Date: Fri, 29 May 2020 22:47:12 -0700
From: Kees Cook
To: Sargun Dhillon
Cc: christian.brauner@ubuntu.com, containers@lists.linux-foundation.org, cyphar@cyphar.com, jannh@google.com, jeffv@google.com, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, palmer@google.com, rsesek@google.com, tycho@tycho.ws, Matt Denton, Al Viro
Subject: Re: [PATCH v2 2/3] seccomp: Introduce addfd ioctl to seccomp user notifier
Message-ID: <202005292223.1701AB31@keescook>
References: <20200528110858.3265-1-sargun@sargun.me> <20200528110858.3265-3-sargun@sargun.me> <202005282345.573B917@keescook> <20200530011054.GA14852@ircssh-2.c.rugged-nimbus-611.internal> <202005291926.E9004B4@keescook> <20200530035817.GA20457@ircssh-2.c.rugged-nimbus-611.internal>
In-Reply-To: <20200530035817.GA20457@ircssh-2.c.rugged-nimbus-611.internal>
List-ID: linux-kernel@vger.kernel.org

On Sat, May 30, 2020 at 03:58:18AM +0000, Sargun Dhillon wrote:
> Isn't the "right" way to do this to allocate a bunch of file descriptors,
> and fill up the user buffer with them, and then install the files? This
> seems to like half-install the file descriptors and then error out.
>
> I know that's the current behaviour, but that seems like a bad idea. Do
> we really want to perpetuate this half-broken state? I guess that some
> userspace programs could be depending on this -- and their recovery
> semantics could rely on this. I mean this is 10+ year old code.

Right -- my instincts on this are to leave the behavior as-is. I've been
burned by so many "nothing could possibly rely on THIS" cases. ;)

It might be worth adding a comment (or commit log note) that describes
the alternative you suggest here. But I think building a common helper
that does all of the work (and will get used in three^Wfour places now)
is the correct way to refactor this.

Oh hey! Look at scm_detach_fds_compat(). It needs this too. (And it's
missing the cgroup tracking.) That would fix:

48a87cc26c13 ("net: netprio: fd passed in SCM_RIGHTS datagram not set correctly")
d84295067fc7 ("net: net_cls: fd passed in SCM_RIGHTS datagram not set correctly")

So, yes, let's get this fixed up. I'd say first fix the missing sock
update in the compat path (so it can be CCed stable). Then fix the
missing sock update in pidfd_getfd() (so it can be CCed stable), then
write the helper with a refactoring of scm_detach_fds(),
scm_detach_fds_compat(), and pidfd_getfd(). And then add the addfd
seccomp user_notif ioctl cmd.

-- 
Kees Cook
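The "half-install" behaviour of scm_detach_fds() that the quoted paragraph describes is visible from user space: when the receiver's fd table runs out mid-loop, the descriptors already allocated stay installed, the SCM_RIGHTS cmsg is shortened to that count, and MSG_CTRUNC is set. The following Linux user-space program is an added illustration, not code from this thread or from the kernel patch; it sends three descriptors over a socketpair and receives them under an RLIMIT_NOFILE cap that leaves room for exactly one, and the function and type names (half_install_demo, rights_result) are my own.

```c
#define _GNU_SOURCE
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/resource.h>
/* How many descriptors recvmsg() installed before stopping, and whether MSG_CTRUNC was set. */
struct rights_result { int fds_installed; int ctrunc; };
union cbuf { char raw[CMSG_SPACE(3 * sizeof(int))]; struct cmsghdr align; };

static int send_fds(int sock, int *fds, int n) {
    char byte = 'x';                      /* SCM_RIGHTS needs at least one data byte */
    struct iovec iov = { &byte, 1 };
    union cbuf u = { { 0 } };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.raw, .msg_controllen = CMSG_SPACE(n * sizeof(int)) };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS; cm->cmsg_len = CMSG_LEN(n * sizeof(int));
    memcpy(CMSG_DATA(cm), fds, n * sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* The control buffer fits all three fds, so a shortfall means the kernel could not
 * allocate a descriptor part-way through its loop, not that the buffer was too small. */
static struct rights_result recv_fds(int sock) {
    struct rights_result r = { 0, 0 };
    char byte; struct iovec iov = { &byte, 1 };
    union cbuf u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.raw, .msg_controllen = sizeof u.raw };
    if (recvmsg(sock, &msg, MSG_CMSG_CLOEXEC) != 1) return r;
    r.ctrunc = (msg.msg_flags & MSG_CTRUNC) != 0;
    for (struct cmsghdr *cm = CMSG_FIRSTHDR(&msg); cm; cm = CMSG_NXTHDR(&msg, cm)) {
        if (cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) continue;
        int n = (cm->cmsg_len - CMSG_LEN(0)) / sizeof(int), *got = (int *)CMSG_DATA(cm);
        for (int i = 0; i < n; i++, r.fds_installed++) close(got[i]); /* already installed: don't leak them */
    }
    return r;
}

/* Send three descriptors, then receive with room in the fd table for only one. */
int half_install_demo(struct rights_result *out) {
    int sv[2], p[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) || pipe(p)) return -1;
    int fds[3] = { p[0], p[1], dup(p[0]) };   /* constructed sample: three unrelated fds */
    if (send_fds(sv[0], fds, 3)) return -1;
    int probe = dup(sv[0]); close(probe);     /* lowest free slot; cap the table just above it */
    struct rlimit old, lim; getrlimit(RLIMIT_NOFILE, &old);
    lim = old; lim.rlim_cur = probe + 1; setrlimit(RLIMIT_NOFILE, &lim);
    *out = recv_fds(sv[1]);
    setrlimit(RLIMIT_NOFILE, &old);           /* restore for the rest of the process */
    close(fds[2]); close(p[0]); close(p[1]); close(sv[0]); close(sv[1]);
    return 0;
}
```

A receiver that checks only the return value of recvmsg() would miss this: it must inspect MSG_CTRUNC and close whatever subset of descriptors did arrive, which is the recovery behaviour the thread is worried about breaking.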