Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp579ybg; Tue, 9 Jun 2020 14:30:38 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxsj37hsVpYbk+AtC/xwsUdZhvLrT6jJk83yMdhDFd3qntDP4wEN/a8E/9XgE8c/KdWRN9t X-Received: by 2002:a17:906:a387:: with SMTP id k7mr381768ejz.408.1591738238812; Tue, 09 Jun 2020 14:30:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1591738238; cv=none; d=google.com; s=arc-20160816; b=pR64u0ZGNKp/iEhMNpMNGQ4p6jFJ6bZ+o9h16giEzEzsNj7sOX2ltE+F/GG1tNO2M+ 4jQukW5rCCXlAEN8ncOq8IuBNela90ah2GrHnfxUrqudbBvPQRGgrddSREb5tvDxxTlF B1qhOpO4a8CDd8yI/m5earJkusX3nKSxinQTGw+arNdmq1ANSnYM7GzArHRjQ8nWBOjE Ei4p8aCEeAzkljLAFX4JM0yXHFicxbv9ORI5XAs1rwGA3kA0v7e724VHYhzf4Av4DF9G jQHjjpU5kUPOSp14+u02jIMOmszdB5jlYE6QQ2a/vSQ0BjzEptjqnzSHFVwFdr4zts6E utSg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:from:cc:to:subject :content-transfer-encoding:mime-version:references:in-reply-to :user-agent:date; bh=WuZRjUFYnwIBcHo4HoAcFCMks7OI1MejKEugJcHTB/0=; b=FJtBKixAGoQteS0YqAlZXFNYUk/4IIYBgn42MLOyHlD/TGWuli1F95ksToAmTd5HGI e3gt4A5uzt9tUL7j8AWBYtdLLOAC2nmuedNkgumWY2Yk6mQVo02fJT3KAD4tgGngHQnT fliCqba3KIie2mFPN/swP4/sSfXrsDZzy2LUmOq2NuGO9yUo9/1LkEkqx6XfBOprTAdX yMSrcJTzEZbS3eAAhhZmLqiKC6T00vKwN0032eQMHwfRate2q673C8Vq4nvasydW6E+S Wrdcp2C2wrHEEncNOulPFg8NRBfAaFe9kC57LaUdq8yqwIzHT0N89DKsth8nbVjs+Q63 0KQg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f6si11580690eds.91.2020.06.09.14.30.14; Tue, 09 Jun 2020 14:30:38 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726992AbgFIV1h convert rfc822-to-8bit (ORCPT + 99 others); Tue, 9 Jun 2020 17:27:37 -0400 Received: from mail-ej1-f68.google.com ([209.85.218.68]:33845 "EHLO mail-ej1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727831AbgFIV1g (ORCPT ); Tue, 9 Jun 2020 17:27:36 -0400 Received: by mail-ej1-f68.google.com with SMTP id l27so245452ejc.1 for ; Tue, 09 Jun 2020 14:27:35 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:user-agent:in-reply-to:references :mime-version:content-transfer-encoding:subject:to:cc:from :message-id; bh=kwegRFKyFAuFQmSuL2ErdFUJzcaqDng93wl658gpK9o=; b=pigi3n8+A6OMNxndHis+M5Dsv1GSwFEs5S3jiwIPHDGpSs63UxDkzTzPAsTT6tz5Oi WSQucFEHytQKIlZP4hSLVbXG6h0RgwJhxcfSJfyqRFgIACNpnaWA0Xk/jVarKg7L0jBZ Y/gPrrhl8EQsQD1t26oke+ggR87CPJYV+I8xxTQ5t92yc1f/cLPZC0lqtlHNoMespWbU HZdoyt34CBnkTeEFD0mjsu6h9+CRuauGa2fvx4drXYvpeIBNwc7SKZ3iZOOaqHMxGAZJ hiPvyEf0JOx/Cn0FF1XaV/XgQYeRY23NdlHfpKrdKRgzhhmSip1CVAuNmDNFJsvIWuAv RWbw== X-Gm-Message-State: AOAM530TTGShKoDsp5IukOdOj8L99exkBqspTrrWVLc9E2JORHCKyrPc OWCbaotT0vbyAyMtapO6eHjgTA== X-Received: by 2002:a17:906:784c:: with SMTP id p12mr333740ejm.123.1591738054450; Tue, 09 Jun 2020 14:27:34 -0700 (PDT) Received: from Google-Pixel-3a.fritz.box (ip5f5af183.dynamic.kabel-deutschland.de. [95.90.241.131]) by smtp.gmail.com with ESMTPSA id b21sm14245223ejz.28.2020.06.09.14.27.33 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 09 Jun 2020 14:27:33 -0700 (PDT) Date: Tue, 09 Jun 2020 23:27:30 +0200 User-Agent: K-9 Mail for Android In-Reply-To: <202006091346.66B79E07@keescook> References: <20200603011044.7972-1-sargun@sargun.me> <20200603011044.7972-2-sargun@sargun.me> <20200604012452.vh33nufblowuxfed@wittgenstein> <202006031845.F587F85A@keescook> <20200604125226.eztfrpvvuji7cbb2@wittgenstein> <20200605075435.GA3345@ircssh-2.c.rugged-nimbus-611.internal> <202006091235.930519F5B@keescook> <20200609200346.3fthqgfyw3bxat6l@wittgenstein> <202006091346.66B79E07@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8BIT Subject: Re: [PATCH v3 1/4] fs, net: Standardize on file_receive helper to move fds across processes To: containers@lists.linux-foundation.org, Kees Cook CC: Giuseppe Scrivano , Robert Sesek , Chris Palmer , Jann Horn , Greg Kroah-Hartman , Daniel Wagner , linux-kernel@vger.kernel.org, Matt Denton , John Fastabend , linux-fsdevel@vger.kernel.org, Tejun Heo , Al Viro , cgroups@vger.kernel.org, stable@vger.kernel.org, "David S . Miller" From: Christian Brauner Message-ID: <037A305F-B3F8-4CFA-B9F8-CD4C9EF9090B@ubuntu.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On June 9, 2020 10:55:42 PM GMT+02:00, Kees Cook wrote: >On Tue, Jun 09, 2020 at 10:03:46PM +0200, Christian Brauner wrote: >> I'm looking at __scm_install_fd() and I wonder what specifically you >> mean by that? The put_user() seems to be placed such that the install >> occurrs only if it succeeded. Sure, it only handles a single fd but >> whatever. Userspace knows that already. Just look at systemd when a >msg >> fails: >> >> void cmsg_close_all(struct msghdr *mh) { >> struct cmsghdr *cmsg; >> >> assert(mh); >> >> CMSG_FOREACH(cmsg, mh) >> if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type >== SCM_RIGHTS) >> close_many((int*) CMSG_DATA(cmsg), >(cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int)); >> } >> >> The only reasonable scenario for this whole mess I can think of is sm >like (pseudo code): >> >> fd_install_received(int fd, struct file *file) >> { >> sock = sock_from_file(fd, &err); >> if (sock) { >> sock_update_netprioidx(&sock->sk->sk_cgrp_data); >> sock_update_classid(&sock->sk->sk_cgrp_data); >> } >> >> fd_install(); >> } >> >> error = 0; >> fdarray = malloc(fdmax); >> for (i = 0; i < fdmax; i++) { >> fdarray[i] = get_unused_fd_flags(o_flags); >> if (fdarray[i] < 0) { >> error = -EBADF; >> break; >> } >> >> error = security_file_receive(file); >> if (error) >> break; >> >> error = put_user(fd_array[i], ufd); >> if (error) >> break; >> } >> >> for (i = 0; i < fdmax; i++) { >> if (error) { >> /* ignore errors */ >> put_user(-EBADF, ufd); /* If this put_user() fails and the first >one succeeded userspace might now close an fd it didn't intend to. */ >> put_unused_fd(fdarray[i]); >> } else { >> fd_install_received(fdarray[i], file); >> } >> } > >I see 4 cases of the same code pattern (get_unused_fd_flags(), >sock_update_*(), fd_install()), one of them has this difficult >put_user() >in the middle, and one of them has a potential replace_fd() instead of >the get_used/fd_install. So, to me, it makes sense to have a helper >that >encapsulates the common work that each of those call sites has to do, >which I keep cringing at all these suggestions that leave portions of >it >outside the helper. > >If it's too ugly to keep the put_user() in the helper, then we can try >what was suggested earlier, and just totally rework the failure path >for >SCM_RIGHTS. > >LOL. And while we were debating this, hch just went and cleaned stuff >up: > >2618d530dd8b ("net/scm: cleanup scm_detach_fds") > >So, um, yeah, now my proposal is actually even closer to what we >already >have there. We just add the replace_fd() logic to __scm_install_fd() >and >we're done with it. Cool, you have a link? :) Christian