Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp337088pxu; Thu, 15 Oct 2020 05:23:32 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyh8f4LLdUZn5Wl1ZPhs8FCHviFuI4iAp3S5eGbtbWsvl7D+rbdzofkMlJqEenkQdXh6NpE X-Received: by 2002:a17:906:1b01:: with SMTP id o1mr4328640ejg.539.1602764612605; Thu, 15 Oct 2020 05:23:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1602764612; cv=none; d=google.com; s=arc-20160816; b=vF0wEsNxBVF3sXm2v5lJADYQ+Egg1FvSYdAFV6NG9RE3Upz07Xh527D/sjSrO7lERN tn57OR1+lQhHaACtmpJr6IZGZ9QUC/j/NeLZlDDV+DUwOC6ZRNVBeFngN1zWDPzdu2ed bO2tMvKYEr+6xgsycA7tDhOpvoMMtFMSkXD3qCWUOJi42NXmgVDbcyReEL5CBCf3+Mrz gADw2Cdsbo34Dq9XqHusgCZOqo9oVAizAsek3T9rw+Cd/2M8h9+dvpvZikmBOxt+1/ez dlcu16bDuhG1YF2x4q+H+V86wrU9rISmA3OElyCwdSwGRaGzk510spTgoFw3B5A1nyrx jTCw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :to:subject:cc:dkim-signature; bh=3I0P08vNaQzgXoL9rCvvnpgGw7KyV9D8ViZvp/Lcn6s=; b=Dar6S9jTFeiTJSYwUZ/j3re65YDHHNWmH5575oWwlEngHDO1gqUtXysSs2vktrAAOY mrzQ5h+Udx1nJc7On1iAcqDX1JPW9XYW76rg6S3hNpPZdYWKy/G2Yf9IzWJgzW0zcvL7 IDlXm4m8E084RCUcgCCDiy9WwqSHxZGy4NXKC+Rs9ABZgzLfvfrkH4irK5CHD/Rvh6KZ 4eLuBDddXQW1icjiZKdClPjTWh4/Jgj0V1fzRxI8UpIA/aa9lnT+Nbm9mrAmaIiKF+R4 SrVOoGBH/0IWjFF/ZzQFWh9UPvtzfZsNBBbnVZwQzTYn6meGmz6n5B+mceviBQ4An4G8 O48Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=GA8BbyLO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h20si1914654eja.402.2020.10.15.05.23.02; Thu, 15 Oct 2020 05:23:32 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=GA8BbyLO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728230AbgJOLYn (ORCPT + 99 others); Thu, 15 Oct 2020 07:24:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56622 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727736AbgJOLYG (ORCPT ); Thu, 15 Oct 2020 07:24:06 -0400 Received: from mail-wr1-x442.google.com (mail-wr1-x442.google.com [IPv6:2a00:1450:4864:20::442]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E4559C061755; Thu, 15 Oct 2020 04:24:05 -0700 (PDT) Received: by mail-wr1-x442.google.com with SMTP id n15so3011677wrq.2; Thu, 15 Oct 2020 04:24:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=cc:subject:to:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=3I0P08vNaQzgXoL9rCvvnpgGw7KyV9D8ViZvp/Lcn6s=; b=GA8BbyLOTTUBvhKPL+heprvfYzsNBiCMAxJMYy0/AJJtI0lP01IeXgRR8yWgnVEDLc 8ldtbGqRI9P2uAUoL03HFwi5dWLVFJnZ3Aetj62avK/6Mo5xxpfsMHQy2BrvzpkyQgaR uYAskzZaFS+t+kkUVZJBnOeWGt4EqF/javGOQVJ2uEApe97rh5U5Zk16xL7XRhfYKPLE gtlsZvRXR0yfy9w9K8KFZp2zpixzNvKFfpTMhfHa/BcFgiuoc/POCluJybykDFIyfpXd gzaDaIDqZS7MuqVxMLrzVTye//Cs00bcFZpKDMZ/jlpPKK2iL+Hn5ImKPj5RW+deFPMY 1PvQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:cc:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=3I0P08vNaQzgXoL9rCvvnpgGw7KyV9D8ViZvp/Lcn6s=; b=BlA7mMVWPOwbuSgWiCVcztegh0VxCm8CVl+pPOlBIvi4mL7sK/wWN6oMnf5qPTx0FK F+E0Hg3z42oDJiCBJBrHckoN3F7CjU/2st2EP1rX88mU+h9eiYvYU0tMynhPtkd7Lytc C7y1gBLWsAlhIrKVrt5vM9bD2P/sxLonnupqt86ytVixNY1bBHDAVXfAiyjsHUpdeYdv 9h+wMHKOUoCHE/9h9f9T1Kph6Hv7lnNLguRSkAxv/ub7ftEEp0ocVNB1YfpNKyA0T50Z ROviLHwNeF82cuy6GZ+AbUMI2Qo1GuA/SUiufImcI3BmPYpYBmu27ipm5pms3bV9LLeU ncrA== X-Gm-Message-State: AOAM530oO6nLdW7qXeeNE8yJwgUHk/CddyfxVmAAw89Ve1DB4ZGgaHxf nrHaP764DyhuV4F4zpBN4k4= X-Received: by 2002:a05:6000:18d:: with SMTP id p13mr3770081wrx.248.1602761044681; Thu, 15 Oct 2020 04:24:04 -0700 (PDT) Received: from [192.168.1.10] (static-176-175-73-29.ftth.abo.bbox.fr. [176.175.73.29]) by smtp.gmail.com with ESMTPSA id t83sm4373249wmf.39.2020.10.15.04.24.03 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 15 Oct 2020 04:24:03 -0700 (PDT) Cc: mtk.manpages@gmail.com, Tycho Andersen , Sargun Dhillon , Christian Brauner , linux-man , lkml , Aleksa Sarai , Jann Horn , Alexei Starovoitov , wad@chromium.org, bpf@vger.kernel.org, Song Liu , Daniel Borkmann , Andy Lutomirski , Linux Containers , Giuseppe Scrivano , Robert Sesek Subject: Re: For review: seccomp_user_notif(2) manual page To: Kees Cook References: <45f07f17-18b6-d187-0914-6f341fe90857@gmail.com> <202009301632.9C6A850272@keescook> From: "Michael Kerrisk (man-pages)" Message-ID: Date: Thu, 15 Oct 2020 13:24:03 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.11.0 MIME-Version: 1.0 In-Reply-To: <202009301632.9C6A850272@keescook> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello Kees, On 10/1/20 1:39 AM, Kees Cook wrote: > On Wed, Sep 30, 2020 at 01:07:38PM +0200, Michael Kerrisk (man-pages) wrote: >> [...] I did :-) > > Yay! Thank you! You're welcome :-) >> [...] >> Overview >> In conventional usage of a seccomp filter, the decision about how >> to treat a particular system call is made by the filter itself. >> The user-space notification mechanism allows the handling of the >> system call to instead be handed off to a user-space process. >> The advantages of doing this are that, by contrast with the sec‐ >> comp filter, which is running on a virtual machine inside the >> kernel, the user-space process has access to information that is >> unavailable to the seccomp filter and it can perform actions that >> can't be performed from the seccomp filter. > > I might clarify a bit with something like (though maybe the > target/supervisor paragraph needs to be moved to the start): > > This is used for performing syscalls on behalf of the target, > rather than having the supervisor make security policy decisions > about the syscall, which would be inherently race-prone. The > target's syscall should either be handled by the supervisor or > allowed to continue normally in the kernel (where standard security > policies will be applied). You, Christian, and Jann all pulled me up on this point. And thanks; I'm going to use some of your words above. See my reply to Jann, sent at about the same time as this reply. Please take a look at the text in my reply to Jann, and let me know what you think. > I'll comment more later, but I've run out of time today and I didn't see > anyone mention this detail yet in the existing threads... :) Later never came :-). But, I hope you may have comments for the next draft, which I will send out soon. Thanks, Michael -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/