Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp1650018ybh; Thu, 16 Jul 2020 19:16:59 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxAs0QBu9nT8oZVEdeP+ekmvB2lco9uBV8A1QUpxuCjyuqUFYpcjmTOOJPPJCFUc2MI9lUh X-Received: by 2002:a17:906:d106:: with SMTP id b6mr6771568ejz.125.1594952219568; Thu, 16 Jul 2020 19:16:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1594952219; cv=none; d=google.com; s=arc-20160816; b=D42hP1SEk7matoDAqjdpbIEciW0TeIBnZmPU+uj1yNZY5rditr36y1z3ple+AND02Y 6GjN3AFH+nBjfFYoIkI1L6XH1kUX9hZJO8nuhuRGY6jcOxUcHb9ZuSNpjJj+KBDV6MlJ ZMLm8eGJI/1ePRsObRQw9K6PunwdG6+jZ7tonsYEImt5/9QV4JoI2LoQx0ECmV8YdDgO BJgv1D1OEb4/lsX/O9ZtRI12YLE0AAYYapuxfFrwuIDOdQ4mQwS2OyD3gBLJBQW+TsCQ 6mYwszO58398isp/iD2N3rvNtiOfffPMcJoWJf/5U+LsPGRYI7mU9y3HyP7R8bCIaFVj 6XTQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:message-id :in-reply-to:date:references:organization:subject:cc:to:from; bh=KLFiqihZsz0e9QMvA+jjRlKAu2XYRAGg3N9BN/tSHrg=; b=FoCkQxypN+PtAJnVfH4aTBpa1qTB4zn8yemYngBNFt5egRampGG9HseNICWpalZUT6 0Y5RnS5qKOnYpUI1SEYF1jQnvfLklhUc7U+RoOMsRhj6LTJku3OUCIzdUQNb7vZhCMBZ hIomA8pl6vDk1dv5eIEOP+i6hX5HWDiMhGoekFU20Es71CapPJLOXvUAnORFYRCLj578 GUur2rJYQdWEjnIfawb12Dn+EvHIhf8UBalemxLTrtlqCuVqGZSaJmWVMBqYW4XpWzZx wZWpWceKDIZqMSQ7DJ4+VzNTeV3n5gfuTNThbAIWX6yjfLABatajmdv/W0cJVXLCTjam WCCw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=collabora.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id gz26si4135974ejb.651.2020.07.16.19.16.36; Thu, 16 Jul 2020 19:16:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=collabora.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726333AbgGQCPl (ORCPT + 99 others); Thu, 16 Jul 2020 22:15:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44032 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726130AbgGQCPl (ORCPT ); Thu, 16 Jul 2020 22:15:41 -0400 Received: from bhuna.collabora.co.uk (bhuna.collabora.co.uk [IPv6:2a00:1098:0:82:1000:25:2eeb:e3e3]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 304B4C061755; Thu, 16 Jul 2020 19:15:41 -0700 (PDT) Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: krisman) with ESMTPSA id EA02B2A292F From: Gabriel Krisman Bertazi To: Andy Lutomirski Cc: Thomas Gleixner , LKML , kernel@collabora.com, Matthew Wilcox , Paul Gofman , Kees Cook , "open list\:KERNEL SELFTEST FRAMEWORK" , Shuah Khan Subject: Re: [PATCH v4 1/2] kernel: Implement selective syscall userspace redirection Organization: Collabora References: <20200716193141.4068476-1-krisman@collabora.com> <20200716193141.4068476-2-krisman@collabora.com> Date: Thu, 16 Jul 2020 22:15:35 -0400 In-Reply-To: (Andy Lutomirski's message of "Thu, 16 Jul 2020 17:20:02 -0700") Message-ID: <87wo32j394.fsf@collabora.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Andy Lutomirski writes: > On Thu, Jul 16, 2020 at 12:31 PM Gabriel Krisman Bertazi > wrote: >> > > This is quite nice. I have a few comments, though: > > You mentioned rt_sigreturn(). Should this automatically exempt the > kernel-provided signal restorer on architectures (e.g. x86_32) that > provide one? That seems reasonable. Not sure how easy it is to do it, though. > The amount of syscall entry wiring that arches need to do is IMO > already a bit out of hand. Should we instead rename TIF_SECCOMP to > TIF_SYSCALL_INTERCEPTION and have one generic callback that handles > seccomp and this new thing? Considering the previous suggestion from Kees to hide it inside the tracehook and Thomas rework of this path, I'm not sure what is the best solution here, but some rework of these flags is due. Thomas suggested expanding these flags to 64 bits and having some arch specific and arch-agnostic flags. With the storage expansion and arch-agnostic flags, would this still be desirable? >> +int do_syscall_user_dispatch(struct pt_regs *regs) >> +{ >> + struct syscall_user_dispatch *sd = ¤t->syscall_dispatch; >> + unsigned long ip = instruction_pointer(regs); >> + char state; >> + >> + if (likely(ip >= sd->dispatcher_start && ip <= sd->dispatcher_end)) >> + return 0; >> + >> + if (likely(sd->selector)) { >> + if (unlikely(__get_user(state, sd->selector))) >> + do_exit(SIGSEGV); >> + >> + if (likely(state == 0)) >> + return 0; >> + >> + if (state != 1) >> + do_exit(SIGSEGV); > > This seems a bit extreme and hard to debug if it ever happens. Makes sense, but I don't see a better way to return the error here. Maybe a SIGSYS with a different si_errno? Alternatively, we could revert to the previous behavior of allowing syscalls on state != 0, that existed in v1. What do you think? -- Gabriel Krisman Bertazi