Received: by 2002:a25:ef43:0:0:0:0:0 with SMTP id w3csp1371976ybm; Sat, 30 May 2020 07:00:54 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwf+e/9807SsaHyQie8XR2nQks6F3UTxI7MVgdv4CBNDvCl0YurbeVatg4LLNtKvzyVF2RQ X-Received: by 2002:a17:906:cd18:: with SMTP id oz24mr11559273ejb.179.1590847253910; Sat, 30 May 2020 07:00:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1590847253; cv=none; d=google.com; s=arc-20160816; b=HAO/vf1JB7/8tcDkCgJMstAHZJcc54y38OepgHbOafQbD6wygAan38mkj7qKJra7TZ pofUUeMH9iqkc0/mV+87Kq7uC+FP6xjD8HVqTcutn2bAZym4MsByuLP6hR9UiVtZmsZH bfmIx/s+LbB1mfsr36obMfy8bIK2fxV3EtS49MwAU1qrAAzkj+f5uwWauUYTAubBXL8I CWJWp/4Hh1twx8yZJHKg2fmS+tzOdaaV7oko9bH1puI0Of5/vw+a/JUN/A6kAOJpR3uF tPHSwj5Vo2KxbUg790lhZb3LMyjmXXafGbnYT1bocLm8B+FPcSvRKFPzDg0qsfwyj/aT o60w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=m2fuM3vK1VteOoRuMhXqvxxF28fZpdry8iowJtzEXxc=; b=P8UV+ww7GJMvqIidMFoTZf6fuhOutGP5IFtrK0cX8A/sBtu1ZY7aKbSm0SDNQt1YSI +/1HsurexCpFxAIVb8jJYS2ypn3p1QLCeGxeYw0a1ItG7PSXyXPMUj3n+TIz/+pcvg27 55yiIUjFhTYmvsfAcIHHIk+XfFKaFuhoi6EFsfiMo09EXOKK0I1g2YtOjyV2aFR6Oa4j jNUGmt7x3kdjb9FZAiMNrbDaw1jKPbsUo8eCYSL0MpcqvqqoSiCxyoYtF6+jEOOU3Hen fRj2DGZcI0VEUWyuHjCfntJAUC2LtaNjb7v2KiGdPjDmLUge87b7ayAY6R4iy5rKPbmf STWQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w8si2873012ejb.473.2020.05.30.07.00.28; Sat, 30 May 2020 07:00:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728999AbgE3N6f (ORCPT + 99 others); Sat, 30 May 2020 09:58:35 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:48282 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728769AbgE3N6f (ORCPT ); Sat, 30 May 2020 09:58:35 -0400 Received: from ip5f5af183.dynamic.kabel-deutschland.de ([95.90.241.131] helo=wittgenstein) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1jf20K-0008Tw-Cb; Sat, 30 May 2020 13:58:28 +0000 Date: Sat, 30 May 2020 15:58:27 +0200 From: Christian Brauner To: Jann Horn Cc: Kees Cook , Sargun Dhillon , Linux Containers , Aleksa Sarai , Jeffrey Vander Stoep , Linux API , kernel list , Chris Palmer , Robert Sesek , Tycho Andersen , Matt Denton , Al Viro Subject: Re: [PATCH v2 2/3] seccomp: Introduce addfd ioctl to seccomp user notifier Message-ID: <20200530135827.cxltfmiqara4yaki@wittgenstein> References: <20200528110858.3265-1-sargun@sargun.me> <20200528110858.3265-3-sargun@sargun.me> <202005282345.573B917@keescook> <20200530011054.GA14852@ircssh-2.c.rugged-nimbus-611.internal> <202005291926.E9004B4@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, May 30, 2020 at 05:17:24AM +0200, Jann Horn wrote: > On Sat, May 30, 2020 at 4:43 AM Kees Cook wrote: > > I mean, yes, that's certainly better, but it just seems a shame that > > everyone has to do the get_unused/put_unused dance just because of how > > SCM_RIGHTS does this weird put_user() in the middle. > > > > Can anyone clarify the expected failure mode from SCM_RIGHTS? Can we > > move the put_user() after instead? > > Honestly, I think trying to remove file descriptors and such after > -EFAULT is a waste of time. If userspace runs into -EFAULT, userspace Agreed, we've never bothered with trying to recover from EFAULT. Just look at kernel/fork.c:_do_fork(): if (clone_flags & CLONE_PARENT_SETTID) put_user(nr, args->parent_tid); we don't even bother even though we technically could. > is beyond saving and can't really do much other than exit immediately. > There are a bunch of places that will change state and then throw > -EFAULT at the end if userspace supplied an invalid address, because > trying to hold locks across userspace accesses just in case userspace > supplied a bogus address is kinda silly (and often borderline > impossible). > > You can actually see that even scm_detach_fds() currently just > silently swallows errors if writing some header fields fails at the > end. There's really no point in trying to save a broken scm message imho.