Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp702445ybg; Mon, 1 Jun 2020 12:05:00 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzpBlWL+MkzuMguNzyz2IxllRUOvf+e2yEbHPowqACh2PAJq1QtdXWWM4xXeRpM1TQzU1De X-Received: by 2002:aa7:db47:: with SMTP id n7mr7679488edt.223.1591038300798; Mon, 01 Jun 2020 12:05:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1591038300; cv=none; d=google.com; s=arc-20160816; b=vqb2L5a0C9yru6/vCjifZp0uUp82bNK59he2RASXhX4ZHhaPbzGA0D4aqwXvlqn/ov VpP12RV2ZwpXhqlPTon3r2juWtb93Y2geIs/nwy2bAEU7iwIIghD3PhSM/QpmmutsdLE +SjcZfmMKTdhwK9+UH+R23BrV6jqSaENXz2IQd52XT+9TuhskEIn4BiDvFYm6glMxs8e cw7YI9aNOKTCRUg3jyLXtdWSWRpdtFUu5wjvvkZPdhW4Urg53kyshhVxl/BIk5Yi3OMd eLc5qzUdiGc0t0aQHWPSSH/0Fv0r07TZW+OB5kjsrlh4U8MLuE7xSlplmWyL4AhHzEEG pBkg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=j2AE9zA522dGubyF5+BcWXLnStw6uvUihnoLcDF2u4E=; b=N/4F+Jfd040myjQOHCz6s0jTGOA7jd5oxBQ+KHtySrSv3GGHKJoLQVSI5F4nZmHI4B lQpG6ZPnpR5K5j+mHOocjut9nQcVzxcGwhq/eqWILymeRy/rEH1Bbsc7djmam9U4/k/K rMI8YXFzNM14Od+7rUdiEt44Lb5P5Qzpi1C08SOP65JV3fmgv6votLZ8z7HYe4mDUajd jTeAjL9gl2Wew21zh3eujkeoLDKErSxodKsKOe0rh9eHuAo6fwc9C9/7Ss0ew8d3ffOa HpD3VcZnvzc/lOrm36ciZ1/YmH1G9X77iwuQSHQAT5bGNqhMYoQVHbFx2Ku6WARdCpGA KgRQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@sargun.me header.s=google header.b=X6WKn1iB; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a7si204912ejx.184.2020.06.01.12.04.36; Mon, 01 Jun 2020 12:05:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@sargun.me header.s=google header.b=X6WKn1iB; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728374AbgFATCt (ORCPT + 99 others); Mon, 1 Jun 2020 15:02:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46380 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726751AbgFATCt (ORCPT ); Mon, 1 Jun 2020 15:02:49 -0400 Received: from mail-ed1-x542.google.com (mail-ed1-x542.google.com [IPv6:2a00:1450:4864:20::542]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B3CC5C061A0E for ; Mon, 1 Jun 2020 12:02:48 -0700 (PDT) Received: by mail-ed1-x542.google.com with SMTP id s19so8083606edt.12 for ; Mon, 01 Jun 2020 12:02:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sargun.me; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=j2AE9zA522dGubyF5+BcWXLnStw6uvUihnoLcDF2u4E=; b=X6WKn1iBvcV6+zLFWptbRHbE8t8cLcnVQBkjk3mU9xb/mXLna5lzKLHhGukjDNB1g3 MQCJEtx5lsUQ4EK3cKdvthLCA5tq2Vjckr7gISvq6Czgfm349xD2ntTDpnwMOAWPusG9 Wjw8ZkICVRATuJ7eUr2rgqjdjUAoZojzieQd4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=j2AE9zA522dGubyF5+BcWXLnStw6uvUihnoLcDF2u4E=; b=VU5G9C4kKpDoHwe4ktAxNfrsCLs/AqmiZzzdkejn5Xe0qgzHDo6FvoM0xUFk0UuJE9 b9cYe5+4N2q/Ysn3XUJ7QUhdxp3tUqXPQEREAcYvMH1HsJ+YKndCYvpm8uDAVT8AZiJR IVOjh95Ey0vhOOhGV1GcV817fNd5yvMay2E0J2XEfaCEQXCGdeILes/YvFPFa3lYigG8 Fwj72jMNc2vHdhVXbQ8ikY2rV4bdEJF0hRcxTZpo2+P9Uj01paypKcHQZ9OJTUkSlZRR /5oefgLbsp4H//frUcnHwc23+UBAN6OG8kEm4Outfx0t3Mbx3gCTpfbdGiHq4x34U2pQ 6LjA== X-Gm-Message-State: AOAM533LJTwgUPLkro4UTjayyblhQYtdq1H0nfxqjsTaUsqVbJkkHLfQ GznCcwQ9gnOwKanU6XI2dI3bC2d6hwaldiPVWAiCzw== X-Received: by 2002:a50:cf4c:: with SMTP id d12mr23338318edk.121.1591038167079; Mon, 01 Jun 2020 12:02:47 -0700 (PDT) MIME-Version: 1.0 References: <20200528110858.3265-1-sargun@sargun.me> <20200528110858.3265-3-sargun@sargun.me> <202005282345.573B917@keescook> <20200530011054.GA14852@ircssh-2.c.rugged-nimbus-611.internal> <202005291926.E9004B4@keescook> <20200530140837.GM23230@ZenIV.linux.org.uk> <202005300834.6419E818A7@keescook> In-Reply-To: <202005300834.6419E818A7@keescook> From: Sargun Dhillon Date: Mon, 1 Jun 2020 12:02:10 -0700 Message-ID: Subject: Re: [PATCH v2 2/3] seccomp: Introduce addfd ioctl to seccomp user notifier To: Kees Cook Cc: Al Viro , Christian Brauner , Linux Containers , Aleksa Sarai , Jann Horn , Jeffrey Vander Stoep , Linux API , LKML , Chris Palmer , Robert Sesek , Tycho Andersen , Matt Denton Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, May 30, 2020 at 9:07 AM Kees Cook wrote: > > On Sat, May 30, 2020 at 03:08:37PM +0100, Al Viro wrote: > > On Fri, May 29, 2020 at 07:43:10PM -0700, Kees Cook wrote: > > > > > Can anyone clarify the expected failure mode from SCM_RIGHTS? Can we > > > move the put_user() after instead? I think cleanup would just be: > > > replace_fd(fd, NULL, 0) > > > > Bollocks. > > > > Repeat after me: descriptor tables can be shared. There is no > > "cleanup" after you've put something there. > > Right -- this is what I was trying to ask about, and why I didn't like > the idea of just leaving the fd in the table on failure. But yeah, there > is a race if the process is about to fork or something. > > So the choice here is how to handle the put_user() failure: > > - add the put_user() address to the new helper, as I suggest in [1]. > (exactly duplicates current behavior) > - just leave the fd in place (not current behavior: dumps a fd into > the process without "agreed" notification). > - do a double put_user (once before and once after), also in [1]. > (sort of a best-effort combo of the above two. and SCM_RIGHTS is > hardly fast-pth). > > -Kees > > [1] https://lore.kernel.org/linux-api/202005282345.573B917@keescook/ > > -- > Kees Cook I'm going to suggest we stick to the approach of doing[1]: 1. Allocate FD 2. put_user 3. "Receive" and install file into FD That is the only way to preserve the current behaviour in which userspace is notified about *every* FD that is received via SCM_RIGHTS. The scm_detach_fds code as it reads today does effectively what is above, in that the fd is not installed until *after* the put user. Therefore if put_user gets an EFAULT or ENOMEM, it falls through to the MSG_CTRUNC bit. The approach suggested[2] has a "change" in behaviour, in that (all in file_receive): 1. Allocate FD 2. Receive file 3. put_user Based on what Al Viro said, I don't think we can simply add step #4, being "just" uninstall the FD. [1]: https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg2179418.html [2]: https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg2179453.html