Received: by 2002:a25:ef43:0:0:0:0:0 with SMTP id w3csp1457437ybm; Sat, 30 May 2020 09:24:18 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx+PtUe3LbMhLvoTl8cMpnS1ZLZBIUzfyobQYOE+xgIcnFyBGnYRugh8a9srYoMwN3MGNhV X-Received: by 2002:aa7:c405:: with SMTP id j5mr13904014edq.314.1590855857931; Sat, 30 May 2020 09:24:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1590855857; cv=none; d=google.com; s=arc-20160816; b=Rtz0GOVmsEjEMpE1+ZFXvkOZ6jZRrzwwqpsnkeOWvSX/gT3z2SrwliieoSrQQilOV4 AHS+mHaPn/ipx43RDWciYv4JEbDA1qCtR971QGzWzSfpWbHaMjdF9OUVWkDpCyBDJUPp OY9QnZks6tKxKeY479L47WaQkZtj60IvXPIr5UHnlar3LLIcoDMmw+ZBXkKwfPZbUgVV 9mSMrvE8ZClfmsa9vwDs5QWxnRG0GzLG/MscjnLF0tt0nkB2FQq7LOfWpQQymaCIDtBB nCFtKVWbZ0Dk+MiSCNHBUBuo84882LpdnpdDi56fPTNy39kogS77rH+DIvDV2BszD1q+ A/xg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=MT/UjNNlipYtJ8mcDwp1aNSkDYv30O1Tk7up37eOUAg=; b=L+eRN1l0btf00UHOBvQgJaLEEG2jFCH3upMhiGTWk/1djiacM5O3GjhAh3flyc/kIj Lan3V28QDDKmx5DHj21k7VSjm5FwIHLITubmMqbWVYxpKz8nFUYUn1CAtS6U8ewZR2c5 sjx+fl5trdkuNuObKrEeH0KMgNurmAaPYK0k1USWs9G0uO9Omzd4A+qdUcdBEZJNysSk fmfJ8NmV5IdEinWSPhHQVOW121B3wryKW+ihrItOl9a59DUZC6cDEpa8bRKOaXbFePuU VjfSSc+zaWOcwjYnLRdsrz7NaA9uHFyGNJXDZHaIMl2ZSNq+OmFUhpZrR0pVYA534wlb VA9w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a23si7716506ejk.653.2020.05.30.09.23.54; Sat, 30 May 2020 09:24:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729107AbgE3QV3 (ORCPT + 99 others); Sat, 30 May 2020 12:21:29 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:50436 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728927AbgE3QV3 (ORCPT ); Sat, 30 May 2020 12:21:29 -0400 Received: from ip5f5af183.dynamic.kabel-deutschland.de ([95.90.241.131] helo=wittgenstein) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1jf4Ee-0000Jx-FW; Sat, 30 May 2020 16:21:24 +0000 Date: Sat, 30 May 2020 18:21:23 +0200 From: Christian Brauner To: Kees Cook Cc: rsesek@google.com, palmer@google.com, jannh@google.com, jeffv@google.com, containers@lists.linux-foundation.org, linux-kernel@vger.kernel.org, Matt Denton , Al Viro , linux-api@vger.kernel.org Subject: Re: [PATCH v2 2/3] seccomp: Introduce addfd ioctl to seccomp user notifier Message-ID: <20200530162123.eqfgoc7lkyyxcmut@wittgenstein> References: <20200528110858.3265-1-sargun@sargun.me> <20200528110858.3265-3-sargun@sargun.me> <202005282345.573B917@keescook> <20200530011054.GA14852@ircssh-2.c.rugged-nimbus-611.internal> <202005291926.E9004B4@keescook> <20200530035817.GA20457@ircssh-2.c.rugged-nimbus-611.internal> <202005292223.1701AB31@keescook> <20200530141329.tjrtrdy66jhqzojy@wittgenstein> <202005300911.AAE71F1955@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <202005300911.AAE71F1955@keescook> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, May 30, 2020 at 09:14:50AM -0700, Kees Cook wrote: > On Sat, May 30, 2020 at 04:13:29PM +0200, Christian Brauner wrote: > > On Fri, May 29, 2020 at 10:47:12PM -0700, Kees Cook wrote: > > > Oh hey! Look at scm_detach_fds_compat(). It needs this too. (And it's > > > missing the cgroup tracking.) That would fix: > > > > > > 48a87cc26c13 ("net: netprio: fd passed in SCM_RIGHTS datagram not set correctly") > > > d84295067fc7 ("net: net_cls: fd passed in SCM_RIGHTS datagram not set correctly") > > > > > > So, yes, let's get this fixed up. I'd say first fix the missing sock > > > update in the compat path (so it can be CCed stable). Then fix the missing > > > > send this patch to net. > > > > > sock update in pidfd_getfd() (so it can be CCed stable), then write the > > > > send this patch to me. > > > > > helper with a refactoring of scm_detach_fds(), scm_detach_fds_compat(), > > > > this would be net-next most likely. > > > > > and pidfd_getfd(). And then add the addfd seccomp user_notif ioctl cmd. > > > > If you do this first, I'd suggest you resend the series here after all > > this has been merged. We're not in a rush since this won't make it for > > the 5.8 merge window anyway. By the time the changes land Kees might've > > applied my changes to his tree so you can rebase yours on top of it > > relieving Kees from fixing up merge conflicts. > > > > About your potential net and net-next changes. Just in case you don't > > know - otherwise ignore this - please read and treat > > https://www.kernel.org/doc/Documentation/networking/netdev-FAQ.txt > > as the gospel. Also note, that after this Sunday - assuming Linus > > releases - net-next will be closed until the merge window is closed, > > i.e. for _at least_ 2 weeks. After the merge window closes you can check > > http://vger.kernel.org/~davem/net-next.html > > which either has a picture saying "Come In We're Open" or a sign saying > > "Sorry, We're Closed". Only send when the first sign is up or the wrath > > of Dave might hit you. :) > > Yeah, timing is awkward here. I was originally thinking it could all > just land via seccomp (with appropriate Acks). Hmmm. I don't particularly care so sure. :) Christian