Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp1788399ybk;
        Sun, 17 May 2020 00:21:51 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzXeIr1jRp6/RlQKzdX97vetLtdVZjSDG5m1tNNw4suXbm90z9aRtTr230+u6g5hITlg7Sp
X-Received: by 2002:a17:906:3c4f:: with SMTP id i15mr10022372ejg.243.1589700110873;
        Sun, 17 May 2020 00:21:50 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1589700110; cv=none;
        d=google.com; s=arc-20160816;
        b=KC5kGJLJHHYoM6qIyEv9RHYgcSDHNXEVXYpndSHS6Y428MxZWFTpvEywsQn/+D8ku0
         pg4Xf4lo3AidfDzzpfd9Sls0HYtQh9S8p2xaTBzoGbJU1AqVr5WIGsod7Tfd12m2O48x
         dnS3aNmXW4FHMAQqDSrRwF15W8tR5fXckrxnGmVYOG8QxsKPrVGu5iu7G09LN/gX787B
         LpzNeqVyRX4PUfu78p/OYLv3eHTPY0C37knDAanVM1oTbArCp/bAjmVuIVSQBBJMnz6a
         7QJwDO/tumQGwBs+604fER/0xlt71OAkgDkoyNDpOiEbOMmuiLK+Pb0So9COSi54E82f
         Ksmg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date
         :dkim-signature;
        bh=aftZV1cdZqqyo7nEiKFeSuPiJj3pGPrb2uZIVEZjg8Y=;
        b=sdBd9HGWlU8S1StjZiY3kveyUZIKT1XgdqnpiqevXHXZKlCEE4ZnClkA6rXh9ox5YO
         9xpGhRSBrfY9IKzWo8rPhuzSvVoPwgMjZR3XG4cxakrvEHMuoi4LuLj100iw3Aq57cvu
         gweKApoZhjVzSmJ6KxdE4yX8GOZJZeCQRmI7eg3MoNa9e+S5Zl3ubLCTZr451fayBzIW
         C18UHAWOXuhunfnl2jQHFGjJS05ZqsV5gqk33BUxkAYjQFD45CVczi/HUzG6H890dpkZ
         XNNq6GlnUpN+VybJY+3BveJXhrDpIhEJWRSMwxzp7MRKnTAIQ21u8l8XtWTHxaZjQFPw
         NQaw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=KBiEhBvl;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id g30si4186442ede.28.2020.05.17.00.21.27;
        Sun, 17 May 2020 00:21:50 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=KBiEhBvl;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727055AbgEQHRS (ORCPT <rfc822;vinadhy@gmail.com> + 99 others);
        Sun, 17 May 2020 03:17:18 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49560 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726980AbgEQHRS (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 17 May 2020 03:17:18 -0400
Received: from mail-pj1-x1043.google.com (mail-pj1-x1043.google.com [IPv6:2607:f8b0:4864:20::1043])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C3342C061A0C
        for <linux-kernel@vger.kernel.org>; Sun, 17 May 2020 00:17:16 -0700 (PDT)
Received: by mail-pj1-x1043.google.com with SMTP id a5so3188056pjh.2
        for <linux-kernel@vger.kernel.org>; Sun, 17 May 2020 00:17:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to;
        bh=aftZV1cdZqqyo7nEiKFeSuPiJj3pGPrb2uZIVEZjg8Y=;
        b=KBiEhBvlYFCV1jPF9d8iOLqAJGzwh7eNPC6bjw/QP/iuqlMtONiBt8ZFUtB7iWgxNv
         3pH86rVMJSygxDx2PXR0qO93TSylEmJ6BdzZUxPFC1Iaw37nlMFHzeSkczNnXl04sDBA
         OeNg4gtoFkA7/VEElrs4D0V5Balkk+TMuIXlM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to;
        bh=aftZV1cdZqqyo7nEiKFeSuPiJj3pGPrb2uZIVEZjg8Y=;
        b=LI6hDQE8OKAgZzqFBkVeuc0s4p7xF63MOMX3YIIdwwv++zS9WjoA5b86dS3ecXlE9f
         k5fgdG9WQXTnZBEWcF9xU8gju64hQgpmMCM7nZuYxmUD+15YmWSSaWsg/cAQ1FmHcxTB
         sE7XnPFXV++iYRKKg4cM59P9xkBIESJnOlgo0r/NpIrh+teB2DbEhVYOEDbM8FE2K1uR
         QcRvxmnj0j6zVJ/bdpZtLHVYyuuJ3X86NNtAzN6zIzbsbiDVJ8Xupc4vP6juPq7nQueg
         RTAyuxNjhj52W/pRbdZGTwXEYJrhqYws/aLxHeWBDF9VdNcF27TTf4WeNT3WZRvk17A1
         KHeA==
X-Gm-Message-State: AOAM530lpxDxfVyY2rLvqnJLvD3dd1PapoUuHwzMDyWQN3pK59bjks6x
        7gBhL0IiGCaa7D8C5wG8FptW9Q==
X-Received: by 2002:a17:90a:d506:: with SMTP id t6mr357751pju.49.1589699836216;
        Sun, 17 May 2020 00:17:16 -0700 (PDT)
Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163])
        by smtp.gmail.com with ESMTPSA id d2sm5649154pfa.164.2020.05.17.00.17.14
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 17 May 2020 00:17:15 -0700 (PDT)
Date:   Sun, 17 May 2020 00:17:14 -0700
From:   Kees Cook <keescook@chromium.org>
To:     Sargun Dhillon <sargun@sargun.me>
Cc:     linux-kernel@vger.kernel.org,
        containers@lists.linux-foundation.org, linux-api@vger.kernel.org,
        christian.brauner@ubuntu.com, tycho@tycho.ws, cyphar@cyphar.com
Subject: Re: [PATCH] seccomp: Add group_leader pid to seccomp_notif
Message-ID: <202005162344.74A02C2D@keescook>
References: <20200515234005.32370-1-sargun@sargun.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200515234005.32370-1-sargun@sargun.me>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, May 15, 2020 at 04:40:05PM -0700, Sargun Dhillon wrote:
> This includes the thread group leader ID in the seccomp_notif. This is
> immediately useful for opening up a pidfd for the group leader, as
> pidfds only work on group leaders.
> 
> Previously, it was considered to include an actual pidfd in the
> seccomp_notif structure[1], but it was suggested to avoid proliferating
> mechanisms to create pidfds[2].
> 
> [1]: https://lkml.org/lkml/2020/1/24/133
> [2]: https://lkml.org/lkml/2020/5/15/481

nit: please use lore.kernel.org/lkml/ URLs

> Suggested-by: Christian Brauner <christian.brauner@ubuntu.com>
> Signed-off-by: Sargun Dhillon <sargun@sargun.me>
> ---
>  include/uapi/linux/seccomp.h                  |  2 +
>  kernel/seccomp.c                              |  1 +
>  tools/testing/selftests/seccomp/seccomp_bpf.c | 50 +++++++++++++++++++
>  3 files changed, 53 insertions(+)
> 
> diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h
> index c1735455bc53..f0c272ef0f1e 100644
> --- a/include/uapi/linux/seccomp.h
> +++ b/include/uapi/linux/seccomp.h
> @@ -75,6 +75,8 @@ struct seccomp_notif {
>  	__u32 pid;
>  	__u32 flags;
>  	struct seccomp_data data;
> +	__u32 tgid;
> +	__u8 pad0[4];
>  };

I think we need to leave off padding and instead use __packed. If we
don't then userspace can't tell when "pad0" changes its "meaning" (i.e.
the size of seccomp_notif becomes 88 bytes with above -- either via
explicit padding like you've got or via implicit by the compiler. If
some other u32 gets added in the future, user space will still see "88"
as the size.

So I *think* the right change here is:

-};
+	__u32 tgid;
+} __packed;

Though tgid may need to go above seccomp_data... for when it grows.
Agh...

_However_, unfortunately, I appear to have no thought this through very
well, and there is actually no sanity-checking in the kernel for dealing
with an old userspace when sizes change. :( For example, if a userspace
doesn't check sizes and calls an ioctl, etc, the kernel will clobber the
user buffer if it's too small.

Even the SECCOMP_GET_NOTIF_SIZES command lacks a buffer size argument.
:(

So:

- should we just declare such userspace as "wrong"? I don't think
  that'll work, especially since what if we ever change the size of
  seccomp_data...  that predated the ..._SIZES command.

- should we add a SECCOMP_SET_SIZES command to tell the kernel what
  we're expecting? There's no "state" associated across seccomp(2)
  calls, but maybe that doesn't matter because only user_notif writes
  back to userspace. For the ioctl, the state could be part of the
  private file data? Sending seccomp_data back to userspace only
  happens here, and any changes in seccomp_data size will just be seen
  as allowing a filter to query further into it.

- should GET_SIZES report "useful" size? (i.e. exclude padding?)

> diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c

Yay test updates! :)

> +TEST(user_notification_groupleader)

In my first pass of review I was going to say "can you please also check
the sizes used by the ioctl?" But that triggered the above size checking
mess in my mind.

Let me look at this more closely on Monday, and I'll proposed something.
:P

Thanks!

-Kees

-- 
Kees Cook