Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp18890pxu; Tue, 1 Dec 2020 05:15:21 -0800 (PST) X-Google-Smtp-Source: ABdhPJxJOO0TvcNABEylYoZ0U2l0B9RSXWwo4tSvhBmuBoQE+5cVC3q4iY4SyzBE4ZfcY3LdyrSX X-Received: by 2002:a17:906:4982:: with SMTP id p2mr2979329eju.416.1606828521027; Tue, 01 Dec 2020 05:15:21 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1606828521; cv=none; d=google.com; s=arc-20160816; b=Ys6Uf/IC5m9SKXp0X2V83xWi11e4Oj3RNbua+JEPSXZQkg9u3UrIZ8TpoUehraqXuw 2ru72VxrOPKTVyogKHDXaFzCXHMPCTw5esm6F51fjWIogOS7HkxZVLmjxRyFCbdH+O8n f4uhtaEZnpLBSXU+xIGCMcHWveWPNd06a/CHP58kSpJu89VoO82596d/1NfOUg6LN9kf UekN63sro+PBtVnBSgR3EH8HjEfIVlGMJkVA6+ZjgQs3CQzuJxK5GskrDHaFheCWPUoZ T9/4V2DmzJEtSDHCb2I9JZ0fWpfDe03RSZaVgggRonsJZpZIENqOdvfqpCbrC5EP7juL HJ1g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=ZGcFuRI/bJF+HhBMzLDe2qGtoT/j0joOqdDzilS2qpo=; b=Et9ImW7VsTn1egcx1BOHoWNevazfVHagDNt1/OoNSIYy6aylXJMaJ1W221S8guGGrX Qfksf3as+Ze4lOWov6MUglVw7E2LDfRn2F0eskRYJdzcn7/BSTNTaUvstcxix/+upU5H MWdBcWtpKDV6G3NzW5o7PAWLhTZ96i1OIlnX9cz5Hfnj0miHMnjDecd+1WJ91iZ7hG3w bvIjOpc3aGLSqO+U59ETjoAuyXZcAskrddJYgjBuygtdPUuipJ4F+lOkvhI0quXtUVui eXM4+ucebJbrJDz/j/3p04C2XS6L5OBkQ1z/g7pcXyhBQVP2Cy1Sk21HVVzuk27yg15b +TtA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@sargun.me header.s=google header.b=gTV19U7L; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d12si988778edh.221.2020.12.01.05.14.57; Tue, 01 Dec 2020 05:15:21 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@sargun.me header.s=google header.b=gTV19U7L; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390778AbgLANJO (ORCPT + 99 others); Tue, 1 Dec 2020 08:09:14 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33534 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388599AbgLANJN (ORCPT ); Tue, 1 Dec 2020 08:09:13 -0500 Received: from mail-io1-xd32.google.com (mail-io1-xd32.google.com [IPv6:2607:f8b0:4864:20::d32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1D1F0C0613CF for ; Tue, 1 Dec 2020 05:08:28 -0800 (PST) Received: by mail-io1-xd32.google.com with SMTP id y5so1500742iow.5 for ; Tue, 01 Dec 2020 05:08:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sargun.me; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to :user-agent; bh=ZGcFuRI/bJF+HhBMzLDe2qGtoT/j0joOqdDzilS2qpo=; b=gTV19U7L/PRLjHjLVMBT9mj1qEMnpXhJ4DrO/+phoB5vlcweQ4DDm5pyPwcF/OJKeD p1IFSmdvJmxj7FFSzHjtbqBJTkDHtdP2dna0fFX6/moLUXI0ng4cU7iAIkXFEav/LiQL g791l9yDscEX979Y+yY4E+S1SLs3YXrE861Bk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to:user-agent; bh=ZGcFuRI/bJF+HhBMzLDe2qGtoT/j0joOqdDzilS2qpo=; b=Qm4YoakHWywUCm41Grik3XPMfCbFVaKOB61oFMNDUl2x5FWpnanQkg3OeuVY3uQ1ot berwtIbTHWkPfDiDfFozHxajYWXA6cKfGNmWVfp7v47x5xhbduQrT4eFd+3q124XonCu kEBu5uDN1+aX01zhg3zbLq9QOmFI3l0rgkevGgliGPUV85AEpTyaiut8MqBnzXN64rVc 3U0Y7YnmpMdlb+gvYR3FThS9tovQSOGu20K64onVjSaEugwpNDIhUAuG2PRQKo4igUlz lqrATXI0WnV2U5ShFvCPRGyxCf5RND8qcAK74w6fYJ6l3QvrlE6k2829JH9mq4tjdDEL hVgQ== X-Gm-Message-State: AOAM533hsW+OKzvir/ZISGflBweRjvF4NutFvi5OmGnnASSkQ3f9k2UR vL5q17/mAzlWUP4iHswCo+GeWg== X-Received: by 2002:a02:3e86:: with SMTP id s128mr2383118jas.131.1606828107257; Tue, 01 Dec 2020 05:08:27 -0800 (PST) Received: from ircssh-2.c.rugged-nimbus-611.internal (80.60.198.104.bc.googleusercontent.com. [104.198.60.80]) by smtp.gmail.com with ESMTPSA id u18sm765171iob.53.2020.12.01.05.08.26 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Tue, 01 Dec 2020 05:08:26 -0800 (PST) Date: Tue, 1 Dec 2020 13:08:25 +0000 From: Sargun Dhillon To: Tycho Andersen Cc: Alban Crequy , Giuseppe Scrivano , Linux Containers , Kees Cook , LKML Subject: Re: SECCOMP_IOCTL_NOTIF_ADDFD race condition Message-ID: <20201201130824.GA27822@ircssh-2.c.rugged-nimbus-611.internal> References: <20201130232009.GC38675@cisco> <20201201124105.GB103125@cisco> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20201201124105.GB103125@cisco> User-Agent: Mutt/1.9.4 (2018-02-28) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Dec 01, 2020 at 07:41:05AM -0500, Tycho Andersen wrote: > On Mon, Nov 30, 2020 at 06:20:09PM -0500, Tycho Andersen wrote: > > Idea 1 sounds best to me, but maybe that's because it's the way I > > originally did the fd support that never landed :) > > > > But here's an Idea 4: we add a way to remotely close an fd (I don't > > see that the current infra can do this, but perhaps I didn't look hard > > enough), and then when you get ENOENT you have to close the fd. Of > > course, this can't be via seccomp, so maybe it's even more racy. > > Or better yet: what if the kernel closed everything it had added via > ADDFD if it didn't get a valid response from the supervisor? Then > everyone gets this bug fixed for free. > > Tycho > _______________________________________________ > Containers mailing list > Containers@lists.linux-foundation.org > https://lists.linuxfoundation.org/mailman/listinfo/containers This doesn't solve?the problem universally because of the (Go) preemption problem. Unless we can guarantee that the supervisor can always handle the request in fewer than 10ms, or if it implements resumption behaviour. I know that resumption behaviour is a requirement no matter what, but the easier we can make it to implement resumption, the better chance we are giving users to get this right. I think that the easiest solution is to add to the SECCOMP_IOCTL_NOTIF_RECV ioctl. Either we have a flag like "block all blockable signals" or pass a sigset_t directly of which signals to allow (and return an einval if they try to block non-blockable signals).