Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp266099pxx; Thu, 29 Oct 2020 02:00:07 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyVqq/BKoTntYZO9TSjhEVV4NGMSeGPWfP39YvEtE7ipXget3jQZIB1YdOCPUBqmXkFP5UP X-Received: by 2002:a17:906:c20f:: with SMTP id d15mr2919194ejz.341.1603962007004; Thu, 29 Oct 2020 02:00:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603962006; cv=none; d=google.com; s=arc-20160816; b=nDLfb0eYzdIaGkUMU65dYbTSUwfepkpu1FMhskpaTyTk04dgySnanhkbN+wqZfsHoq gNYebTgRpfUb6dBMgmkSeLaoLiqDZat0dZrrVD00I8jO4Y26GRl6dZ4dIAqm0NlPiWHU ayDOPQHkN85KpE73KMUwN36W2XRzdsm8ieBg9JULDp3wwvyvsDr9FLOCEg+VMtOysJPp ZZxsv4/gjzOtr5eCz+V+boqPPMcGjOqGwcUVzL01dBZBLls2eV4DBEFLlaCbQef928OY yMzQ59qFgDlIMoM8hZlYUaqckL9z+oXUgxE9IooTJdSq43/TDIudQyTlMGeCDPmuTdId 2fVg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=5bZHSqby9xc03fv8b/uQtgTC0sysq05Jdo5tS6hC7Bk=; b=EEXqnRONKdyC/pEpZQEYxDL7Mojj4NcMwCYHekYV5qHUQmmKmPgSva1i7MwcHFZ7bv 6wzVlThi41jP6P01EnPTZVaUkrH2d3OWD9aQqEPezfxvFPIdFA4CVt1IJmwK7kjAxYTE WcwUXm0zz96k3gkAlbD7cdoBJGlf5CI7Xjvvk3AQmp80qtDWossDLdrbP5z/azsfLkBj QHZ1WJ5/UZV159vOm38drQ/I+iVkON6in6aC5VgVj4gLePkqHXum9Bixbi76vY4snQP6 CFOywVvdfO4aRxPHCLQKNaU/hhAU6NNBxsDBmL8fOrNBcDtDIxfJ6Qs4EZHvKRhp2r1I vF6Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=vCF7BqYv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id dg11si1480959edb.246.2020.10.29.01.59.45; Thu, 29 Oct 2020 02:00:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=vCF7BqYv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728395AbgJ2H0j (ORCPT + 99 others); Thu, 29 Oct 2020 03:26:39 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55376 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728277AbgJ2HY7 (ORCPT ); Thu, 29 Oct 2020 03:24:59 -0400 Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B1C22C061789 for ; Wed, 28 Oct 2020 21:26:34 -0700 (PDT) Received: by mail-lf1-x12b.google.com with SMTP id l28so1578507lfp.10 for ; Wed, 28 Oct 2020 21:26:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5bZHSqby9xc03fv8b/uQtgTC0sysq05Jdo5tS6hC7Bk=; b=vCF7BqYvpPENaZQ1ij18cOuBn3mjiDl59S9e8pNu4I8MoMuZo8/ftg0Y9yOuESZN09 VBw04wGTblOlqn6/d//nxST8d02fERV2k+Yqvoj5KIf/bU8IslsX99d6mIRXJv1H9eZ7 dPdYqdkXenA5Mtf/Ci6Vn4NPk9RQpMYT+WOlqRhTU68ApcUfhfJDbQ4ydF1Vj8SKnJb5 kYkD7iFe2dzDG5UlFj7yPh8AaapCSTfLe8HSbb08Qh60EKjEcTHQBTCNu6MPXVwS2U+e ddO/4+yG92LPOzOsogodfabgmFl0yPhga3RhQIlJ6Ulkl1MZebH5vSSbg1KnGyrTMNXW E67w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5bZHSqby9xc03fv8b/uQtgTC0sysq05Jdo5tS6hC7Bk=; b=L6PK5as8hzg6Qd+ys4VQCByg4lS+Sz1HU30zctTY7aC/qBr8wswGPSi8YzCmhCHVXY s9WGGSIaVTqUkEYowrBbrUS5GzrLnGpRii6zadcCe07SoyKUHPUK776UdmvolqS11tKF +NJwcxv0DVL7U7aY7JDeyt7+7UT+z4hvWyxbRhAaXZlCSSNfYSdDZxCSHRAkwmw5IODk uhVjSur48JEsDNWiMijD/jFj7SU1l8rh9MQrPfQzFEh/TS34g0INVqc3TevwEwh//vgf YYQUT2I6rp+hewxdQoD/oQVHNmCwJzRypCZ7IGxisLQtzrg2+QbQRyleJV7ltuvR2Kej AjjA== X-Gm-Message-State: AOAM533EFYxW8k7civLl2Yf6N34SWlYWzS1eER/6c9nJMnNGACwLDDOw SBsBGuLVW9x1Q6EZt+P6QVl0FKk8e4QX/RyryB2qmg== X-Received: by 2002:a19:c357:: with SMTP id t84mr773624lff.34.1603945592793; Wed, 28 Oct 2020 21:26:32 -0700 (PDT) MIME-Version: 1.0 References: <45f07f17-18b6-d187-0914-6f341fe90857@gmail.com> <20200930150330.GC284424@cisco> <8bcd956f-58d2-d2f0-ca7c-0a30f3fcd5b8@gmail.com> <20200930230327.GA1260245@cisco> <20200930232456.GB1260245@cisco> <202010251725.2BD96926E3@keescook> <20201029021348.GB25673@cisco> In-Reply-To: <20201029021348.GB25673@cisco> From: Jann Horn Date: Thu, 29 Oct 2020 05:26:05 +0100 Message-ID: Subject: Re: For review: seccomp_user_notif(2) manual page To: Tycho Andersen Cc: Kees Cook , "Michael Kerrisk (man-pages)" , Sargun Dhillon , Christian Brauner , linux-man , lkml , Aleksa Sarai , Alexei Starovoitov , Will Drewry , bpf , Song Liu , Daniel Borkmann , Andy Lutomirski , Linux Containers , Giuseppe Scrivano , Robert Sesek Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Oct 29, 2020 at 3:13 AM Tycho Andersen wrote: > > > Consider the following scenario (with supervisor "S" and target "T"; S > > > wants to wait for events on two file descriptors seccomp_fd and > > > other_fd): > > > > > > S: starts poll() to wait for events on seccomp_fd and other_fd > > > T: performs a syscall that's filtered with RET_USER_NOTIF > > > S: poll() returns and signals readiness of seccomp_fd > > > T: receives signal SIGUSR1 > > > T: syscall aborts, enters signal handler > > > T: signal handler blocks on unfiltered syscall (e.g. write()) > > > S: starts SECCOMP_IOCTL_NOTIF_RECV > > > S: blocks because no syscalls are pending > > > > > > Depending on what other_fd is, this could in a worst case even lead to > > > a deadlock (if e.g. the signal handler wants to write to stdout, but > > > the stdout fd is hooked up to other_fd in the supervisor, but the > > > supervisor can't consume the data written because it's stuck in > > > seccomp handling). > > > > > > So we have to ensure that when existing code (like that crun code you > > > linked to) triggers this case, SECCOMP_IOCTL_NOTIF_RECV returns > > > immediately instead of blocking. > > > > Or I guess we could also just set O_NONBLOCK on the fd by default? > > Since the one existing user is eventloop-based... > > I feel like it's ok to return an error from the RECV ioctl() if > there's never going to be any more events on the fd; was there > something fundamentally wrong with your patch here: > https://lore.kernel.org/bpf/CAG48ez2xn+_KznEztJ-eVTsTzkbf9CVgPqaAk7TpRNAqbdaRoA@mail.gmail.com/ > ? No, I have a new version of that about 80% done and hope to send it out soonish. (There's some stuff around tests that I still need to cobble together).