Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp1904970ybk; Sun, 17 May 2020 04:21:55 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzAjuTawZeV4ILKGNmJHamYcIQCIT12EI4xenwqYWHG3gYQ3bG+YSUdpJzil3hmFqUNY1KC X-Received: by 2002:a05:6402:30ad:: with SMTP id df13mr9638153edb.339.1589714515529; Sun, 17 May 2020 04:21:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1589714515; cv=none; d=google.com; s=arc-20160816; b=H9wL6RbPEGGytYYt+08lh5JEnQ5Sm6WRcqa78ZXrz9UQ5KX2PEYbaFR12II4D/8HOp oFNboNanB0yUE/DGrXeum6ut8brCHfjYkTaP59CfXnwVD+FMv7uavPghYgPc7YOoq9Fv ztxSAgDuhtm4N/Q0ijXJFK3R8kPbAKVmUU0OoTfOY+lIhkKn2fdBuOhLGwWArS/jIGez RyK2jTRhYEQFU6awUiNUeES8nRcrngtruzrxro+RAUS435iq8oO5u0MFdW0RzISkz4Ba 02/FZGZt6Mir7HDfR8S+1Q9dkbfr69h/yaVv6Rk93fNO9XWSMcl0vV4WTDzf6gOJwKAF jY7g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=n4+u2L05qamryNPAo2T4bzOw/jmfe9BMj+ubXlFIP3M=; b=BdV4FiBnesKa27679sHwsx00VAMp6groBi+REfzUedHMrFsQkEC9gy0B9ZTqBvb87H Lkt/TQEFCj9BjWI1bgmGj4RiQIclGKL5gieeU2Zs5vxfU3PYQZjf5b5lkmNKPPA1bk9A LNrNiZ0HRJYgpnLA0aGVfHMvYANAypzh2380j3pAN8vKooP49cKMb4k8QNkIwtKFzgaR 1VrF/NStc/l4EbSmHpDVZ0aUDSGbzS5lbP4T5xs+XQI/Cfie0SzII66z/knYMaGH8H0E WjA8OyBe0LrzGpf8oW+8ka+G9TuBeEqVUsavmqK7tPL6SNAgSZGspB6Ta0TEq8iElc7w 5QXA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@sargun.me header.s=google header.b="r3/9LGFi"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id eb13si5527530edb.107.2020.05.17.04.21.32; Sun, 17 May 2020 04:21:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@sargun.me header.s=google header.b="r3/9LGFi"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727898AbgEQLR6 (ORCPT + 99 others); Sun, 17 May 2020 07:17:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58448 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727845AbgEQLR6 (ORCPT ); Sun, 17 May 2020 07:17:58 -0400 Received: from mail-ed1-x541.google.com (mail-ed1-x541.google.com [IPv6:2a00:1450:4864:20::541]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6E594C061A0C for ; Sun, 17 May 2020 04:17:57 -0700 (PDT) Received: by mail-ed1-x541.google.com with SMTP id b91so5993030edf.3 for ; Sun, 17 May 2020 04:17:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sargun.me; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=n4+u2L05qamryNPAo2T4bzOw/jmfe9BMj+ubXlFIP3M=; b=r3/9LGFiYPgwjcwX6d1PLqCTLUBo9OdlxmUFn1astZTDgXFVIOQPcFGV6gDJVgO9Yc g/U7d6pS4ayuWtjYbz4YbamZqxVRupQ7iJkTa7uDCYoXOzqonderuwAURCVreToE1SUo Dv3B+yX4s3fvWOWBSqAKZiXZcBA1NWHB0EUmg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=n4+u2L05qamryNPAo2T4bzOw/jmfe9BMj+ubXlFIP3M=; b=FB8BkPIDSRjZV0KHGwXmrPwMgxrm3MucZ2vCW4CJI6s0Fk+PoTpHqvpjOrmYDxH4x3 lQqQ2yWf0VD9nc2YSaAj+GyoSdl9nN0iU4pA3g2lGtdHSw1JIeKGbA0ca7lTvn/om2QY x3onhXoscAzE5ZbvB8CSzuPDnRQy7jAva94i07sTpSqg2l/v/WscBne7dy5rD3O7WXuc +hioIOkdTEwm8UWENBy31vWL9rs+neG4SwUG8orgg+/GcXvK5ED8jyrL3nv5eaF/8D3g QoLFMbxo+ISnw+TthkqxeV2nBiwCs4G8052oRAwhB42cUsz/XgnZ3D0cC+kdnVFoOFcR K4IQ== X-Gm-Message-State: AOAM533qlQ7kOkcKsfIFLn/1Wxi10MJnr6fK/dI4RkjbPkZYJsBZwy4w dAdn9/H4N3zIQY/Mtiks0WzloGbsXkn4I5KJ1OVA6g== X-Received: by 2002:aa7:c617:: with SMTP id h23mr8804881edq.305.1589714275547; Sun, 17 May 2020 04:17:55 -0700 (PDT) MIME-Version: 1.0 References: <20200515234005.32370-1-sargun@sargun.me> <202005162344.74A02C2D@keescook> In-Reply-To: <202005162344.74A02C2D@keescook> From: Sargun Dhillon Date: Sun, 17 May 2020 04:17:19 -0700 Message-ID: Subject: Re: [PATCH] seccomp: Add group_leader pid to seccomp_notif To: Kees Cook Cc: LKML , Linux Containers , Linux API , Christian Brauner , Tycho Andersen , Aleksa Sarai Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, May 17, 2020 at 12:17 AM Kees Cook wrote: > > On Fri, May 15, 2020 at 04:40:05PM -0700, Sargun Dhillon wrote: > > This includes the thread group leader ID in the seccomp_notif. This is > > immediately useful for opening up a pidfd for the group leader, as > > pidfds only work on group leaders. > > > > Previously, it was considered to include an actual pidfd in the > > seccomp_notif structure[1], but it was suggested to avoid proliferating > > mechanisms to create pidfds[2]. > > > > [1]: https://lkml.org/lkml/2020/1/24/133 > > [2]: https://lkml.org/lkml/2020/5/15/481 > > nit: please use lore.kernel.org/lkml/ URLs > > > Suggested-by: Christian Brauner > > Signed-off-by: Sargun Dhillon > > --- > > include/uapi/linux/seccomp.h | 2 + > > kernel/seccomp.c | 1 + > > tools/testing/selftests/seccomp/seccomp_bpf.c | 50 +++++++++++++++++++ > > 3 files changed, 53 insertions(+) > > > > diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h > > index c1735455bc53..f0c272ef0f1e 100644 > > --- a/include/uapi/linux/seccomp.h > > +++ b/include/uapi/linux/seccomp.h > > @@ -75,6 +75,8 @@ struct seccomp_notif { > > __u32 pid; > > __u32 flags; > > struct seccomp_data data; > > + __u32 tgid; > > + __u8 pad0[4]; > > }; > > I think we need to leave off padding and instead use __packed. If we > don't then userspace can't tell when "pad0" changes its "meaning" (i.e. > the size of seccomp_notif becomes 88 bytes with above -- either via > explicit padding like you've got or via implicit by the compiler. If > some other u32 gets added in the future, user space will still see "88" > as the size. > I've had previous feedback about using "packed". See: https://lore.kernel.org/lkml/87o8w9bcaf.fsf@mid.deneb.enyo.de/ https://lore.kernel.org/lkml/a328b91d-fd8f-4f27-b3c2-91a9c45f18c0@rasmusvillemoes.dk/ > So I *think* the right change here is: > > -}; > + __u32 tgid; > +} __packed; > > Though tgid may need to go above seccomp_data... for when it grows. > Agh... (How) can seccomp_data grow safely, even with this extensibility mechanism? > > _However_, unfortunately, I appear to have no thought this through very > well, and there is actually no sanity-checking in the kernel for dealing > with an old userspace when sizes change. :( For example, if a userspace > doesn't check sizes and calls an ioctl, etc, the kernel will clobber the > user buffer if it's too small. > > Even the SECCOMP_GET_NOTIF_SIZES command lacks a buffer size argument. > :( > > So: > > - should we just declare such userspace as "wrong"? I don't think > that'll work, especially since what if we ever change the size of > seccomp_data... that predated the ..._SIZES command. > > - should we add a SECCOMP_SET_SIZES command to tell the kernel what > we're expecting? There's no "state" associated across seccomp(2) > calls, but maybe that doesn't matter because only user_notif writes > back to userspace. For the ioctl, the state could be part of the > private file data? Sending seccomp_data back to userspace only > happens here, and any changes in seccomp_data size will just be seen > as allowing a filter to query further into it. Will we ever grow seccomp_data? I suggest we throw away the _SIZES api, and just introduce RECV2, which sends back a known, fixed format, and deprecate these dynamically sized uapi shenanigans. (Queue RECV3, etc..) Maybe we do something like perf_event_open, where there's a read_format, and that's used by the user to determine how big of a response / fields they want to get? > > - should GET_SIZES report "useful" size? (i.e. exclude padding?) > > > diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c > > Yay test updates! :) > > > +TEST(user_notification_groupleader) > > In my first pass of review I was going to say "can you please also check > the sizes used by the ioctl?" But that triggered the above size checking > mess in my mind. > > Let me look at this more closely on Monday, and I'll proposed something. > :P To summarize my set of ideas: 1. We take the ptrace-style API, where we have a request to get the tgid of a given request ID (or any new / extensible field) 2. We add a perf_event_open style API, where you have to tell it what fields to include in the response 3. We introduce RECV2 [through N] 4. We never extend seccomp_data, and just continue to append things to the API 5. We rev the API _once_ and unroll seccomp_data, and make it so that new members have to be *asked for*, rather than are implicitly included. > > Thanks! > > -Kees > > -- > Kees Cook