Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp3943479pxb; Mon, 8 Feb 2021 04:14:49 -0800 (PST) X-Google-Smtp-Source: ABdhPJxSqnDdzoPFHbhCpocPiIiAjbG6jCXYSoSje8929wZX2RmxwIlng9awhdH6/cZH3elInFCo X-Received: by 2002:aa7:d648:: with SMTP id v8mr16635822edr.287.1612786489193; Mon, 08 Feb 2021 04:14:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1612786489; cv=none; d=google.com; s=arc-20160816; b=Dwy3gVv6LT4dEWCVNtFtsO09YAYxYGuFJ7Zgp4s/0zfDChoaK5R8Of41AM3jKAzLqW 5eAVzF66ZZWlUzdHQzKgH7GcFzczIsDr2oCdbcdawd4hfAujawZZJ1ssBj7uDaXlGR52 CPn/DNg0gUp6UsnTGOcYudS76SXYXPsyXlbWQPgJ5PZ9XGMUQPNBUvlqQ6Lhumt5IYf6 SGRnHcpIRQ1FjMGuZv5jf+9O9iy7CKVhd+OjV0PaB1OmXP2Fjj9w8auIYvZXDkY/N9iX UTB083TA6JCIxbdnU4Hkc1u/wr3Ct2jMH1/rDqT0CqiepfjiuESda+Mfpnn10blpm2Bx Q6Mg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:subject:from :references:cc:to; bh=eSsm4jQO/neoX3Ch2wpEOL4BXw57NhkbHpStxs/3o5E=; b=R3v5V7dFpCVx8r8eDKbDm8a5vu7k8fKhmdDsGCo7O0LaG4yFTiDsZxt9JWPjxIg9Sv mYZYUmpm4NYpz3nc3V+JSpAULH3ToZeSyhX0PujDZweVOkyFutvrFOdk4UNoLFQJjsHS X2DROQ8Lw8+YEec+e2MkR3zIVPYVRgQpHFTOmI6WUm7B0QObXEI5mRLgsV+LbZzCTE6q rz6yGGZ9BIjNKRPO9mwxiMQOcgRqfVWYyLHJr2w11vWh3urAQiSFovMysxaGmGyrC981 A0Ml5JeOsr46rrUL56q31l/eBTQWtLBq/5ovu6CMc0bPPVnWOnKmbFaKisWxvxi7YF0B ldDw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r12si2905344edp.601.2021.02.08.04.14.25; Mon, 08 Feb 2021 04:14:49 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231152AbhBHMLL (ORCPT + 99 others); Mon, 8 Feb 2021 07:11:11 -0500 Received: from mail.netline.ch ([148.251.143.178]:51254 "EHLO netline-mail3.netline.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233437AbhBHLuR (ORCPT ); Mon, 8 Feb 2021 06:50:17 -0500 Received: from localhost (localhost [127.0.0.1]) by netline-mail3.netline.ch (Postfix) with ESMTP id 1EB102A6046; Mon, 8 Feb 2021 12:49:31 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at netline-mail3.netline.ch Received: from netline-mail3.netline.ch ([127.0.0.1]) by localhost (netline-mail3.netline.ch [127.0.0.1]) (amavisd-new, port 10024) with LMTP id OJzn5Nd4XMaf; Mon, 8 Feb 2021 12:49:30 +0100 (CET) Received: from thor (24.99.2.85.dynamic.wline.res.cust.swisscom.ch [85.2.99.24]) by netline-mail3.netline.ch (Postfix) with ESMTPSA id 641222A6042; Mon, 8 Feb 2021 12:49:30 +0100 (CET) Received: from [::1] by thor with esmtp (Exim 4.94) (envelope-from ) id 1l952n-001pI0-CW; Mon, 08 Feb 2021 12:49:29 +0100 To: Daniel Vetter , Kees Cook , "airlied@gmail.com" Cc: Will Drewry , Jann Horn , intel-gfx , Linux Kernel Mailing List , dri-devel , Andy Lutomirski , Andrew Morton , Chris Wilson References: <20210205163752.11932-1-chris@chris-wilson.co.uk> <202102051030.1AF01772D@keescook> From: =?UTF-8?Q?Michel_D=c3=a4nzer?= Subject: Re: [PATCH] kernel: Expose SYS_kcmp by default Message-ID: <5a940e13-8996-e9e5-251e-a9af294a39ff@daenzer.net> Date: Mon, 8 Feb 2021 12:49:29 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-CA Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2021-02-05 9:53 p.m., Daniel Vetter wrote: > On Fri, Feb 5, 2021 at 7:37 PM Kees Cook wrote: >> >> On Fri, Feb 05, 2021 at 04:37:52PM +0000, Chris Wilson wrote: >>> Userspace has discovered the functionality offered by SYS_kcmp and has >>> started to depend upon it. In particular, Mesa uses SYS_kcmp for >>> os_same_file_description() in order to identify when two fd (e.g. device >>> or dmabuf) point to the same struct file. Since they depend on it for >>> core functionality, lift SYS_kcmp out of the non-default >>> CONFIG_CHECKPOINT_RESTORE into the selectable syscall category. >>> >>> Signed-off-by: Chris Wilson >>> Cc: Kees Cook >>> Cc: Andy Lutomirski >>> Cc: Will Drewry >>> Cc: Andrew Morton >>> Cc: Dave Airlie >>> Cc: Daniel Vetter >>> Cc: Lucas Stach >>> --- >>> init/Kconfig | 11 +++++++++++ >>> kernel/Makefile | 2 +- >>> tools/testing/selftests/seccomp/seccomp_bpf.c | 2 +- >>> 3 files changed, 13 insertions(+), 2 deletions(-) >>> >>> diff --git a/init/Kconfig b/init/Kconfig >>> index b77c60f8b963..f62fca13ac5b 100644 >>> --- a/init/Kconfig >>> +++ b/init/Kconfig >>> @@ -1194,6 +1194,7 @@ endif # NAMESPACES >>> config CHECKPOINT_RESTORE >>> bool "Checkpoint/restore support" >>> select PROC_CHILDREN >>> + select KCMP >>> default n >>> help >>> Enables additional kernel features in a sake of checkpoint/restore. >>> @@ -1737,6 +1738,16 @@ config ARCH_HAS_MEMBARRIER_CALLBACKS >>> config ARCH_HAS_MEMBARRIER_SYNC_CORE >>> bool >>> >>> +config KCMP >>> + bool "Enable kcmp() system call" if EXPERT >>> + default y >> >> I would expect this to be not default-y, especially if >> CHECKPOINT_RESTORE does a "select" on it. >> >> This is a really powerful syscall, but it is bounded by ptrace access >> controls, and uses pointer address obfuscation, so it may be okay to >> expose this. As it is, at least Ubuntu already has >> CONFIG_CHECKPOINT_RESTORE, so really, there's probably not much >> difference on exposure. >> >> So, if you drop the "default y", I'm fine with this. > > It was maybe stupid, but our userspace started relying on fd > comaprison through sys_kcomp. So for better or worse, if you want to > run the mesa3d gl/vk stacks, you need this. That's overstating things somewhat. The vast majority of applications will work fine regardless (as they did before Mesa started using this functionality). Only some special ones will run into issues, because the user-space drivers incorrectly assume two file descriptors reference different descriptions. > Was maybe not the brighest ideas, but since enough distros had this > enabled by defaults, Right, that (and the above) is why I considered it fair game to use. What should I have done instead? (TBH I was surprised that this functionality isn't generally available) > it wasn't really discovered, and now we're > shipping this everywhere. You're making it sound like this snuck in secretly somehow, which is not true of course. > Ofc we can leave the default n, but the select if CONFIG_DRM is > unfortunately needed I think. Per above, not sure this is really true. -- Earthling Michel Dänzer | https://redhat.com Libre software enthusiast | Mesa and X developer