Received: by 2002:a05:6a10:a841:0:0:0:0 with SMTP id d1csp407301pxy; Wed, 28 Apr 2021 06:46:22 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzB3cgKCFjwza0VhvSHjv3MAls7HKEv8HX/NyflCQw9e4rjBoj3YBvpWY5NTHudHQjPrKgH X-Received: by 2002:a05:6402:4314:: with SMTP id m20mr11102987edc.5.1619617582789; Wed, 28 Apr 2021 06:46:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1619617582; cv=none; d=google.com; s=arc-20160816; b=Ch6qKJkm7bEbqBciC9JleJlX7evQ5IVZn5PfMdaYvKqoksU2S4JyS011KrTT35GRbp qNszWipEBM/WyjfCVv9g8Vh0aOLo+yQnnsJyV2rn2l7CwClV2zNJdIxh5XGZIhJnEncw y5LRkmFWNR1l/vRyUcPXbe1A4SdG37oYtnOi0EB3VFY7Hou4FEd97tBgmExhpwxVSVAC lMlWJaGbz+E18GJxkSuS+CpteHmRzd7B2Ql2abCPMLT3KJgd/oQuLhzSwjAlD7TFVUMA 8mDTuXIpTNv4l47F1B4pczCxNlDO7v2gqOjwMy+fipKbYlQ3OvwT9aigP/w02LD6yv1o XlQg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=uyfujupd+nn5QDO9renTFnifqj77qdb+Pu4FnljETRM=; b=Zsa50UMZ6LtIAWBYa8gNHg8KS2XIe8OvVMTQ1N9u84UKBZ/x8i9fYD/nBGTq1Tr+C4 y2i02vxxkNgMqcuLwgEjF9k2E6JaN63rTHKWMY52jkSFgCILmqySfgOAJvujTNfJqcbp 51XIIdtVGCDyh/J53IApq2oeEWuk20yDNFN2gmjQyE7CIHmCTtPSpKrNsow3CW1tRTlW hxgbXvJAbIVkfrQFHbHpkULNJxOgLATH/akL+pvGzI3VRhcplhAusOtdepWSCdGDWidU xKwVhgYOEnr3esrLxkmOzRyKC0gfPz4xX7qY6XJvJMxis5m36xCLy0eKnJqCld2iVRjK zuIg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kinvolk.io header.s=google header.b=gtHUnUjc; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kinvolk.io Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id y7si4991238edc.242.2021.04.28.06.45.58; Wed, 28 Apr 2021 06:46:22 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kinvolk.io header.s=google header.b=gtHUnUjc; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kinvolk.io Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239194AbhD1LMO (ORCPT + 99 others); Wed, 28 Apr 2021 07:12:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46032 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238599AbhD1LMM (ORCPT ); Wed, 28 Apr 2021 07:12:12 -0400 Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8CCD2C061574 for ; Wed, 28 Apr 2021 04:11:26 -0700 (PDT) Received: by mail-lf1-x136.google.com with SMTP id x20so68230894lfu.6 for ; Wed, 28 Apr 2021 04:11:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kinvolk.io; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uyfujupd+nn5QDO9renTFnifqj77qdb+Pu4FnljETRM=; b=gtHUnUjcLgmxwsgWIIOf8S/iDfnzWUGSnw/WqI9y2//8sFp6qgXEM166UhuVsXcx/R qGlFx9kB/9NKu/QNkYaAe2i6SpgZAoxyFQM2GLXntmB5DijUeMqcwhHV07sFAvuHQHIP OFvq2LbO/SqGzD2czTrq8ZGIJxCIEHXVnD3Us= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uyfujupd+nn5QDO9renTFnifqj77qdb+Pu4FnljETRM=; b=NP6WuOBc5Yv9gWehMncmZD2A0zACuYjhnxz6rqto8sjLZHdz8ElavEBhsve5t8NbuA opFyP7u9VzElRD+EyXjB5xThuU/HXTGPnLV6IT0rmgsXNNEgXpXbA387wWvyJPULsVnL tc0Kkfxdul2ko54fjJdttBx4AJiOzIQD2QHCBlwhG4LctsUwEnl0y6o176vvTSa+7cC5 pyz0FlcxWO5LONmoT7eck5Nsp1rRZ25IU7pXKFqNGPpoctCNpYlG54C1F04B/vJjZ5m7 7Wx+SrU7pCH+5681oQqn+QKIHDTY2AXkTDXPF9YOHKmm2MP3h++Bi+ALRwFtNSKUyLVp CjUg== X-Gm-Message-State: AOAM532xEObZaURCXpEd923yQucyu6m8hmqZGacdNIH8IXrQm9gp5QoS BaPv/fG238cT+HOv8NRaq83zy7B8KFFiwqIIF/y6Sg== X-Received: by 2002:ac2:5335:: with SMTP id f21mr20269909lfh.288.1619608284816; Wed, 28 Apr 2021 04:11:24 -0700 (PDT) MIME-Version: 1.0 References: <20210426180610.2363-1-sargun@sargun.me> <20210426180610.2363-3-sargun@sargun.me> <20210426190229.GB1605795@cisco> <20210426221527.GA30835@ircssh-2.c.rugged-nimbus-611.internal> <20210427134853.GA1746081@cisco> <20210427170753.GA1786245@cisco> <20210427221028.GA16602@ircssh-2.c.rugged-nimbus-611.internal> <20210428002215.GB1786245@cisco> In-Reply-To: <20210428002215.GB1786245@cisco> From: Rodrigo Campos Date: Wed, 28 Apr 2021 13:10:49 +0200 Message-ID: Subject: Re: [PATCH RESEND 2/5] seccomp: Add wait_killable semantic to seccomp user notifier To: Tycho Andersen Cc: Andy Lutomirski , Sargun Dhillon , Kees Cook , LKML , Linux Containers , Christian Brauner , =?UTF-8?Q?Mauricio_V=C3=A1squez_Bernal?= , Giuseppe Scrivano , Will Drewry , Alban Crequy Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 28, 2021 at 2:22 AM Tycho Andersen wrote: > > On Tue, Apr 27, 2021 at 04:19:54PM -0700, Andy Lutomirski wrote: > > User notifiers should allow correct emulation. Right now, it doesn't, > > but there is no reason it can't. > > Thanks for the explanation. > > Consider fsmount, which has a, > > ret = mutex_lock_interruptible(&fc->uapi_mutex); > if (ret < 0) > goto err_fsfd; > > If a regular task is interrupted during that wait, it return -EINTR > or whatever back to userspace. > > Suppose that we intercept fsmount. The supervisor decides the mount is > OK, does the fsmount, injects the mount fd into the container, and > then the tracee receives a signal. At this point, the mount fd is > visible inside the container. The supervisor gets a notification about > the signal and revokes the mount fd, but there was some time where it > was exposed in the container, whereas with the interrupt in the native > syscall there was never any exposure. IIUC, this is solved by my patch, patch 4 of the series. The supervisor should do the addfd with the flag added in that patch (SECCOMP_ADDFD_FLAG_SEND) for an atomic "addfd + send". That means when using the atomic "addfd+send" what happens is: either we add the fd _and_ the added fd value is returned to the syscall or the fd is not added at all and the container sees the syscall as interrupted. Therefore, the fd is only visible to the container when it should. Best, Rodrigo