Received: by 2002:a25:1104:0:0:0:0:0 with SMTP id 4csp474048ybr;
        Fri, 22 May 2020 10:59:56 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyK+O+RTBE5q+ySS1WzjB92jnZzLeHPDqFcLy5to4xqZJsDlrfpYQ4zczBcysruNUDDVich
X-Received: by 2002:a17:906:4a8c:: with SMTP id x12mr9155990eju.279.1590170396032;
        Fri, 22 May 2020 10:59:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1590170396; cv=none;
        d=google.com; s=arc-20160816;
        b=And7DowgiFJrqy9SX2ZtCHmhkvOksmcob3N/eqxHUAK6s6EXcUEZ1AZg22MThdlJaP
         muo4H9bEI5s1zffK99NLhPk3QMR3INudAzbvCjpzkiEjqoVn6i+MXA6Hr3LcN/mclEbQ
         Q7Kc+c/nQeaWcoKhAa5Fppwu7uyaKAergzjkoHQCpqBmJdv9koZdoFjkdFOsFnUxVTFr
         a0Yg3WVRacu/N1ouuBOZ9aApVNlSWEaCnoNv9RyA3UnwPSaF8XYVc+pgUzYiga6c9eM9
         f62EC6uh4s8GYU6MzIwHzL37S6JUMTNARU3CF10LxZD8vTNA8OapzygGbVRYemBkQXIM
         CEUg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=g7+ZinecQk+vU2tx3USRyzTX9hWXqwnrfU8Z0ao5NFs=;
        b=wR4ZCNDH9XrtKj4UxKBBvBYb1bE80xf3z1XnSXWrTgaR81bq+3zd4VZNpIpz3YtQRr
         3f1hlordVfmp3ikF8BJU9w4MPpz5zqUrRXQVLAzxHcfF9LzIv5gcH3dtqkJWSp6LdbOv
         nJf2XsuY/1WWMQzTYobEsvnnYGdbfU1LIkeelcaWfjmSBELTsYDNgLx5xKWv5iRhWWIb
         90BpIxlkmpMJZrS84/JFX8jzAUPa95TBXgT8rZ9quvnDrGmE0NnLZFS7TNCN6HpIm5U/
         dcLBZwhAJy8cx8xaOyCTEaMECnEtIsVtcLNDty9RjVT3O+zqPGIfS6hhrfQxukRVkvh7
         Ay8Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@sargun.me header.s=google header.b="RM1/oCRX";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id j27si5317331eja.471.2020.05.22.10.59.33;
        Fri, 22 May 2020 10:59:56 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@sargun.me header.s=google header.b="RM1/oCRX";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730821AbgEVRze (ORCPT <rfc822;proy.cse@gmail.com> + 99 others);
        Fri, 22 May 2020 13:55:34 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57852 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1730741AbgEVRzd (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 22 May 2020 13:55:33 -0400
Received: from mail-ej1-x644.google.com (mail-ej1-x644.google.com [IPv6:2a00:1450:4864:20::644])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C572AC05BD43
        for <linux-kernel@vger.kernel.org>; Fri, 22 May 2020 10:55:32 -0700 (PDT)
Received: by mail-ej1-x644.google.com with SMTP id s21so14009542ejd.2
        for <linux-kernel@vger.kernel.org>; Fri, 22 May 2020 10:55:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sargun.me; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=g7+ZinecQk+vU2tx3USRyzTX9hWXqwnrfU8Z0ao5NFs=;
        b=RM1/oCRXDo9ryPT24QfNPtGbMQpFbyhAtGPByRCCCkRsAIqdrbBXgtD+Xp5SO5xHVD
         Y5nW0iZ21Q903SnBry33l1LxeDFngn3uirbmpxBPPre74pAl3PQlkFV/9PLuVlTtF12n
         59lPUphICio+7TuzrBBJrxD5HeyV9gmylFGU8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=g7+ZinecQk+vU2tx3USRyzTX9hWXqwnrfU8Z0ao5NFs=;
        b=riXQxIfb76nWs5hQtgR37UUDWeSxIia5BF3Ad9EEz7lSPUfzttqvBbkc/3urvlJlLz
         CregeJIHLTQqWVpEbyzTrAa02FJraDcfuuGYADP9N8i9QiD9JnP3+pkCAJglG9KBjE9u
         Dadpz9GP3+MSvOjsPYJahc4Of7cV+m8tObNMMoZeN3eClRGOUjfDDt1HSDWETYulw6C+
         sQShXb2z/C1smS0xsRcjS5cDfMHrzSynATtbnWPFGfER28qJPgjmjeDoY6h/lboAFE3s
         bgocW9KEkENTKtoXT+QFuNlFq5gN0C1fkErEk0cQHJ01hECAbTo1GeQf5ADmnyqfHd5T
         +ryQ==
X-Gm-Message-State: AOAM532zi/dnqjYm5amDW3k1SfjUB7HLScV0rFSwy4YwvxRg/tryUCDa
        9VBr3tvu/A/WmklP/cS6Piv0YDJdZaKWUpmlvfLRMA==
X-Received: by 2002:a17:906:9404:: with SMTP id q4mr9055108ejx.138.1590170131063;
 Fri, 22 May 2020 10:55:31 -0700 (PDT)
MIME-Version: 1.0
References: <20200515234005.32370-1-sargun@sargun.me> <87h7wc4zac.fsf@x220.int.ebiederm.org>
In-Reply-To: <87h7wc4zac.fsf@x220.int.ebiederm.org>
From:   Sargun Dhillon <sargun@sargun.me>
Date:   Fri, 22 May 2020 10:54:55 -0700
Message-ID: <CAMp4zn_v-D=gyzdWO7D2KrdZ_vct87dV_0pM5HVNE_3zDG7k8Q@mail.gmail.com>
Subject: Re: [PATCH] seccomp: Add group_leader pid to seccomp_notif
To:     "Eric W. Biederman" <ebiederm@xmission.com>
Cc:     LKML <linux-kernel@vger.kernel.org>,
        Linux Containers <containers@lists.linux-foundation.org>,
        Linux API <linux-api@vger.kernel.org>,
        Christian Brauner <christian.brauner@ubuntu.com>,
        Tycho Andersen <tycho@tycho.ws>,
        Kees Cook <keescook@chromium.org>,
        Aleksa Sarai <cyphar@cyphar.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, May 18, 2020 at 4:11 PM Eric W. Biederman <ebiederm@xmission.com> wrote:
>
> Sargun Dhillon <sargun@sargun.me> writes:
>
> > This includes the thread group leader ID in the seccomp_notif. This is
> > immediately useful for opening up a pidfd for the group leader, as
> > pidfds only work on group leaders.
>
> The code looks fine (except for the name of the test), but can you
> please talk and think about this as something other than the
> group leader?
>
> The initial thread in a thread group can die, and the tgid is still
> valid for the entire group.  Because the initial thread of a
> process/thread group can die (but rarely does) that tends to result in
> kernel code that fails when thread_group_leader dies.
>
> To remove that class of bugs I am slowy working to remove the
> thread_group_leader from the kernel entirely.
>
> Looking at the names of the fields in the structure it looks like
> there is another class of bugs to be removed by renaming PIDTYPE_PID
> to PIDTYPE_TID in the kernel as well.  Just skimming the example code
> it looks very simple to get confused.
>
> Is there any chance some can modify struct seccomp_notify to do
> {
>         ...
>         union {
>                 __u32 pid;
>                 __u32 tid;
>         };
>         ...
> }
>
> Just to reduce the chance of confusion between the userspace pid and the
> in kernel pid names?
>
> Eric
Our use cases would be unaffected by this. I think this would be a wonderful
way to move forward, but I don't know if it could break userspace.

I believe Christian's team is the biggest user of this feature in OSS right now,
so he might know.

In addition, I'm not sure where you would want the thread's ID versus the
process's ID, unless you wanted to do something like SIGSTOP, and freeze
the thread to prevent it from making more progress, or being interrupted
while you go do notifier work.

Christian & Kees,
Thoughts?