andersen <tycho@tycho.ws>
> 
> Thanks for this! (And thanks for waiting on my review!) Yeah, this
> makes things much more sensible. If we get a third thing that wants
> to be returned, we'll have to rev the userspace struct API to have an
> "output" area. :P

Yeah :)

> Bike shedding below...
> 
> > ---
> >  include/linux/seccomp.h                       |  3 +-
> >  include/uapi/linux/seccomp.h                  |  1 +
> >  kernel/seccomp.c                              | 14 +++-
> >  tools/testing/selftests/seccomp/seccomp_bpf.c | 74 ++++++++++++++++++-
> >  4 files changed, 86 insertions(+), 6 deletions(-)
> > 
> > diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h
> > index 03583b6d1416..e0560a941ed1 100644
> > --- a/include/linux/seccomp.h
> > +++ b/include/linux/seccomp.h
> > @@ -7,7 +7,8 @@
> >  #define SECCOMP_FILTER_FLAG_MASK	(SECCOMP_FILTER_FLAG_TSYNC | \
> >  					 SECCOMP_FILTER_FLAG_LOG | \
> >  					 SECCOMP_FILTER_FLAG_SPEC_ALLOW | \
> > -					 SECCOMP_FILTER_FLAG_NEW_LISTENER)
> > +					 SECCOMP_FILTER_FLAG_NEW_LISTENER | \
> > +					 SECCOMP_FILTER_FLAG_NO_TID_ON_TSYNC_ERR)
> >  
> >  #ifdef CONFIG_SECCOMP
> >  
> > diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h
> > index be84d87f1f46..64678cc20e18 100644
> > --- a/include/uapi/linux/seccomp.h
> > +++ b/include/uapi/linux/seccomp.h
> > @@ -22,6 +22,7 @@
> >  #define SECCOMP_FILTER_FLAG_LOG			(1UL << 1)
> >  #define SECCOMP_FILTER_FLAG_SPEC_ALLOW		(1UL << 2)
> >  #define SECCOMP_FILTER_FLAG_NEW_LISTENER	(1UL << 3)
> > +#define SECCOMP_FILTER_FLAG_NO_TID_ON_TSYNC_ERR	(1UL << 4)
> 
> Bikeshed: what do you think about calling this
> 
> SECCOMP_FILTER_FLAG_TSYNC_ESRCH
> 
> to mean "I don't care _which_ thread, just fail" (See below about the
> ESRCH bit...)

Will do.

> >  
> >  /*
> >   * All BPF programs must return a 32-bit value.
> > diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> > index b6ea3dcb57bf..fa01ec085d60 100644
> > --- a/kernel/seccomp.c
> > +++ b/kernel/seccomp.c
> > @@ -528,8 +528,12 @@ static long seccomp_attach_filter(unsigned int flags,
> >  		int ret;
> >  
> >  		ret = seccomp_can_sync_threads();
> > -		if (ret)
> > -			return ret;
> > +		if (ret) {
> > +			if (flags & SECCOMP_FILTER_FLAG_NO_TID_ON_TSYNC_ERR)
> > +				return -EAGAIN;
> 
> Hm hm, I think EAGAIN is wrong here: this isn't likely to be a transient
> failure (unless the offending thread dies). The two ways TSYNC can fail
> are if a thread has seccomp mode 1 set, or if the thread's filter
> ancestry has already diverged. Trying again isn't really going to help
> (which is why the original motivation was to return thread details to
> help debug why TSYNC failed).
> 
> In the case where the thread id can't be found (container visibility??),
> we fail with -ESRCH. That might be more sensible than -EAGAIN here. (Or
> maybe -EBUSY?)

-ESRCH seems good, I'll resend with that.

Cheers,

Tycho