Received: by 2002:a05:6a10:a841:0:0:0:0 with SMTP id d1csp3846838pxy;
        Mon, 26 Apr 2021 11:07:43 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxqawBeabITEMMqhCpkiv/pu/shgWpLgQEaUn13UG7VDWrDC7lALlxzXqRKaRQ99+mfBc0I
X-Received: by 2002:aa7:c746:: with SMTP id c6mr22388273eds.169.1619460463324;
        Mon, 26 Apr 2021 11:07:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1619460463; cv=none;
        d=google.com; s=arc-20160816;
        b=rTSUVZD3T4uj5Z35HhbS23co0BtgXFLBKiN4VnIX5Nk8yB05J0z5x573mZ4BlgEe+6
         E/C1rndfjgGUjde5kmH/WoYTEh/yQstdOiDK1Hp0mLQgKT0zf6LQyoiAfzYW3LF6tJYb
         TBLWNfqGTljWHuZxnTj2ZaNK85ypuh91o2emi1U+wt7P1BLVHMgj6RoWkjMoRuk+8CNi
         civ83xZA5sAOsGXH9/NRd6PdhIhbgmDv6IWZQs185L6k5754Fl+eRFK+FK24kGXtTuRc
         KS3YMWa2AR1+tjjtVudNNtQyCVCSZz1/On61mkS0d1k5V0YxVT92YFbPYFzldsL+v1+J
         KPZA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=crrXl04Pmuu3hnq0cq7H9ljH1hJvjphFD3Ivc9bSiG0=;
        b=wDrZ08h8oqtswF+AIgDHDrxSCRzOtozj8fiod861VzcpvoejpxdaAQ1d3jz6/j4ncw
         iiCZho0sPKrUQGssLeipqD6qrvzA29aflRo3RQy9/TE18tV+S+thmLoVsH+BwrBZVsVS
         9ePfNVjE+g4RruX4MiJPNHvCkaUMp8M/4xjTX+2DfEjSiwzWe7LEN/EcxXEeFUzeowA8
         BwKMsPByGQm9otZjjpXLDSRFcovC2VaxjxITRyuiqJ/RS/BhCYc0xjfWhRVkgYjbtZij
         kZFMTwzPr42Y2cnEbS5HrC9ib9kMgu7dUqOkOgM9O2NKib1lA7093nMUyxSASWCSRUy6
         wH9w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@sargun.me header.s=google header.b=KkujWiFE;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id v7si425469edj.328.2021.04.26.11.07.19;
        Mon, 26 Apr 2021 11:07:43 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@sargun.me header.s=google header.b=KkujWiFE;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234224AbhDZSG5 (ORCPT <rfc822;liujingjun001@gmail.com>
        + 99 others); Mon, 26 Apr 2021 14:06:57 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39320 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233842AbhDZSG4 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 26 Apr 2021 14:06:56 -0400
Received: from mail-pl1-x62d.google.com (mail-pl1-x62d.google.com [IPv6:2607:f8b0:4864:20::62d])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E004FC061574
        for <linux-kernel@vger.kernel.org>; Mon, 26 Apr 2021 11:06:14 -0700 (PDT)
Received: by mail-pl1-x62d.google.com with SMTP id h20so29378519plr.4
        for <linux-kernel@vger.kernel.org>; Mon, 26 Apr 2021 11:06:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sargun.me; s=google;
        h=from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=crrXl04Pmuu3hnq0cq7H9ljH1hJvjphFD3Ivc9bSiG0=;
        b=KkujWiFEtrvDAwAIA9yFog0WvpXFYbxTqf2G6PUO4jUn/BaScPI3Tya5PV1L/3Cphv
         X1quUztMcdUAqr1aNZoIlFF8shCRsL5iSXKoT8rL4PBYQhGnkwuUnww3FRvMfW4iIBNf
         yqRb+3jdPBjRhm2gSJJjyoJKi8vUJjO8Jgrn8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=crrXl04Pmuu3hnq0cq7H9ljH1hJvjphFD3Ivc9bSiG0=;
        b=luZeH2JXkmcCn0rdhZ7viNkkl8uxbISWXc8xkd7fX5ZmUMuDogo/OWAgh6cBv9VKt1
         FPeNJXAolDVtJCnpKTeToferhLybyTcz9cKkja4XZFNUY3z7Ny4RwmL4jXtqJSHCS3UR
         j5tOsIzllD3q29oGQz83M19gLj5EkBPknmSMuDkJPCJGds79xfnOvYrKPwz4Y6Z/dkPv
         vhAqS7T1wNK/cnSsGEg5CzGB3xoOG2xXOZqQ0BmSOyU+VqTjyTDB3vo7Y8pT+4GNtITE
         H6rawZaFaCOsX9hKd9BA+9HdfS+5l9m2V8Tx04XEVoOUPXHuIugYpASKLkZhgAMrwzcw
         EM9A==
X-Gm-Message-State: AOAM530dbitGrv/vKzLycHMmTQt5TU+ZaWGZ7Ffe2SK8mf3YxfY+6FRC
        501zzys2Bcwu1b2LYLYSEP0Uqg==
X-Received: by 2002:a17:90b:3754:: with SMTP id ne20mr4999359pjb.39.1619460374084;
        Mon, 26 Apr 2021 11:06:14 -0700 (PDT)
Received: from ubuntu.netflix.com (136-25-20-203.cab.webpass.net. [136.25.20.203])
        by smtp.gmail.com with ESMTPSA id j7sm326835pfd.129.2021.04.26.11.06.12
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 26 Apr 2021 11:06:13 -0700 (PDT)
From:   Sargun Dhillon <sargun@sargun.me>
To:     Kees Cook <keescook@chromium.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Linux Containers <containers@lists.linux-foundation.org>,
        Rodrigo Campos <rodrigo@kinvolk.io>,
        Christian Brauner <christian.brauner@ubuntu.com>
Cc:     Sargun Dhillon <sargun@sargun.me>,
        =?UTF-8?q?Mauricio=20V=C3=A1squez=20Bernal?= <mauricio@kinvolk.io>,
        Tycho Andersen <tycho@tycho.pizza>,
        Giuseppe Scrivano <gscrivan@redhat.com>,
        Andy Lutomirski <luto@amacapital.net>,
        Will Drewry <wad@chromium.org>, Alban Crequy <alban@kinvolk.io>
Subject: [PATCH RESEND 0/5] Handle seccomp notification preemption
Date:   Mon, 26 Apr 2021 11:06:05 -0700
Message-Id: <20210426180610.2363-1-sargun@sargun.me>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This patchset addresses a race condition we've dealt with recently with
seccomp. Specifically programs interrupting syscalls while they're in
progress. This was exacerbated by Golang's recent adoption of "async
preemption", in which they try to interrupt any syscall that's been
running for more than 10ms during GC. During certain syscalls, it's
non-trivial to write them in a reetrant manner in userspace (mount).

This has a couple semantic changes, and relaxes a check on seccomp_data, and
changes the semantics with ordering of how addfd and notification replies
in the supervisor are handled.

I'm resending after rebasing and testing on v5.12. It turns out this change
also fixed a bug Rodrigo found that could occur with addfd around certain
race conditions[2].

It also follows up on the original proposal from Tycho[3] to allow
for adding an FD and returning that value atomically.

Changes since v1[1]:
 * Fix some documentation
 * Add Rata's patches to allow for direct return from addfd

[1]: https://lore.kernel.org/lkml/20210220090502.7202-1-sargun@sargun.me/
[2]: https://lore.kernel.org/lkml/20210413160151.3301-1-rodrigo@kinvolk.io/
[3]: https://lore.kernel.org/lkml/202012011322.26DCBC64F2@keescook/


Rodrigo Campos (2):
  seccomp: Support atomic "addfd + send reply"
  selftests/seccomp: Add test for atomic addfd+send

Sargun Dhillon (3):
  seccomp: Refactor notification handler to prepare for new semantics
  seccomp: Add wait_killable semantic to seccomp user notifier
  selftests/seccomp: Add test for wait killable notifier

 .../userspace-api/seccomp_filter.rst          |  15 +-
 include/uapi/linux/seccomp.h                  |   4 +
 kernel/seccomp.c                              | 129 ++++++++++++++----
 tools/testing/selftests/seccomp/seccomp_bpf.c | 102 ++++++++++++++
 4 files changed, 220 insertions(+), 30 deletions(-)


base-commit: 9f4ad9e425a1d3b6a34617b8ea226d56a119a717
-- 
2.25.1