Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp18890pxu;
        Tue, 1 Dec 2020 05:15:21 -0800 (PST)
X-Google-Smtp-Source: ABdhPJxJOO0TvcNABEylYoZ0U2l0B9RSXWwo4tSvhBmuBoQE+5cVC3q4iY4SyzBE4ZfcY3LdyrSX
X-Received: by 2002:a17:906:4982:: with SMTP id p2mr2979329eju.416.1606828521027;
        Tue, 01 Dec 2020 05:15:21 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1606828521; cv=none;
        d=google.com; s=arc-20160816;
        b=Ys6Uf/IC5m9SKXp0X2V83xWi11e4Oj3RNbua+JEPSXZQkg9u3UrIZ8TpoUehraqXuw
         2ru72VxrOPKTVyogKHDXaFzCXHMPCTw5esm6F51fjWIogOS7HkxZVLmjxRyFCbdH+O8n
         f4uhtaEZnpLBSXU+xIGCMcHWveWPNd06a/CHP58kSpJu89VoO82596d/1NfOUg6LN9kf
         UekN63sro+PBtVnBSgR3EH8HjEfIVlGMJkVA6+ZjgQs3CQzuJxK5GskrDHaFheCWPUoZ
         T9/4V2DmzJEtSDHCb2I9JZ0fWpfDe03RSZaVgggRonsJZpZIENqOdvfqpCbrC5EP7juL
         HJ1g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:user-agent:in-reply-to:content-transfer-encoding
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=ZGcFuRI/bJF+HhBMzLDe2qGtoT/j0joOqdDzilS2qpo=;
        b=Et9ImW7VsTn1egcx1BOHoWNevazfVHagDNt1/OoNSIYy6aylXJMaJ1W221S8guGGrX
         Qfksf3as+Ze4lOWov6MUglVw7E2LDfRn2F0eskRYJdzcn7/BSTNTaUvstcxix/+upU5H
         MWdBcWtpKDV6G3NzW5o7PAWLhTZ96i1OIlnX9cz5Hfnj0miHMnjDecd+1WJ91iZ7hG3w
         bvIjOpc3aGLSqO+U59ETjoAuyXZcAskrddJYgjBuygtdPUuipJ4F+lOkvhI0quXtUVui
         eXM4+ucebJbrJDz/j/3p04C2XS6L5OBkQ1z/g7pcXyhBQVP2Cy1Sk21HVVzuk27yg15b
         +TtA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@sargun.me header.s=google header.b=gTV19U7L;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id d12si988778edh.221.2020.12.01.05.14.57;
        Tue, 01 Dec 2020 05:15:21 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@sargun.me header.s=google header.b=gTV19U7L;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2390778AbgLANJO (ORCPT <rfc822;shibaboy@gmail.com> + 99 others);
        Tue, 1 Dec 2020 08:09:14 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33534 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2388599AbgLANJN (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 1 Dec 2020 08:09:13 -0500
Received: from mail-io1-xd32.google.com (mail-io1-xd32.google.com [IPv6:2607:f8b0:4864:20::d32])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1D1F0C0613CF
        for <linux-kernel@vger.kernel.org>; Tue,  1 Dec 2020 05:08:28 -0800 (PST)
Received: by mail-io1-xd32.google.com with SMTP id y5so1500742iow.5
        for <linux-kernel@vger.kernel.org>; Tue, 01 Dec 2020 05:08:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sargun.me; s=google;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:content-transfer-encoding:in-reply-to
         :user-agent;
        bh=ZGcFuRI/bJF+HhBMzLDe2qGtoT/j0joOqdDzilS2qpo=;
        b=gTV19U7L/PRLjHjLVMBT9mj1qEMnpXhJ4DrO/+phoB5vlcweQ4DDm5pyPwcF/OJKeD
         p1IFSmdvJmxj7FFSzHjtbqBJTkDHtdP2dna0fFX6/moLUXI0ng4cU7iAIkXFEav/LiQL
         g791l9yDscEX979Y+yY4E+S1SLs3YXrE861Bk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:content-transfer-encoding
         :in-reply-to:user-agent;
        bh=ZGcFuRI/bJF+HhBMzLDe2qGtoT/j0joOqdDzilS2qpo=;
        b=Qm4YoakHWywUCm41Grik3XPMfCbFVaKOB61oFMNDUl2x5FWpnanQkg3OeuVY3uQ1ot
         berwtIbTHWkPfDiDfFozHxajYWXA6cKfGNmWVfp7v47x5xhbduQrT4eFd+3q124XonCu
         kEBu5uDN1+aX01zhg3zbLq9QOmFI3l0rgkevGgliGPUV85AEpTyaiut8MqBnzXN64rVc
         3U0Y7YnmpMdlb+gvYR3FThS9tovQSOGu20K64onVjSaEugwpNDIhUAuG2PRQKo4igUlz
         lqrATXI0WnV2U5ShFvCPRGyxCf5RND8qcAK74w6fYJ6l3QvrlE6k2829JH9mq4tjdDEL
         hVgQ==
X-Gm-Message-State: AOAM533hsW+OKzvir/ZISGflBweRjvF4NutFvi5OmGnnASSkQ3f9k2UR
        vL5q17/mAzlWUP4iHswCo+GeWg==
X-Received: by 2002:a02:3e86:: with SMTP id s128mr2383118jas.131.1606828107257;
        Tue, 01 Dec 2020 05:08:27 -0800 (PST)
Received: from ircssh-2.c.rugged-nimbus-611.internal (80.60.198.104.bc.googleusercontent.com. [104.198.60.80])
        by smtp.gmail.com with ESMTPSA id u18sm765171iob.53.2020.12.01.05.08.26
        (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256);
        Tue, 01 Dec 2020 05:08:26 -0800 (PST)
Date:   Tue, 1 Dec 2020 13:08:25 +0000
From:   Sargun Dhillon <sargun@sargun.me>
To:     Tycho Andersen <tycho@tycho.pizza>
Cc:     Alban Crequy <alban@kinvolk.io>,
        Giuseppe Scrivano <gscrivan@redhat.com>,
        Linux Containers <containers@lists.linux-foundation.org>,
        Kees Cook <keescook@chromium.org>,
        LKML <linux-kernel@vger.kernel.org>
Subject: Re: SECCOMP_IOCTL_NOTIF_ADDFD race condition
Message-ID: <20201201130824.GA27822@ircssh-2.c.rugged-nimbus-611.internal>
References: <CADZs7q4sw71iNHmV8EOOXhUKJMORPzF7thraxZYddTZsxta-KQ@mail.gmail.com>
 <20201130232009.GC38675@cisco>
 <20201201124105.GB103125@cisco>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20201201124105.GB103125@cisco>
User-Agent: Mutt/1.9.4 (2018-02-28)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Dec 01, 2020 at 07:41:05AM -0500, Tycho Andersen wrote:
> On Mon, Nov 30, 2020 at 06:20:09PM -0500, Tycho Andersen wrote:
> > Idea 1 sounds best to me, but maybe that's because it's the way I
> > originally did the fd support that never landed :)
> > 
> > But here's an Idea 4: we add a way to remotely close an fd (I don't
> > see that the current infra can do this, but perhaps I didn't look hard
> > enough), and then when you get ENOENT you have to close the fd. Of
> > course, this can't be via seccomp, so maybe it's even more racy.
> 
> Or better yet: what if the kernel closed everything it had added via
> ADDFD if it didn't get a valid response from the supervisor? Then
> everyone gets this bug fixed for free.
> 
> Tycho
> _______________________________________________
> Containers mailing list
> Containers@lists.linux-foundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/containers

This doesn't solve?the problem universally because of the (Go) preemption 
problem. Unless we can guarantee that the supervisor can always handle the 
request in fewer than 10ms, or if it implements resumption behaviour. I know 
that resumption behaviour is a requirement no matter what, but the easier we can 
make it to implement resumption, the better chance we are giving users to get 
this right.

I think that the easiest solution is to add to the SECCOMP_IOCTL_NOTIF_RECV
ioctl. Either we have a flag like "block all blockable signals" or pass a
sigset_t directly of which signals to allow (and return an einval if they
try to block non-blockable signals).